Discussions specific to the VMware vSphere hypervisor
Post Reply
Aremac
Enthusiast
Posts: 59
Liked: 3 times
Joined: Sep 30, 2011 11:59 pm
Full Name: Sam Pierce
Contact:

vTPM

Post by Aremac »

Hello,

I'm looking to see the impact of vTPM enabled VM's (Not Encrypted VM's) Is there any documents or information detailing what impact vTPM has on Veeam backups. Most of what I find is assuming that if you're talking about vTPM your also doing VMDK encryption which is not what I'm looking at. Basically just enabling vTPM to expose capability to the Guest os (cred guard, etc).

Thank you.

HannesK
Veeam Software
Posts: 12483
Liked: 2392 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: vTPM

Post by HannesK »

Hello,
well, it's more than "just enable a vTPM", but from a backup perspective it's not relevant.

It stays "just a VM" (well, it's Hyper-V running on VMware, but we don't care).

By the way: how do you add a vTPM without encrypting the VM on VMware side? As far as I know, that's a requirement.

Best regards,
Hannes

evilaliv3
Novice
Posts: 5
Liked: never
Joined: Apr 09, 2022 8:38 am
Full Name: Govanni Pellerano
Contact:

Re: vTPM

Post by evilaliv3 »

Hello, i leave here a questin that i think is relevant to you hoping some of you have already discussed this topic:

Does anyone know where the vTPM backup reside on VMWARE and if backing-up the VCSA in VEAM would lead on saving the VTPM in plaintext on VEAM and thus vanishing the encryption?

HannesK
Veeam Software
Posts: 12483
Liked: 2392 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: vTPM

Post by HannesK » 1 person likes this post

Hello,
where the vTPM backup reside on VMWARE
I'm not sure what that means.
VEAM and thus vanishing the encryption
if "the encryption" means VMware native encryption: we get the data in clear text from VMware (I guess it's the same for every backup software operating at vm-level).
if "the encryption" means in-guest encryption: with vm-based backup, a backup software operating at vm-based level will not be able to see the content. Full-VM restore is still possible, but file level restore fails

Best regards,
Hannes

evilaliv3
Novice
Posts: 5
Liked: never
Joined: Apr 09, 2022 8:38 am
Full Name: Govanni Pellerano
Contact:

Re: vTPM

Post by evilaliv3 »

Thank you Hannes, this answered my questions!

At this point i wonder what is the value of VMware native encryption in a real use case scenario featuring backups like veam wehere the encryption key will be always saved in plaintext along the encrypted data. :)

HannesK
Veeam Software
Posts: 12483
Liked: 2392 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: vTPM

Post by HannesK » 2 people like this post

the value of encrypted disks / data is, that somebody who steals the hardware cannot access it. From the other point of view... who would use VMware encryption if granular restore would be impossible? That would force customers to use in-guest agents again to somehow be able to restore a file (well, except instant recovery with manual copy & paste). Most customers want granular restore :-)

backups can be encrypted also on the Veeam side again. see here

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert » 2 people like this post

To clarify, we do not get the encryption key in plain text. We are getting the data unencrypted as the encryption happens at a lower level. So HotAdd/NBD deliver unencrypted data. You can enable NBDs and Veeam Transport encryption to encrypt dataflow. Veeam Backup target encryption (there is a FIPS mode if needed) will protect the backups.

Overall in case of disaster recovery this way is much more valuable as if something happens to your production environment, you can restore data and do not loose everything.
Last edited by HannesK on Apr 11, 2022 8:54 am, edited 1 time in total.
Reason: fixed typo

evilaliv3
Novice
Posts: 5
Liked: never
Joined: Apr 09, 2022 8:38 am
Full Name: Govanni Pellerano
Contact:

Re: vTPM

Post by evilaliv3 »

Thank you so much Hanne and Andreas

Andreas: you told that the encryption key is never received in plaintext; would you please clarify about this aspect? Where does the VTPM reside on vmware and where is its backup on VEAM?

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert » 1 person likes this post

You can read 2 pages of the official VMware documentation about this process.
Please read the Encrypted Backup chapter starting from page 119 as well as the process is described there that the vTPM is using (described at page 120).
https://developer.vmware.com/docs/12703 ... uide--7-0-

evilaliv3
Novice
Posts: 5
Liked: never
Joined: Apr 09, 2022 8:38 am
Full Name: Govanni Pellerano
Contact:

Re: vTPM

Post by evilaliv3 »

Thank you Andrea, very helpful.

Up to this document the vTPM is encrypted as far that network encrpyion serive exists (i think it refers to a KMS enabling encryption of the vSAN). I think this means that if only vTPMs and NKP are used the content of the vTPM and the NVRAM of each VM will be plaintext directly on the vSAN. Please correct me if i'm missing something and thank you so much for your insights.

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert »

How I read it, is that you need the Key Manager to work for vTPMs. This means the content related to the vTPM get´s encrypted independant of the storage policy for the VM data. To be honest it is more of a question for VMware than for Veeam. If the information metadata information is stored encrypted we will not unencrypt this data for backup. But the disk content get´s unencrypted before backup (and encrypted again if you restore with a storage policy that force encryption) by design of VMware.

mkretzer
Veeam Legend
Posts: 982
Liked: 288 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vTPM

Post by mkretzer »

Thanks to this thread we did some restore tests of VMs with vTPM enabled - and we get errors with nearly every restore method. Is it normal that instant disk recovery, instant recovery, VM file restore and so on do not work?

Currently testing full recovery to new VM.

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert »

Is the target host configured with the same Key Manager?

I would create a test VM on a host, and then restore to the same host to check if it is working correctly before I try other hosts.

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert »


mkretzer
Veeam Legend
Posts: 982
Liked: 288 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vTPM

Post by mkretzer »

Yes, same cluster. I am not talking about encrypted disks, only encrypted config (which is automatic when adding vTPM). Does that also mean we have to encrypt the (linux) proxy VMs disks or just add an vTPM and encrypt the proxy config files?

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert »

Hi thanks for the feedback.
I suggest to do the following:
1) Open a support ticket and upload logs from the failed restore.
2) share the Ticket number here.
3) I will ask support to route the ticket to someone with the needed background knowledge about encryption/vTPM.

Thanks.

mkretzer
Veeam Legend
Posts: 982
Liked: 288 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vTPM

Post by mkretzer »

Case 05401295

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert »

I have updated support management with the ask to route the case.

mkretzer
Veeam Legend
Posts: 982
Liked: 288 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: vTPM

Post by mkretzer »

Thank you, log generation will take a few more hours :-(

DaStivi
Service Provider
Posts: 190
Liked: 22 times
Joined: Jun 30, 2015 9:13 am
Full Name: Stephan Lang
Location: Austria
Contact:

Re: vTPM

Post by DaStivi »

Aremac wrote: Apr 30, 2020 5:29 pm I'm looking to see the impact of vTPM enabled VM's (Not Encrypted VM's) Is there any documents or information detailing what impact vTPM has on Veeam backups. Most of what I find is assuming that if you're talking about vTPM your also doing VMDK encryption which is not what I'm looking at. Basically just enabling vTPM to expose capability to the Guest os (cred guard, etc).
I am exactly in the same spot now... I am enabling vTPM for Windows Security features, further More bitlocker in Windows...

We tested also vmware encryption but nljust for tests sake ....

With vspere 7 you don't need an external KMS, there is the nativ Key Provider, basically ah certificate that's stored in vcenter server and cached on the esx Hosts...

Worst case what could happen if you loose these keys, you have some bitlocker encrypted disk you need to configure to ah new machine, because config also won't read without the keys after some time or without vcenter and esx rebooted, and then you'll need the bitlocker recovery keys...

At least for an virtual privileged access workstation I'll want that... Even more i consider this for my Domaincontrollers (that run in remotenoffices ), should protect ah bit better from "offline" NTFS.dit dumps , like VMware snapshots etc.. of course backup encryption is ah thing too then!!

I'll gonna test single item restore later and see how that works out ...

At least with VMware encryption, i did read the veeam guide that only NBD and hotadd is supported... So no direct NFS or storage integration, of course, can't work anymore 😔

Andreas Neufert
VP, Product Management
Posts: 6251
Liked: 1301 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: vTPM

Post by Andreas Neufert »

Just following up on the case 05401295 from above.
We could not reproduce the issue in our lab (it just worked) and the customer environment started to work even from old restore points previously made.
So far the root cause issue why the restore was not successfull when the ticket was opened did not came to a conclusion. One of the ideas was that ESXi host or other components were restarted.

@DaStivi if you face issues, please open a support ticket. They can help. Maybe meniton there that you have a similar issue to 05401295.

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 46 guests