Table of Contents
- A Closer Look at Virtual Trusted Platform Module or vTPM
- Differences between a Physical TPM and a Virtual TPM
- Requirements for vTPM
- Adding the Virtual TPM Module to a Virtual Machine
- Concluding Thoughts
Many security solutions today are hardware based, while others are software based. Still others exist in the virtual world and emulate hardware-based security devices. Today’s hypervisors can emulate many of these modern hardware-driven security devices and deliver their capabilities inside the virtual machine. One such hardware device built specifically for security is the Trusted Platform Module, or TPM.
The TPM is a specialized chip on a device that stores encryption keys for the host system, which can be used for hardware and guest operating system attestation. The latest versions of VMware vSphere, 6.7 and 6.7 Update 1, are both capable of making use of a virtual TPM module on a guest virtual machine. This virtual TPM module provides many of the same security benefits as the hardware module in a physical machine.
Let’s take a closer look at VMware vSphere 6.7 Virtual Trusted Platform Module Enhanced Security and see the requirements for making use of this virtual TPM module in a VM as well as how it is implemented.
A Closer Look at Virtual Trusted Platform Module or vTPM
How does the “virtual” Trusted Platform Module or vTPM work?
In short, vTPM, or Virtual Trusted Platform Module, in VMware vSphere is a digital guardian angel that securely safeguards virtual machines, ensuring the sanctity of their cryptographic keys and protecting against unauthorized access or tampering.
vTPMs provide cryptographic coprocessor capabilities in the software layer. A major focus in security today is separating and isolating very sensitive software components from the operating system. Malware and other malicious code looking to steal sensitive information from a target system often succeeds because no barrier separates sensitive processes from memory that is accessible to the normal operating system. With the vTPM, a separate, secure, and isolated area exists for storing cryptographic keys that can be used to attest to the state of the system and the software running on it.
This technology is implemented in VMware vSphere 6.7 and can be added to a new virtual machine or retroactively added to an existing one. When you add the vTPM device to a virtual machine, the VM files are encrypted, as this is where the ultra-secure TPM data is housed. The disks are not encrypted as part of this process. However, disk encryption can be added at the same time or later. It is important to note that no special storage policy is associated with the vTPM virtual hardware or applied when it is added to a VM.
Many have had experience with some type of encryption used in conjunction with a VM in the past. This can certainly affect backups and the ability to create and restore backups.
Can you back up a VM that has the vTPM module added, where the VM home files have been encrypted, as they are by default? Yes, you can.
A couple of important considerations need to be made when thinking about the vTPM module and data protection. It is critical to back up all of the VM files, including the *.nvram file, as this contains the encryption keys used in conjunction with vTPM. Also, make sure to have the encryption key on hand when you perform a restore operation on a vTPM-enabled virtual machine.
One might think that you would need a physical TPM attached to the virtual host in order to add the vTPM. This is not the case. In fact, you can add the vTPM to a virtual machine running on a host that does not have a valid TPM module installed.
Differences between a Physical TPM and a Virtual TPM
A hardware-based TPM is, well, hardware that provides secure storage for keys or credentials. A virtual TPM device provides the same functionality, except in software.
How does this work and how is it secured?
The vTPM device provides a secure location for this kind of information by using the .nvram file to store the secure cryptographic information on disk and securing this file with virtual machine encryption. Again, the home files of the VM, including the .nvram file, are encrypted, and not the virtual disk files. While a physical TPM holds the cryptographic information, including the public and private key, the vTPM device gets its key information initially from the VMware Certificate Authority or from another third-party certificate authority. While the keys in the virtual TPM could be changed, this would invalidate the existing sensitive information in the vTPM and is generally not done.
The VMware encryption process for virtual machines is enabled by the use of a Key Management Server cluster. The KMS cluster is added into vSphere, and then the trust with the KMS cluster is verified to allow the provisioning of encryption keys. To be usable, the KMS cluster must support the Key Management Interoperability Protocol (KMIP) 1.1.
Requirements for vTPM
To use a vTPM, your vSphere environment must meet these requirements:
Virtual machine requirements:
- EFI firmware
- Hardware version 14
Component requirements:
- vCenter Server 6.7 or 6.7 Update 1
- Virtual machine encryption (to encrypt the virtual machine home files)
- Key Management Server (KMS) configured for vCenter Server (virtual machine encryption depends on KMS)
Guest OS support:
- Windows Server 2019 (64 bit)
- Windows Server 2016 (64 bit)
- Windows 10 (64 bit)
Adding the Virtual TPM Module to a Virtual Machine
Adding a vTPM to a new virtual machine is straightforward. You first need to make sure all the prerequisite steps have been performed: adding the KMS cluster to VMware vSphere and establishing trust. The guest operating system needs to run a required version of Windows: Windows 10, Server 2016 or Server 2019. Make sure the VM has also been configured to use EFI firmware.
On the Customize Hardware step of creating a new virtual machine process:
- Click Add New Hardware and select Trusted Platform Module
The process is similar for an existing virtual machine. You simply need to Add New Hardware and add the Trusted Platform Module. Remember, however, that the firmware needs to be EFI firmware; if the VM is not already configured this way, the change will require a reload of the operating system.
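A pre-flight check for the requirements and the add step described above, as an added example that is not part of the original article. It assumes VMware PowerCLI 11 or later with an active Connect-VIServer session; the VM name win2019-app01 and the function name Test-VTpmReadiness are hypothetical.

```powershell
# Added example: checks the vTPM prerequisites listed on this page, then adds the device.
# Assumes VMware PowerCLI 11+ and an existing Connect-VIServer session.
function Test-VTpmReadiness {
    param([Parameter(Mandatory)][string]$VMName)

    $vm  = Get-VM -Name $VMName -ErrorAction Stop
    $cfg = $vm.ExtensionData.Config                      # VirtualMachineConfigInfo

    $hw      = [int]($cfg.Version -replace '^vmx-', '')  # "vmx-14" -> 14
    $hasVTpm = [bool]($cfg.Hardware.Device |
                      Where-Object { $_.GetType().Name -eq 'VirtualTPM' })
    $kms     = @(Get-KmsCluster)                         # KMS clusters registered in vCenter

    [pscustomobject]@{
        VM            = $vm.Name
        PoweredOff    = ($vm.PowerState -eq 'PoweredOff')
        EfiFirmware   = ($cfg.Firmware -eq 'efi')
        HardwareOk    = ($hw -ge 14)       # page lists version 14; later assumed acceptable
        KmsConfigured = ($kms.Count -gt 0)
        HomeEncrypted = ($null -ne $cfg.KeyId)  # set once VM home files are encrypted
        VTpmPresent   = $hasVTpm
        GuestId       = $cfg.GuestId       # compare manually with the supported guest list
    }
}

$r = Test-VTpmReadiness -VMName 'win2019-app01'          # hypothetical VM name
$r | Format-List

if ($r.VTpmPresent) {
    Write-Host "$($r.VM) already has a vTPM."
}
elseif ($r.PoweredOff -and $r.EfiFirmware -and $r.HardwareOk -and $r.KmsConfigured) {
    # Adding the device also encrypts the VM home files (including .nvram).
    New-VTpm -VM (Get-VM -Name $r.VM) | Out-Null
    $after = Test-VTpmReadiness -VMName $r.VM
    Write-Host "vTPM added: $($after.VTpmPresent); home encrypted: $($after.HomeEncrypted)"
}
else {
    # Report which prerequisite failed instead of attempting the change.
    $failed = 'PoweredOff','EfiFirmware','HardwareOk','KmsConfigured' |
              Where-Object { -not $r.$_ }
    Write-Warning "Not adding vTPM to $($r.VM); unmet: $($failed -join ', ')"
}
```

The script refuses to add the device when EFI firmware is missing, because switching firmware on an installed guest requires reloading the operating system.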
Concluding Thoughts
Security mechanisms are a top priority in both hardware devices and software. Today’s virtualization vendors are providing ways to emulate or mimic the features of hardware-based security mechanisms by way of a virtual counterpart to the physical hardware. One such example is the Trusted Platform Module, a hardware-based device that uses cryptographic processing to securely store sensitive information such as keys or credentials.
With the release of VMware vSphere 6.7, VMware has made it possible to emulate the Trusted Platform Module as a vTPM module that is added to virtual machines and that allows the same functionality that is afforded by the hardware-based module. The nice thing about the vTPM is the physical host does not have to be equipped with a TPM module device. The mechanism is taken care of all in software by using the .nvram file to contain the contents of the vTPM hardware. The file is encrypted using virtual machine encryption, made possible by the Key Management Server cluster added to vSphere. By making use of this new feature in vSphere 6.7 and higher environments, organizations can extend a hardware security mechanism into the virtual world effectively and improve the security stance of compatible VMware virtual machines.