Backup and Restore With vTPM
Trusted platform module (TPM) is the standard for a dedicated microchip that can store sensitive data, perform cryptographic tasks, and ensure platform integrity by establishing a chain of trust for software loaded onto a machine. It assures integrity by calculating a message digest for each software component that gets loaded and storing that digest in a platform configuration register (PCR).
Enabling vTPM in a Virtual Machine
Virtual TPM (vTPM) is a software implementation of TPM provided in virtual hardware version 14. In other words, vSphere 6.7 offers vTPM for newly created or upgraded VMs. Because vTPM is encrypted, encryption services must be present on the network. Backup and restore of a vTPM enabled VM is similar to backup and restore of an encrypted VM, with these additional requirements.
- Each involved vCenter Server must be configured with the same key management server (KMS).
- Before adding the vTPM device to a VM, the ConfigInfo.firmware type must be set to efi, not bios. When you add a VM with an encryption storage policy, vSphere encrypts the VM Home, including the vTPM.
- To preserve the vTPM in a restored VM, the ConfigInfo.keyId, encryption.bundle, NVRAM file, and vTPM device of the source VM must be saved at backup time for later restore. Saving an NVRAM file requires use of the HTTP file service.
Backup with vTPM
To back up a vTPM enabled VM, follow these steps, as in the sample code below.
- Back up the keyId and encryption.bundle of the source VM from configInfo.
- Back up the vTPM device of the source VM from configInfo.
- Back up the firmware property of the source VM from configInfo.
    // get source VM config
    VirtualMachineConfigInfo sourceVmConfigInfo = ... ;

    // save keyId
    CryptoKeyId keyId = sourceVmConfigInfo.getKeyId();

    // save encryption.bundle, which is in extraConfig
    List<OptionValue> extraCfg = sourceVmConfigInfo.getExtraConfig();

    // save firmware
    String firmware = sourceVmConfigInfo.getFirmware();

    // save vTPM device
    VirtualDevice vtpmDevice = null;
    for (VirtualDevice virtualDevice : sourceVmConfigInfo.getHardware().getDevice()) {
        if (virtualDevice instanceof VirtualTPM) {
            vtpmDevice = virtualDevice;
        }
        // save other devices
        // ...
    }

    // save nvram file (requires the HTTP file service)
    byte[] nvramByteAry = vsphereFileServiceClient.download(sourceVmNvramFilePath);
Restoring With vTPM
To restore a vTPM enabled VM, follow these steps, as in the sample code below.
- Configure a VM with the same keyId and encryption.bundle as the source (requires the same KMS).
- Make sure an encryption storage policy exists and is assigned to the VM. See "Create an Encryption Storage Policy" in the vSphere Web Services SDK Programming Guide.
- Configure this VM with the same firmware property and vTPM device as the source VM.
- Restore the NVRAM file using the HTTP file service. Again, see the section "HTTP Access to vSphere Server Files" in the vSphere Web Services SDK Programming Guide.
    // create configSpec for VM to be created
    VirtualMachineConfigSpec configSpec = new VirtualMachineConfigSpec();

    // set keyId
    CryptoSpecEncrypt cryptoSpec = new CryptoSpecEncrypt();
    cryptoSpec.setCryptoKeyId(keyId);
    configSpec.setCrypto(cryptoSpec);

    // set encryption.bundle
    configSpec.setExtraConfig(extraCfg);

    //
    // set PbmProfile for encryption
    // For complete code, see Example: Java program to set storage policy for encryption.
    //
    // public class CreateVMEncryptionProfile extends ConnectedServiceBase {
    //     private PbmServiceInstanceContent spbmsc;
    //     private String profileName;
    //     ...
    //     for (PbmCapabilityVendorResourceTypeInfo vendor : vendorInfo)
    //         for (PbmCapabilityVendorNamespaceInfo vnsi : vendor.getVendorNamespaceInfo())
    //             if (vnsi.getNamespaceInfo().getNamespace().equals("vmwarevmcrypt")) {
    //                 encryptionCapable = true;
    //                 break;
    //             }
    //     ...

    // set firmware
    configSpec.setFirmware(firmware);

    // set vTPM device
    VirtualDeviceConfigSpec vtpmDeviceConfig = new VirtualDeviceConfigSpec();
    vtpmDeviceConfig.setOperation(VirtualDeviceConfigSpecOperation.ADD);
    vtpmDeviceConfig.setFileOperation(null);
    vtpmDeviceConfig.setDevice(vtpmDevice);
    configSpec.getDeviceChange().add(vtpmDeviceConfig);

    // set other properties and then create the restore VM
    // ...

    // upload nvram (requires the HTTP file service)
    vsphereFileServiceClient.upload(restoreVmNvramFilePath, nvramByteAry);
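As an added example (not from the VMware documentation or SDK), the following Python checks that a backup captured every item the requirements and backup steps above call for, and that the restore target can actually use it (same KMS, EFI firmware, vTPM device, NVRAM). The SDK objects are replaced by plain dicts that mirror the ConfigInfo field names (keyId with providerId, extraConfig, firmware, hardware.device); the sample VM and the KMS cluster id are constructed.

```python
REQUIRED_FIRMWARE = "efi"          # vTPM requires EFI firmware, not BIOS
BUNDLE_KEY = "encryption.bundle"   # extraConfig option carrying the key bundle


def build_vtpm_backup(config_info, nvram_bytes):
    """Collect what must be saved from ConfigInfo at backup time."""
    bundle = next((o["value"] for o in config_info["extraConfig"]
                   if o["key"] == BUNDLE_KEY), None)
    vtpm = next((d for d in config_info["hardware"]["device"]
                 if d["type"] == "VirtualTPM"), None)
    return {
        "keyId": config_info.get("keyId"),      # CryptoKeyId: keyId + providerId
        "encryptionBundle": bundle,
        "firmware": config_info.get("firmware"),
        "vtpmDevice": vtpm,
        "nvram": nvram_bytes,                   # downloaded via the HTTP file service
    }


def check_restore_preconditions(backup, target_kms_cluster_ids):
    """Return the problems that would make the restore lose the vTPM; empty means OK."""
    problems = []
    key = backup.get("keyId")
    if not key:
        problems.append("keyId missing: source VM was not encrypted")
    elif key.get("providerId") not in target_kms_cluster_ids:
        # Same KMS on every involved vCenter Server: the key provider id
        # recorded in the backup must exist on the restore target.
        problems.append(f"KMS cluster {key.get('providerId')!r} not configured on target")
    if not backup.get("encryptionBundle"):
        problems.append("encryption.bundle missing from extraConfig")
    if backup.get("firmware") != REQUIRED_FIRMWARE:
        problems.append(f"firmware is {backup.get('firmware')!r}, vTPM needs {REQUIRED_FIRMWARE!r}")
    if backup.get("vtpmDevice") is None:
        problems.append("no VirtualTPM device captured from hardware.device")
    if not backup.get("nvram"):
        problems.append("NVRAM file not captured")
    return problems


# Constructed sample: an EFI VM encrypted under KMS cluster "kms-cluster-1".
SAMPLE_CONFIG = {
    "keyId": {"keyId": "0000-key-0001", "providerId": "kms-cluster-1"},
    "extraConfig": [{"key": BUNDLE_KEY, "value": "<opaque bundle>"}],
    "firmware": "efi",
    "hardware": {"device": [{"type": "VirtualTPM", "key": 11000}]},
}
```

Run the checks against the target vCenter's KMS cluster ids before calling the restore code, so a mismatched KMS or a BIOS-firmware source is caught before a VM is created without its vTPM.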