[Feature Request] Hybrid mode backup for VM with TPM module

fmarchand · Post by **fmarchand** » Oct 26, 2023 7:45 am this post

Adding a TPM module to a VM automatically encrypts VM configuration files and flags the VM as encrypted and disable direct storage access mode for backup.
This prevents general use of TPM module in production VM as we cannot generalize the use of network mode backup without severe performance impacts.

Considering that hard disks are not encrypted, it should be possible to backup configuration files using network mode and backup hard disk using direct storage access.

Please impletment hybrid transport mode where encrypted configuration files are backed up through network and unencrypted hard disk are backed up through direct storage access.

Post by **HannesK** » Nov 07, 2023 11:58 am this post

Hello,
and welcome to the forums.

Considering that hard disks are not encrypted

Hmm, that sounds more like a corner case scenario. What's the purpose of adding a vTPM and then not encrypting the disks? I try to understand the scenario and how often customers would configure that.

Best regards,
Hannes
PS: HotAdd mode is usually faster than network mode and could be an alternative

fmarchand · Post by **fmarchand** » Nov 07, 2023 2:33 pm this post

The TPM is a security device designed to store secrets.
It can be used in various scenarios, not just encrypting disk

Main example is the configuration of virtualization based security with Credential Guard

In this case, windows use the virtual TPM to protect the credentials. The hard disk is not encrypted and does not need to be.
In this case, the only encrypted files are the configuration files of the VM which can be captured through network in a snap in all cases.

https://blogs.vmware.com/vsphere/2018/0 ... e-6-7.html

Post by **HannesK** » Nov 08, 2023 11:21 am this post

Hello,
yes, I see the use-case. I'm just surprised customers do it

The link mentioned shows that one is technically doing nested virtualization (aka running Hyper-V in VMware). Not many customers I see do that today (it happens from time to time yes, but not many).

But yes, the scenario with credential guard without encryption makes sense.

Best regards,
Hannes

fmarchand · Post by **fmarchand** » Nov 08, 2023 12:33 pm this post

Stored hashed passwords and kerberos tickets are highly vulnerable and the main cause of security breaches through lateral movements.
The ability to store them securely is a valuable feature.

I don't know if my request is easy to implement or not.
But if that's the case, then it can become a strong added value.

R&D Forums

[Feature Request] Hybrid mode backup for VM with TPM module

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Who is online