Host-based backup of Microsoft Hyper-V VMs.
Anders
Enthusiast
Posts: 58
Liked: 13 times
Joined: Sep 09, 2010 9:45 am
Full Name: Anders Lorensen

vTPM VMs

Post by Anders »

Hi

I have a customer who requested a vTPM module for their VMs we host for them on Hyper-V 2016.

I am wondering what Veeam supports and doesn't support in this regard. The documentation doesn't really tell much. (Maybe because nothing is supported?)

When adding a vTPM 2.0 module to a VM, 2 certificates are created on the Hyper-V certificate store. Are those backed up, when the VM is backed up?
Are they added to tape if I have a backup to tape job of a VM with vTPM?
Are they restored when a full VM restore is performed?

What if I do a replica of the VM? Are those certificates copied to the replica host? Or would that work at all? (Are certificates tied to the UUID? Do replica VMs have the same UUID?)

What if I do a full VM restore to an alternative location with a new UUID?

In short, does Veeam handle all this stuff, or is it better to "just say no" and avoid vTPM for the time being, until it is more mature and supported by the full ecosystem, including Veeam?

Thanks for any and all answers!
Egor Yakovlev
Product Manager
Posts: 2578
Liked: 707 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic

Re: vTPM VMs

Post by Egor Yakovlev »

Hi Anders,

I guess you are looking for Shielded VM protection.
[For Hyper-V 2016 and later] Veeam Backup & Replication cannot interact with the guest OS of a shielded VM and get information about its OS, IP address and so on. For this reason, the following operations are not supported for shielded VMs:
- Application-aware image processing
- Restore of VM guest OS files to the original location
- Restore of application items to the original location
[For Hyper-V 2016 and later] Shielded VMs can run only on trusted hosts guarded with the Host Guardian Service. Bear it in mind when selecting a target host for VM replication or VM restore. If the target host is not guarded with the same Host Guardian Service as the source host, you will not be able to power on the replicated or restored VM.
/Cheers!
Anders
Enthusiast
Posts: 58
Liked: 13 times
Joined: Sep 09, 2010 9:45 am
Full Name: Anders Lorensen

Re: vTPM VMs

Post by Anders »

Shielded VMs and a TPM 2.0 device in a VM are not the exact same thing. TPM is a sub-feature of a shielded VM.

vTPM can be used for credential guard for example, without encrypting the whole VM.

But the last part of your answer tells me that Veeam is not aware of the certificates, and relies on HGS to keep those secure. Which means we need some other sort of backup solution for the certificates, if we go ahead with using TPM devices.

Might be an idea for Veeam to look into these technologies and put support for them on the roadmap, as Windows 11 loves TPM 2.0 for example, and backup of the "TPM device" seems like a pretty essential feature in the near future.
nmdange
Veteran
Posts: 528
Liked: 144 times
Joined: Aug 20, 2015 9:30 pm

Re: vTPM VMs

Post by nmdange »

Keep in mind, if you assign a vTPM without using HGS, the certificates are stored locally to that host. You can't use HA/clustering or otherwise move the VM to another host without manually exporting and importing that certificate. That's even without Veeam in the picture. You'd be better off setting up HGS, and just using the "encryption supported" option on your VMs rather than full shielding. Then you can perform the necessary backups on the HGS itself.
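The manual certificate handling nmdange describes (export the local guardian's certificates from the original host, import them on whichever host has to start the VM) can be scripted so that the certificates land in a backup job of their own, since the VM backup does not carry them. The script below is an added example for illustration, not code from this thread, from Veeam or from Microsoft. It assumes the host has no HGS and uses Hyper-V's default local guardian named `UntrustedGuardian`, that the guardian's certificates live in the `Shielded VM Local Certificates` machine store, and a placeholder export folder; it must run elevated on the Hyper-V host.

```powershell
<#
  Added example (not from the thread, Veeam or Microsoft).
  Inventories the vTPM-enabled VMs on a Hyper-V host that has no HGS, checks
  that the local guardian's private keys are present, and exports both
  guardian certificates to password-protected PFX files for separate backup.
  Assumptions: guardian name 'UntrustedGuardian' (Hyper-V's default when vTPM
  is enabled without HGS), store 'Shielded VM Local Certificates', and a
  placeholder export directory. Run elevated on the Hyper-V host.
#>
param(
    [string]$GuardianName = 'UntrustedGuardian',
    [string]$ExportDir    = 'D:\Backup\vTPM-Guardian'   # placeholder, adjust
)

$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'

# 1. Which VMs on this host depend on the local guardian? Every VM listed
#    here cannot be powered on by a host that lacks the guardian's private keys.
$tpmVms = Get-VM | Where-Object { (Get-VMSecurity -VM $_).TpmEnabled }
if (-not $tpmVms) { Write-Host 'No vTPM-enabled VMs on this host.' }
$tpmVms | Select-Object Name, Id, State | Format-Table -AutoSize

# 2. Locate the guardian and its two certificates (encryption and signing).
$guardian    = Get-HgsGuardian -Name $GuardianName -ErrorAction Stop
$thumbprints = @($guardian.EncryptionCertificate.Thumbprint,
                 $guardian.SigningCertificate.Thumbprint)
$certs = @(Get-ChildItem -Path $StorePath |
           Where-Object { $_.Thumbprint -in $thumbprints })
if ($certs.Count -ne 2) {
    throw "Expected 2 guardian certificates in '$StorePath', found $($certs.Count)."
}

# 3. Refuse to 'back up' something that would not restore: a PFX without the
#    private key cannot unseal the vTPM state on the restore host.
foreach ($cert in $certs) {
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key on this host."
    }
}

# 4. Export both certificates. Export-PfxCertificate fails if the private key
#    was generated as non-exportable; find that out now, not during a restore.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($cert in $certs) {
    $label = if ($cert.Thumbprint -eq $guardian.SigningCertificate.Thumbprint) { 'signing' } else { 'encryption' }
    $file  = Join-Path $ExportDir ('{0}-{1}-{2}.pfx' -f $env:COMPUTERNAME, $GuardianName, $label)
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword | Out-Null
    Write-Host "Exported $label certificate $($cert.Thumbprint) -> $file"
}

# Restore side (run on the target host, e.g. after a full VM restore or before
# failing over a replica): import both PFX files into the same store, then
# confirm that the guardian and the VM's key protector are visible.
#   Get-ChildItem "$ExportDir\*.pfx" | ForEach-Object {
#       Import-PfxCertificate -FilePath $_.FullName -CertStoreLocation $StorePath -Password $pfxPassword
#   }
#   Get-HgsGuardian -Name $GuardianName
#   Get-VMKeyProtector -VMName '<restored VM name>'
```

The point of step 3 is the one the thread is circling around: the VM backup, tape copy or replica only ever contains the key protector in the VM configuration, and that key protector is only useful on a host that holds the guardian's private keys. Treat the exported PFX files and their password like any other secret in the backup set (store them encrypted and off the host) and re-run the export whenever a new local guardian is created, since a host that loses these keys can no longer start any VM sealed to them.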