Adding a TPM module to a VM automatically encrypts the VM configuration files, flags the VM as encrypted and disables direct storage access mode for backup.
This prevents general use of a TPM module in production VMs, as we cannot generalize the use of network mode backup without severe performance impacts.
Considering that the hard disks are not encrypted, it should be possible to back up the configuration files using network mode and back up the hard disks using direct storage access.
Please implement a hybrid transport mode where the encrypted configuration files are backed up through the network and the unencrypted hard disks are backed up through direct storage access.
(Posted by Frederic Marchand, Novice)
Hannes Kasparick (Product Manager, Austria)
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Hello,
and welcome to the forums.

> Considering that hard disks are not encrypted

Hmm, that sounds more like a corner case scenario. What's the purpose of adding a vTPM and then not encrypting the disks? I'm trying to understand the scenario and how often customers would configure that.
Best regards,
Hannes
PS: HotAdd mode is usually faster than network mode and could be an alternative
Frederic Marchand (Novice)
Re: [Feature Request] Hybrid mode backup for VM with TPM module
The TPM is a security device designed to store secrets.
It can be used in various scenarios, not just encrypting disks.
The main example is the configuration of virtualization-based security with Credential Guard.
In this case, Windows uses the virtual TPM to protect the credentials. The hard disk is not encrypted and does not need to be.
In this case, the only encrypted files are the configuration files of the VM, which can be captured through the network in a snap in all cases.
https://blogs.vmware.com/vsphere/2018/0 ... e-6-7.html
Hannes Kasparick (Product Manager, Austria)
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Hello,
yes, I see the use-case. I'm just surprised customers do it.
The link mentioned shows that one is technically doing nested virtualization (aka running Hyper-V in VMware). Not many customers I see do that today (it happens from time to time, yes, but not many).
But yes, the scenario with Credential Guard without encryption makes sense.
Best regards,
Hannes
Frederic Marchand (Novice)
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Stored hashed passwords and Kerberos tickets are highly vulnerable and the main cause of security breaches through lateral movement.
The ability to store them securely is a valuable feature.
I don't know if my request is easy to implement or not.
But if that's the case, then it can become a strong added value.