This allows for storage and reporting of security relevant metrics. You can see that there is a limited storage area for items like credentials or certificates and another for secure storage of “Platform Configuration Registers”. See the image below that is a representation of the contents of a TPM based on information from the Trusted Computing Group It is part of a tamper resistant integrated circuit. On a physical TPM this is a hardware-based component of the TPM device itself. Securing a virtual TPMĪ hardware TPM has the ability to store information securely in what’s referred to as “Non-Volatile Secure Storage”. The ability is there to do these operations via API. Replacement of VMCA issued certificates with a set of certificates from your own Certificate Authority is done via the HTML5 UI. You can verify the digital certificate used by the TPM, just like on physical, if you so choose. A physical TPM has no method by which it can contact the TPM vendor’s CA. The vTPM does not contact the CA at any time. While the key pair is part of a digital certificate issued either by the VMware Certificate Authority (VMCA) or by a third-party Certificate Authority (CA). Once the vTPM uses a key, it is typically not changed because doing so invalidates sensitive information stored in the vTPM. The key pair used to provide the unique identity to the vTPM lives with the vTPM. This is used to provide the vTPM with its unique identity. When the vTPM device is added an Endorsement Key Certificate is issued by VMCA. These keys are preloaded into the chip and are generated by the vendors Certificate Authority (CA). vTPM UniquenessĪ hardware based TPM is provisioned with a unique Endorsement Key (EK) “at the factory”. When the vTPM is added the VM’s “home” files will be encrypted. You can only do this task if a Key Manager is configured in vCenter. #NoSecuritySnowflakes Adding a vTPMĪdding a virtual TPM is as simple as adding a new virtual device to a VM. Not to mention, you don’t have to manage the encryption “in guest” which lowers your overall workload significantly. This means you already have a virtual machine encryption solution that’s easy to manage and works for every virtual machine that’s supported on vSphere, regardless of the guest operating system. Remember, in order to enable vTPM you have to already have VM Encryption! Well, technically, all the parts are now there to run Bitlocker but I have to ask “Why?”.
VMWARE ESXI 6 IPMITOOL WINDOWS
“Does this mean I can run Bitlocker on a Windows VM now?!” Let’s get a question I get asked about out of the way up front.
Enablement of VBS does not require a vTPM.Įnablement of vTPM for any VM other than Windows is done via API. The HTML5 UI is designed with this in mind.
The specific use case for a vTPM on vSphere is to support Windows security features.
VMWARE ESXI 6 IPMITOOL WINDOWS 10
There are some requirements necessary in order to add a virtual TPM to a Windows 10 or 2016 VM Learn more about TPM’s at the Trusted Computing Group website. In this blog article we will go deeper on the new feature for Windows guests called “Virtual TPM”.Ī vTPM, or “virtual Trusted Platform Module 2.0”, performs the same functions as a physical TPM 2.0 device, but it performs cryptographic coprocessor capabilities in software. In a previous blog we covered support for Virtualization Based Security (VBS) and briefly covered virtual TPM. With vSphere 6.7 we have released a comprehensive list of virtual hardware support for features required by Windows 10 and Windows 2016. As security becomes a bigger and bigger “thing”, requirements for virtualized hardware to support features in guest operating systems are rising.