Secure Your Virtual Machines with TPMs in Polar Clouds

Creating Virtual Machines with Trusted Platform Modules (TPMs) in vSphere

In this blog post, we will explore how to create virtual machines (VMs) that require Trusted Platform Modules (TPMs) to function. We will look at how to set up a Native Key Provider in vSphere and use it to provision VMs with vTPMs. We will also demonstrate what happens when we simulate the loss of a Key Provider and how to restore it.

What is a Trusted Platform Module?

A Trusted Platform Module (TPM) is a dedicated secure cryptoprocessor that protects a computer using cryptographic keys it holds internally. In simpler terms, it acts like a security alarm for your computer (or virtual machine), helping to keep hackers and malware from accessing data. Some modern operating systems, such as Windows 11, require a TPM unless workarounds are applied. Therefore, to run Windows 11 as a virtual machine, the VM needs a virtual TPM, or vTPM.

Setting up a Native Key Provider in vSphere

Before we can provision VMs with vTPMs, we need a key provider. For deployments of vSphere 7.0 Update 2 or later, vCenter includes a built-in key provider called the vSphere Native Key Provider. To set up a Native Key Provider, follow these steps:

1. From the vSphere client, select the vCenter instance at the top of the inventory list.

2. Select Configure > Security > Add > Add Native Key Provider.

3. Name the provider.

4. After the provider is created, but before it can be used, its configuration must be backed up. Select Back Up to continue.

5. Supply a suitably complex password and select Back Up Key Provider.

6. Once the backup completes, the provider becomes active and available for use.

Creating a Windows 11 VM with a vTPM

Let’s now create a Windows 11 VM with a vTPM. For brevity, I’ll cover just the salient points below:

1. During Windows 11 VM creation, the wizard shows that the VM will be provisioned with a vTPM.

2. Reviewing the VM configuration before completing the wizard, everything looks correct.

3. Let’s fire our VM up.

4. Install Windows 11.

5. Looking at the virtual hardware from within the Windows installation in the VM, the TPM is visible.

Simulating the Loss of a Key Provider

Let’s simulate the loss of a Key Provider to see how our VM behaves. Follow these steps:

1. Delete the Key Provider.

2. Let’s see if our Windows VM will continue to operate correctly. Power on the VM.

3. As expected, the VM fails to boot because the Key Provider is no longer available.

4. Next, I’ll power off and remove the VM from the vCenter inventory.

5. Let’s restore the backup we took during creation of the Native Key Provider, before it could be activated.

6. With the key provider restored, let’s try to unlock our VM again.

7. Finally, let’s power the VM on.
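To make the dependency concrete, here is an added worked model, written for this post and not vSphere's own code, of the relationship that both the mandatory backup step in the provider setup and the loss-and-restore exercise above rely on: the provider holds a key-encryption key (KEK), each VM's vTPM state is encrypted with a per-VM data-encryption key (DEK) that is stored only wrapped by that KEK, and the provider backup is the KEK sealed under a password-derived key. It uses only the Python standard library, so an HMAC-SHA256 counter-mode construction and PBKDF2 stand in for whatever vSphere actually uses (the post does not describe the real formats or algorithms); the provider name, passphrase, iteration count and vTPM contents are constructed placeholders.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # constructed value for this model


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (or wrong backup password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or corrupted data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class NativeKeyProvider:
    """Model of the vCenter-side provider: holds the KEK and only wraps VM keys
    once it has been backed up (mirrors the 'back up before use' rule)."""

    def __init__(self, name: str, kek: bytes = b"", backed_up: bool = False):
        self.name = name
        self._kek = kek or secrets.token_bytes(32)
        self.backed_up = backed_up

    def backup(self, password: str) -> bytes:
        """Export the KEK sealed under a PBKDF2 password key; this activates the provider."""
        salt = secrets.token_bytes(16)
        pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.backed_up = True
        return salt + seal(pw_key, self._kek)

    @classmethod
    def restore(cls, name: str, backup_blob: bytes, password: str) -> "NativeKeyProvider":
        """Rebuild the provider from a backup; raises ValueError on a wrong password."""
        salt, sealed_kek = backup_blob[:16], backup_blob[16:]
        pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return cls(name, kek=unseal(pw_key, sealed_kek), backed_up=True)

    def wrap(self, dek: bytes) -> bytes:
        if not self.backed_up:
            raise RuntimeError(f"key provider '{self.name}' is not active: back it up first")
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return unseal(self._kek, wrapped_dek)


class VirtualMachine:
    """A VM whose vTPM state is encrypted with a per-VM DEK; the DEK is kept only
    in KEK-wrapped form, so nothing on the VM side can be used without the provider."""

    def __init__(self, name: str, provider: NativeKeyProvider):
        self.name, self.provider_name = name, provider.name
        dek = secrets.token_bytes(32)
        self.wrapped_dek = provider.wrap(dek)
        self.vtpm_state = seal(dek, b"vTPM state for " + name.encode())  # constructed content

    def power_on(self, providers: dict) -> bytes:
        """Boot needs the provider to unwrap the DEK; without it the VM stays locked."""
        provider = providers.get(self.provider_name)
        if provider is None:
            raise RuntimeError(f"{self.name}: key provider '{self.provider_name}' missing, VM locked")
        return unseal(provider.unwrap(self.wrapped_dek), self.vtpm_state)


def run_scenario(password: str = "constructed-backup-passphrase") -> dict:
    """Walk the post's sequence: create provider, back up, build VM, lose provider, restore."""
    results, providers = {}, {}
    nkp = NativeKeyProvider("NKP-lab")  # constructed provider name
    try:
        VirtualMachine("win11", nkp)
        results["vm_before_backup_refused"] = False
    except RuntimeError:
        results["vm_before_backup_refused"] = True
    backup = nkp.backup(password)
    providers[nkp.name] = nkp
    vm = VirtualMachine("win11", nkp)
    results["boots_with_provider"] = vm.power_on(providers).startswith(b"vTPM state")
    del providers[nkp.name]  # simulate deleting the key provider from vCenter
    try:
        vm.power_on(providers)
        results["boots_after_loss"] = True
    except RuntimeError:
        results["boots_after_loss"] = False
    try:
        NativeKeyProvider.restore(nkp.name, backup, "wrong-passphrase")
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    providers[nkp.name] = NativeKeyProvider.restore(nkp.name, backup, password)
    results["boots_after_restore"] = vm.power_on(providers).startswith(b"vTPM state")
    return results


if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step}: {ok}")
```

Two points the model makes visible: the VM's files never hold a usable key on their own, so deleting the provider leaves the wrapped DEK unrecoverable no matter what else is backed up, and the provider backup is only as strong as the password it is sealed under, which is why the post asks for a suitably complex one.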

Conclusion

With a bit of upfront configuration, deploying VMs running TPM-requiring modern operating systems such as Windows 11 is simple enough when using the vSphere Native Key Provider. By following the steps outlined in this post, you can easily create VMs with vTPMs and ensure that your data remains secure. Remember to back up your key provider configuration before making any changes, and test the restoration of the key provider to ensure that you can unlock your VM in case of a loss.