Backup and Restore With vTPM

Trusted Platform Module (TPM) is the standard for a dedicated microchip that can store sensitive data, perform cryptographic tasks, and ensure platform integrity by establishing a chain of trust for software loaded onto a machine. It assures integrity by calculating a message digest for each software component that gets loaded and storing that digest in a platform configuration register (PCR).

Enabling vTPM in a Virtual Machine

Virtual TPM (vTPM) is a software implementation of TPM provided in virtual hardware version 14. In other words, vSphere 6.7 offers vTPM for newly created or upgraded VMs. Because vTPM is encrypted, encryption services must be present on the network. Backup and restore of a vTPM enabled VM is similar to backup and restore of an encrypted VM, with these additional requirements.
  • Each involved vCenter Server must be configured with the same key management server (KMS).
  • Before adding the vTPM device to a VM, the ConfigInfo.firmware type must be set to efi, not bios. When you add a VM with an encryption storage policy, vSphere encrypts the VM Home including vTPM.
  • To preserve vTPM in a restored VM, the ConfigInfo.keyId, encryption.bundle, NVRAM file, and vTPM device of the source VM must be saved at backup time, for later restore. Saving an NVRAM file requires use of the HTTP file service.

Backup with vTPM

To back up a vTPM enabled VM, follow these steps, as in the sample code below.
  1. Back up the keyId and encryption.bundle of the source VM from configInfo.
  2. Back up the vTPM device of the source VM from configInfo.
  3. Back up property firmware of the source VM from configInfo.
    // get source VM config
    VirtualMachineConfigInfo sourceVmConfigInfo = ... ;

    // save keyId
    CryptoKeyId keyId = sourceVmConfigInfo.getKeyId();

    // save encryption.bundle, which is in extraConfig
    List<OptionValue> extraCfg = sourceVmConfigInfo.getExtraConfig();

    // save firmware
    String firmware = sourceVmConfigInfo.getFirmware();

    // save vTPM device
    VirtualDevice vtpmDevice = null;
    for (VirtualDevice virtualDevice : sourceVmConfigInfo.getHardware().getDevice()) {
        if (virtualDevice instanceof VirtualTPM) {
            vtpmDevice = virtualDevice;
        }
        // save other devices
        // ...
    }

    // save nvram file
    byte[] nvramByteAry = vsphereFileServiceClient.download(sourceVmNvramFilePath);

Restoring With vTPM

To restore a vTPM enabled VM, follow these steps, as in the sample code below.
  1. Configure a VM with the same keyId and encryption.bundle as the source (requires the same KMS).
  2. Make sure an encryption storage policy exists and is assigned to the VM. See "Create an Encryption Storage Policy" in the vSphere Web Services SDK Programming Guide.
  3. Configure this VM with the same firmware property and vTPM device as the source VM.
  4. Restore NVRAM using the HTTP service. Again, see section "HTTP Access to vSphere Server Files" in the vSphere Web Services SDK Programming Guide.
    // create configSpec for VM to be created
    VirtualMachineConfigSpec configSpec = new VirtualMachineConfigSpec();

    // set keyId
    CryptoSpecEncrypt cryptoSpec = new CryptoSpecEncrypt();
    cryptoSpec.setCryptoKeyId(keyId);
    configSpec.setCrypto(cryptoSpec);

    // set encryption.bundle
    configSpec.setExtraConfig(extraCfg);

    //
    // set PbmProfile for encryption
    // For complete code, see Example: Java program to set storage policy for encryption.
    //
    // public class CreateVMEncryptionProfile extends ConnectedServiceBase {
    //     private PbmServiceInstanceContent spbmsc;
    //     private String profileName;
    //     ...
    //     for (PbmCapabilityVendorResourceTypeInfo vendor : vendorInfo)
    //         for (PbmCapabilityVendorNamespaceInfo vnsi : vendor.getVendorNamespaceInfo())
    //             if (vnsi.getNamespaceInfo().getNamespace().equals("vmwarevmcrypt")) {
    //                 encryptionCapable = true;
    //                 break;
    //             }
    //     ...

    // set firmware
    configSpec.setFirmware(firmware);

    // set vTPM device
    VirtualDeviceConfigSpec vtpmDeviceConfig = new VirtualDeviceConfigSpec();
    vtpmDeviceConfig.setOperation(VirtualDeviceConfigSpecOperation.ADD);
    vtpmDeviceConfig.setFileOperation(null);
    vtpmDeviceConfig.setDevice(vtpmDevice);
    configSpec.getDeviceChange().add(vtpmDeviceConfig);

    // set other properties and then create restore VM
    // ...

    // upload nvram
    vsphereFileServiceClient.upload(restoreVmNvramFilePath, nvramByteAry);
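The requirements listed above (same KMS, efi firmware, saved keyId, encryption.bundle, vTPM device and NVRAM) are easy to miss between backup and restore, so the following added example, which is not part of the original page or of the vSphere SDK, checks them before the restore spec is built. The VtpmBackupBundle class, its checkRestorable method and the targetKmsId parameter are assumptions; the vim25 types and getters are those used by the page's sample code.

```java
import java.util.List;
import com.vmware.vim25.CryptoKeyId;
import com.vmware.vim25.OptionValue;
import com.vmware.vim25.VirtualDevice;
import com.vmware.vim25.VirtualTPM;

/** Hypothetical holder for the artifacts the backup steps above must save. */
public final class VtpmBackupBundle {
    final CryptoKeyId keyId;              // ConfigInfo.keyId of the source VM
    final List<OptionValue> extraConfig;  // must carry encryption.bundle
    final String firmware;                // must be "efi" for a vTPM VM
    final VirtualDevice vtpmDevice;       // the VirtualTPM device from the source
    final byte[] nvram;                   // NVRAM file fetched via the HTTP file service

    VtpmBackupBundle(CryptoKeyId keyId, List<OptionValue> extraConfig, String firmware,
                     VirtualDevice vtpmDevice, byte[] nvram) {
        this.keyId = keyId;
        this.extraConfig = extraConfig;
        this.firmware = firmware;
        this.vtpmDevice = vtpmDevice;
        this.nvram = nvram;
    }

    /**
     * Fail fast if any restore precondition from the page is not met.
     * targetKmsId (assumed) is the KMS cluster id the destination vCenter is configured with;
     * it must match the provider that issued the source VM's key.
     */
    void checkRestorable(String targetKmsId) {
        if (keyId == null || keyId.getProviderId() == null) {
            throw new IllegalStateException("source VM has no keyId; it was not encrypted");
        }
        if (!targetKmsId.equals(keyId.getProviderId().getId())) {
            throw new IllegalStateException("key provider " + keyId.getProviderId().getId()
                    + " differs from destination KMS " + targetKmsId);
        }
        if (!"efi".equalsIgnoreCase(firmware)) {
            throw new IllegalStateException("vTPM requires firmware=efi, found " + firmware);
        }
        boolean hasBundle = extraConfig != null && extraConfig.stream().anyMatch(
                o -> "encryption.bundle".equals(o.getKey()) && o.getValue() != null);
        if (!hasBundle) {
            throw new IllegalStateException("encryption.bundle missing from extraConfig");
        }
        if (!(vtpmDevice instanceof VirtualTPM)) {
            throw new IllegalStateException("no VirtualTPM device was saved from the source VM");
        }
        if (nvram == null || nvram.length == 0) {
            throw new IllegalStateException("NVRAM file was not downloaded at backup time");
        }
    }
}
```

Call checkRestorable before constructing the VirtualMachineConfigSpec so a mismatched KMS or a bios firmware setting is caught before the VM is created without its vTPM state.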