-
- Enthusiast
- Posts: 59
- Liked: 3 times
- Joined: Sep 30, 2011 11:59 pm
- Full Name: Sam Pierce
- Contact:
vTPM
Hello,
I'm looking to see the impact of vTPM enabled VM's (Not Encrypted VM's) Is there any documents or information detailing what impact vTPM has on Veeam backups. Most of what I find is assuming that if you're talking about vTPM your also doing VMDK encryption which is not what I'm looking at. Basically just enabling vTPM to expose capability to the Guest os (cred guard, etc).
Thank you.
I'm looking to see the impact of vTPM enabled VM's (Not Encrypted VM's) Is there any documents or information detailing what impact vTPM has on Veeam backups. Most of what I find is assuming that if you're talking about vTPM your also doing VMDK encryption which is not what I'm looking at. Basically just enabling vTPM to expose capability to the Guest os (cred guard, etc).
Thank you.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: vTPM
Hello,
well, it's more than "just enable a vTPM", but from a backup perspective it's not relevant.
It stays "just a VM" (well, it's Hyper-V running on VMware, but we don't care).
By the way: how do you add a vTPM without encrypting the VM on VMware side? As far as I know, that's a requirement.
Best regards,
Hannes
well, it's more than "just enable a vTPM", but from a backup perspective it's not relevant.
It stays "just a VM" (well, it's Hyper-V running on VMware, but we don't care).
By the way: how do you add a vTPM without encrypting the VM on VMware side? As far as I know, that's a requirement.
Best regards,
Hannes
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Hello, i leave here a questin that i think is relevant to you hoping some of you have already discussed this topic:
Does anyone know where the vTPM backup reside on VMWARE and if backing-up the VCSA in VEAM would lead on saving the VTPM in plaintext on VEAM and thus vanishing the encryption?
Does anyone know where the vTPM backup reside on VMWARE and if backing-up the VCSA in VEAM would lead on saving the VTPM in plaintext on VEAM and thus vanishing the encryption?
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: vTPM
Hello,
if "the encryption" means in-guest encryption: with vm-based backup, a backup software operating at vm-based level will not be able to see the content. Full-VM restore is still possible, but file level restore fails
Best regards,
Hannes
I'm not sure what that means.where the vTPM backup reside on VMWARE
if "the encryption" means VMware native encryption: we get the data in clear text from VMware (I guess it's the same for every backup software operating at vm-level).VEAM and thus vanishing the encryption
if "the encryption" means in-guest encryption: with vm-based backup, a backup software operating at vm-based level will not be able to see the content. Full-VM restore is still possible, but file level restore fails
Best regards,
Hannes
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Thank you Hannes, this answered my questions!
At this point i wonder what is the value of VMware native encryption in a real use case scenario featuring backups like veam wehere the encryption key will be always saved in plaintext along the encrypted data.
At this point i wonder what is the value of VMware native encryption in a real use case scenario featuring backups like veam wehere the encryption key will be always saved in plaintext along the encrypted data.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: vTPM
the value of encrypted disks / data is, that somebody who steals the hardware cannot access it. From the other point of view... who would use VMware encryption if granular restore would be impossible? That would force customers to use in-guest agents again to somehow be able to restore a file (well, except instant recovery with manual copy & paste). Most customers want granular restore
backups can be encrypted also on the Veeam side again. see here
backups can be encrypted also on the Veeam side again. see here
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
To clarify, we do not get the encryption key in plain text. We are getting the data unencrypted as the encryption happens at a lower level. So HotAdd/NBD deliver unencrypted data. You can enable NBDs and Veeam Transport encryption to encrypt dataflow. Veeam Backup target encryption (there is a FIPS mode if needed) will protect the backups.
Overall in case of disaster recovery this way is much more valuable as if something happens to your production environment, you can restore data and do not loose everything.
Overall in case of disaster recovery this way is much more valuable as if something happens to your production environment, you can restore data and do not loose everything.
Last edited by HannesK on Apr 11, 2022 8:54 am, edited 1 time in total.
Reason: fixed typo
Reason: fixed typo
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Thank you so much Hanne and Andreas
Andreas: you told that the encryption key is never received in plaintext; would you please clarify about this aspect? Where does the VTPM reside on vmware and where is its backup on VEAM?
Andreas: you told that the encryption key is never received in plaintext; would you please clarify about this aspect? Where does the VTPM reside on vmware and where is its backup on VEAM?
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
You can read 2 pages of the official VMware documentation about this process.
Please read the Encrypted Backup chapter starting from page 119 as well as the process is described there that the vTPM is using (described at page 120).
https://developer.vmware.com/docs/12703 ... uide--7-0-
Please read the Encrypted Backup chapter starting from page 119 as well as the process is described there that the vTPM is using (described at page 120).
https://developer.vmware.com/docs/12703 ... uide--7-0-
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Thank you Andrea, very helpful.
Up to this document the vTPM is encrypted as far that network encrpyion serive exists (i think it refers to a KMS enabling encryption of the vSAN). I think this means that if only vTPMs and NKP are used the content of the vTPM and the NVRAM of each VM will be plaintext directly on the vSAN. Please correct me if i'm missing something and thank you so much for your insights.
Up to this document the vTPM is encrypted as far that network encrpyion serive exists (i think it refers to a KMS enabling encryption of the vSAN). I think this means that if only vTPMs and NKP are used the content of the vTPM and the NVRAM of each VM will be plaintext directly on the vSAN. Please correct me if i'm missing something and thank you so much for your insights.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
How I read it, is that you need the Key Manager to work for vTPMs. This means the content related to the vTPM get´s encrypted independant of the storage policy for the VM data. To be honest it is more of a question for VMware than for Veeam. If the information metadata information is stored encrypted we will not unencrypt this data for backup. But the disk content get´s unencrypted before backup (and encrypted again if you restore with a storage policy that force encryption) by design of VMware.
-
- Veeam Legend
- Posts: 1203
- Liked: 417 times
- Joined: Dec 17, 2015 7:17 am
- Contact:
Re: vTPM
Thanks to this thread we did some restore tests of VMs with vTPM enabled - and we get errors with nearly every restore method. Is it normal that instant disk recovery, instant recovery, VM file restore and so on do not work?
Currently testing full recovery to new VM.
Currently testing full recovery to new VM.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Is the target host configured with the same Key Manager?
I would create a test VM on a host, and then restore to the same host to check if it is working correctly before I try other hosts.
I would create a test VM on a host, and then restore to the same host to check if it is working correctly before I try other hosts.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Please check as well here the requirements:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
https://www.veeam.com/wp-vmware-vm-encryption.html
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
https://www.veeam.com/wp-vmware-vm-encryption.html
-
- Veeam Legend
- Posts: 1203
- Liked: 417 times
- Joined: Dec 17, 2015 7:17 am
- Contact:
Re: vTPM
Yes, same cluster. I am not talking about encrypted disks, only encrypted config (which is automatic when adding vTPM). Does that also mean we have to encrypt the (linux) proxy VMs disks or just add an vTPM and encrypt the proxy config files?
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Hi thanks for the feedback.
I suggest to do the following:
1) Open a support ticket and upload logs from the failed restore.
2) share the Ticket number here.
3) I will ask support to route the ticket to someone with the needed background knowledge about encryption/vTPM.
Thanks.
I suggest to do the following:
1) Open a support ticket and upload logs from the failed restore.
2) share the Ticket number here.
3) I will ask support to route the ticket to someone with the needed background knowledge about encryption/vTPM.
Thanks.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
I have updated support management with the ask to route the case.
-
- Service Provider
- Posts: 295
- Liked: 46 times
- Joined: Jun 30, 2015 9:13 am
- Full Name: Stephan Lang
- Location: Austria
- Contact:
Re: vTPM
I am exactly in the same spot now... I am enabling vTPM for Windows Security features, further More bitlocker in Windows...Aremac wrote: ↑Apr 30, 2020 5:29 pm I'm looking to see the impact of vTPM enabled VM's (Not Encrypted VM's) Is there any documents or information detailing what impact vTPM has on Veeam backups. Most of what I find is assuming that if you're talking about vTPM your also doing VMDK encryption which is not what I'm looking at. Basically just enabling vTPM to expose capability to the Guest os (cred guard, etc).
We tested also vmware encryption but nljust for tests sake ....
With vspere 7 you don't need an external KMS, there is the nativ Key Provider, basically ah certificate that's stored in vcenter server and cached on the esx Hosts...
Worst case what could happen if you loose these keys, you have some bitlocker encrypted disk you need to configure to ah new machine, because config also won't read without the keys after some time or without vcenter and esx rebooted, and then you'll need the bitlocker recovery keys...
At least for an virtual privileged access workstation I'll want that... Even more i consider this for my Domaincontrollers (that run in remotenoffices ), should protect ah bit better from "offline" NTFS.dit dumps , like VMware snapshots etc.. of course backup encryption is ah thing too then!!
I'll gonna test single item restore later and see how that works out ...
At least with VMware encryption, i did read the veeam guide that only NBD and hotadd is supported... So no direct NFS or storage integration, of course, can't work anymore
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Just following up on the case 05401295 from above.
We could not reproduce the issue in our lab (it just worked) and the customer environment started to work even from old restore points previously made.
So far the root cause issue why the restore was not successfull when the ticket was opened did not came to a conclusion. One of the ideas was that ESXi host or other components were restarted.
@DaStivi if you face issues, please open a support ticket. They can help. Maybe meniton there that you have a similar issue to 05401295.
We could not reproduce the issue in our lab (it just worked) and the customer environment started to work even from old restore points previously made.
So far the root cause issue why the restore was not successfull when the ticket was opened did not came to a conclusion. One of the ideas was that ESXi host or other components were restarted.
@DaStivi if you face issues, please open a support ticket. They can help. Maybe meniton there that you have a similar issue to 05401295.
Who is online
Users browsing this forum: No registered users and 17 guests