-
- Enthusiast
- Posts: 59
- Liked: 3 times
- Joined: Sep 30, 2011 11:59 pm
- Full Name: Sam Pierce
- Contact:
vTPM
Hello,
I'm looking to see the impact of vTPM-enabled VMs (not encrypted VMs). Are there any documents or information detailing what impact vTPM has on Veeam backups? Most of what I find assumes that if you're talking about vTPM you're also doing VMDK encryption, which is not what I'm looking at. Basically just enabling vTPM to expose capability to the guest OS (cred guard, etc.).
Thank you.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: vTPM
Hello,
well, it's more than "just enable a vTPM", but from a backup perspective it's not relevant.
It stays "just a VM" (well, it's Hyper-V running on VMware, but we don't care).
By the way: how do you add a vTPM without encrypting the VM on VMware side? As far as I know, that's a requirement.
Best regards,
Hannes
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Hello, I leave here a question that I think is relevant to you, hoping some of you have already discussed this topic:
Does anyone know where the vTPM backup resides on VMware, and if backing up the VCSA in Veeam would lead to saving the vTPM in plaintext on Veeam and thus vanishing the encryption?
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: vTPM
Hello,
Quote: where the vTPM backup reside on VMWARE
I'm not sure what that means.
Quote: VEAM and thus vanishing the encryption
If "the encryption" means VMware native encryption: we get the data in clear text from VMware (I guess it's the same for every backup software operating at vm-level).
If "the encryption" means in-guest encryption: with vm-based backup, a backup software operating at vm-based level will not be able to see the content. Full-VM restore is still possible, but file level restore fails.
Best regards,
Hannes
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Thank you Hannes, this answered my questions!
At this point I wonder what the value of VMware native encryption is in a real use case scenario featuring backups like Veeam, where the encryption key will always be saved in plaintext along with the encrypted data.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: vTPM
The value of encrypted disks / data is that somebody who steals the hardware cannot access it. From the other point of view... who would use VMware encryption if granular restore were impossible? That would force customers to use in-guest agents again to somehow be able to restore a file (well, except instant recovery with manual copy & paste). Most customers want granular restore.
Backups can also be encrypted again on the Veeam side. See here.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
To clarify, we do not get the encryption key in plain text. We are getting the data unencrypted as the encryption happens at a lower level. So HotAdd/NBD deliver unencrypted data. You can enable NBDs and Veeam Transport encryption to encrypt dataflow. Veeam Backup target encryption (there is a FIPS mode if needed) will protect the backups.
Overall, in case of disaster recovery this way is much more valuable, as if something happens to your production environment, you can restore data and do not lose everything.
Last edited by HannesK on Apr 11, 2022 8:54 am, edited 1 time in total.
Reason: fixed typo
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Thank you so much, Hannes and Andreas.
Andreas: you said that the encryption key is never received in plaintext; would you please clarify this aspect? Where does the vTPM reside on VMware and where is its backup on Veeam?
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
You can read 2 pages of the official VMware documentation about this process.
Please read the Encrypted Backup chapter starting from page 119; the process that the vTPM is using is described there as well (on page 120).
https://developer.vmware.com/docs/12703 ... uide--7-0-
-
- Novice
- Posts: 5
- Liked: never
- Joined: Apr 09, 2022 8:38 am
- Full Name: Govanni Pellerano
- Contact:
Re: vTPM
Thank you Andreas, very helpful.
According to this document, the vTPM is encrypted as far as the network encryption service exists (I think it refers to a KMS enabling encryption of the vSAN). I think this means that if only vTPMs and NKP are used, the content of the vTPM and the NVRAM of each VM will be plaintext directly on the vSAN. Please correct me if I'm missing something, and thank you so much for your insights.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
How I read it is that you need the Key Manager to work for vTPMs. This means the content related to the vTPM gets encrypted independent of the storage policy for the VM data. To be honest, it is more of a question for VMware than for Veeam. If the metadata information is stored encrypted, we will not unencrypt this data for backup. But the disk content gets unencrypted before backup (and encrypted again if you restore with a storage policy that forces encryption) by design of VMware.
-
- Veeam Legend
- Posts: 1203
- Liked: 417 times
- Joined: Dec 17, 2015 7:17 am
- Contact:
Re: vTPM
Thanks to this thread we did some restore tests of VMs with vTPM enabled - and we get errors with nearly every restore method. Is it normal that instant disk recovery, instant recovery, VM file restore and so on do not work?
Currently testing full recovery to new VM.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Is the target host configured with the same Key Manager?
I would create a test VM on a host, and then restore to the same host to check if it is working correctly before I try other hosts.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Please check as well here the requirements:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
https://www.veeam.com/wp-vmware-vm-encryption.html
-
- Veeam Legend
- Posts: 1203
- Liked: 417 times
- Joined: Dec 17, 2015 7:17 am
- Contact:
Re: vTPM
Yes, same cluster. I am not talking about encrypted disks, only encrypted config (which is automatic when adding vTPM). Does that also mean we have to encrypt the (Linux) proxy VMs' disks or just add a vTPM and encrypt the proxy config files?
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Hi, thanks for the feedback.
I suggest doing the following:
1) Open a support ticket and upload logs from the failed restore.
2) Share the ticket number here.
3) I will ask support to route the ticket to someone with the needed background knowledge about encryption/vTPM.
Thanks.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
I have updated support management with the ask to route the case.
-
- Service Provider
- Posts: 295
- Liked: 46 times
- Joined: Jun 30, 2015 9:13 am
- Full Name: Stephan Lang
- Location: Austria
- Contact:
Re: vTPM
Aremac wrote (Apr 30, 2020 5:29 pm): I'm looking to see the impact of vTPM-enabled VMs (not encrypted VMs). Are there any documents or information detailing what impact vTPM has on Veeam backups? Most of what I find assumes that if you're talking about vTPM you're also doing VMDK encryption, which is not what I'm looking at. Basically just enabling vTPM to expose capability to the guest OS (cred guard, etc.).
I am exactly in the same spot now... I am enabling vTPM for Windows security features, furthermore BitLocker in Windows...
We also tested VMware encryption, but just for testing's sake...
With vSphere 7 you don't need an external KMS; there is the Native Key Provider, basically a certificate that's stored in vCenter Server and cached on the ESX hosts...
Worst case, what could happen if you lose these keys: you have some BitLocker-encrypted disk you need to configure to a new machine, because the config also won't read without the keys after some time or without vCenter and ESX rebooted, and then you'll need the BitLocker recovery keys...
At least for a virtual privileged access workstation I'll want that... Even more, I consider this for my domain controllers (that run in remote offices); it should protect a bit better from "offline" NTDS.dit dumps, like VMware snapshots etc. Of course backup encryption is a thing too then!!
I'm gonna test single item restore later and see how that works out...
At least with VMware encryption, I did read in the Veeam guide that only NBD and HotAdd are supported... So no direct NFS or storage integration; of course, that can't work anymore.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: vTPM
Just following up on the case 05401295 from above.
We could not reproduce the issue in our lab (it just worked) and the customer environment started to work even from old restore points previously made.
So far the root cause of why the restore was not successful when the ticket was opened has not come to a conclusion. One of the ideas was that the ESXi host or other components were restarted.
@DaStivi if you face issues, please open a support ticket. They can help. Maybe mention there that you have a similar issue to 05401295.