Host-based backup of VMware vSphere VMs.
Post Reply
fmarchand
Novice
Posts: 3
Liked: never
Joined: Oct 26, 2023 7:29 am
Full Name: Frederic Marchand
Contact:

[Feature Request] Hybrid mode backup for VM with TPM module

Post by fmarchand »

Adding a TPM module to a VM automatically encrypts VM configuration files and flags the VM as encrypted and disable direct storage access mode for backup.
This prevents general use of TPM module in production VM as we cannot generalize the use of network mode backup without severe performance impacts.

Considering that hard disks are not encrypted, it should be possible to backup configuration files using network mode and backup hard disk using direct storage access.

Please impletment hybrid transport mode where encrypted configuration files are backed up through network and unencrypted hard disk are backed up through direct storage access.
HannesK
Product Manager
Posts: 14643
Liked: 2990 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Post by HannesK »

Hello,
and welcome to the forums.
Considering that hard disks are not encrypted
Hmm, that sounds more like a corner case scenario. What's the purpose of adding a vTPM and then not encrypting the disks? I try to understand the scenario and how often customers would configure that.

Best regards,
Hannes
PS: HotAdd mode is usually faster than network mode and could be an alternative
fmarchand
Novice
Posts: 3
Liked: never
Joined: Oct 26, 2023 7:29 am
Full Name: Frederic Marchand
Contact:

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Post by fmarchand »

The TPM is a security device designed to store secrets.
It can be used in various scenarios, not just encrypting disk

Main example is the configuration of virtualization based security with Credential Guard

In this case, windows use the virtual TPM to protect the credentials. The hard disk is not encrypted and does not need to be.
In this case, the only encrypted files are the configuration files of the VM which can be captured through network in a snap in all cases.

https://blogs.vmware.com/vsphere/2018/0 ... e-6-7.html
HannesK
Product Manager
Posts: 14643
Liked: 2990 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Post by HannesK »

Hello,
yes, I see the use-case. I'm just surprised customers do it :-)

The link mentioned shows that one is technically doing nested virtualization (aka running Hyper-V in VMware). Not many customers I see do that today (it happens from time to time yes, but not many).

But yes, the scenario with credential guard without encryption makes sense.

Best regards,
Hannes
fmarchand
Novice
Posts: 3
Liked: never
Joined: Oct 26, 2023 7:29 am
Full Name: Frederic Marchand
Contact:

Re: [Feature Request] Hybrid mode backup for VM with TPM module

Post by fmarchand »

Stored hashed passwords and kerberos tickets are highly vulnerable and the main cause of security breaches through lateral movements.
The ability to store them securely is a valuable feature.

I don't know if my request is easy to implement or not.
But if that's the case, then it can become a strong added value.
Post Reply

Who is online

Users browsing this forum: No registered users and 21 guests