You can add a Virtual Trusted Platform Module (vTPM) to an existing virtual machine to provide enhanced security to the guest operating system. You must create a key provider before you can add a vTPM.

The VMware virtual TPM is compatible with TPM 2.0, and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.

Prerequisites

  • Ensure your vSphere environment is configured for a key provider. See the vSphere Security documentation.
  • The guest OS you use can be Windows Server 2008 and later, Windows 7 and later, or Linux.
  • Verify that the virtual machine is turned off.
  • The ESXi hosts running in your environment must be ESXi 6.7 and later (Windows guest OS), or 7.0 Update 2 and later (Linux guest OS).
  • The virtual machine must use EFI firmware.
  • Verify that you have the required privileges:
    • Cryptographic operations.Clone
    • Cryptographic operations.Encrypt
    • Cryptographic operations.Encrypt new
    • Cryptographic operations.Migrate
    • Cryptographic operations.Register VM
    • Virtual machine.Change Configuration.Add or remove device
Note: After adding a vTPM to a virtual machine, the Cryptographic operations.Direct Access privilege is required to open a console session.

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine in the inventory that you want to modify and select Edit Settings.
  3. In the Edit Settings dialog box, click Add New Device and select Trusted Platform Module.
  4. Click OK.
    The Virtual Machine Details pane reflects that encryption has been applied to the virtual machine.