VMware Communities
OwenBurnett
Enthusiast

TPM without encrypting VDKs

How can I create a VM with a TPM but without encrypting the virtual disk files?

15 Replies
RDPetruska
Leadership

Searching this forum, according to the product manager, at this moment you cannot.  But they are working on it.

OwenBurnett
Enthusiast

Thanks, I don't see what there is to work on, it's just a line or two of lock-out code to remove, but it's still a positive answer so it will probably happen 😄

Hence eagerly awaiting the next build!

wila
Immortal

Hi,


@OwenBurnett wrote:

Thanks, I don't see what there is to work on, it's just a line or two of lock-out code to remove,


Umm.. no. Sadly it isn't that simple.
In theory, yes they could do that, but it isn't really an option.

Besides being a "crypto processor" the TPM is also used to store secrets.
If those secrets are no longer encrypted then the safety that this TPM module is supposed to provide is no longer true.

This is one of the reasons why the VM had to be encrypted for you to be able to add a TPM device.
As a result, it will require some real engineering on VMware's behalf in order to be able to remove the encrypt "the whole VM" part.

Perhaps they can get away with only encrypting the .vmx, or maybe there will be a small encrypted disk (like the UEFI disk that you'll get with Proxmox, for example).

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
OwenBurnett
Enthusiast

You are right if one wants the TPM not just for the purpose of running Windows 11 and doesn't care about its security aspects.

If one wants it secure it's a bit more work, as new logic to encrypt only the TPM file but nothing else is needed.

For my use case, having my host HDDs encrypted, I would really just want an insecure fake TPM to make Windows 11 happy and never use it anyway; I don't need PIN or face or fingerprint unlock in a VM LOL

RDPetruska
Leadership

That may very well be the case for you.  And even for a majority of VMware users.  However, VMware creates enterprise-class software which numerous businesses use daily - and needs to maintain high quality for their support of MS operating systems.  They are not going to throw together a half-baked component just so home users can get around MS's new requirements.

ozsmacd
Enthusiast

I'm guessing the underlying requirement here is for Windows 11 to be able to run.

Am I right in saying that in this use case, the vTPM is required to ensure that Windows can encrypt itself, thus actually resulting in two levels of encryption?  This isn't just a problem for home users, but also for business/enterprise and government use cases; double encryption will cause significant performance overhead with large fleets.

Given this, wouldn't it make sense to have an option to turn off VMware-level encryption, where the vTPM is actually used to facilitate OS-level encryption?

OwenBurnett
Enthusiast

@ozsmacd Actually it can be even worse:

you have your host system encrypted, which contains an encrypted VM whose guest OS is also encrypted.

So 3 layers of encryption. LOL

Talking about business software, it was IMHO a design failure to begin with to bundle virtual disk encryption with TPM encryption.

Usually you use a TPM in a machine to encrypt the disk, so by design the way VMware does it most often results in unnecessary double encryption.

Also, it's not a measure of enterprise-class software to prevent users from configuring their software as they need to, including fringe edge cases.

VMware should from the get-go allow users to choose what to encrypt and whether they want to use an unencrypted TPM.


kasper
Enthusiast

Yes, break the link between access control encryption and TPM.  Having this requirement is REALLY BAD.  1st, in order to remove disks you need to DECRYPT.  2nd, encrypted VMDK files DO NOT COMPRESS.  If you saved space before by archiving a VMDK with compression it is pointless.  It will use roughly the same amount of space.

The TPM / access control encryption may be a show stopper.


kasper
Enthusiast

It looks like Hyper-V can supply TPM without encrypting the disk?

Why not just encrypt the VMX file or create some silly encrypted file for TPM?

ozsmacd
Enthusiast

I've been considering Hyper-V for a while now; I have to say this might make the decision to move a bit simpler.

Free, does enough, will always be aligned with Microsoft's product release schedule (Hyper-V has formal support for Windows 11, VMware Workstation does not).

As to the future of Shared VMs (i.e. VMs that auto start) in VMware, this is also a major concern.  I have seen PM posts about why they want to get rid of it, and that another approach may be used to deliver the product.  However it still shows as deprecated in the GUI and you have to wonder if it will go away again without reasonable consulting in v17?

wila
Immortal

Hi,


@ozsmacd wrote:

As to the future of Shared VMs (i.e. VMs that auto start) in VMware, this is also a major concern.  I have seen PM posts about why they want to get rid of it, and that another approach may be used to deliver the product.  However it still shows as deprecated in the GUI and you have to wonder if it will go away again without reasonable consulting in v17?


V17 is a while away as V16 will be getting an extension on its life cycle. (See the bottom paragraph at https://blogs.vmware.com/teamfusion/2021/09/fusion-for-m1-public-tech-preview-now-available.html )
As Michael says, they are working on a reworked shared VM feature. I am confident that they will come up with a solution.
If in the meantime you are unsure or need an alternative solution then there's also my vimarun product which handles auto start as well as auto shutdown.

They are also working on a solution for releasing the virtual machine encryption requirement for adding a TPM device.
VMware sometimes moves a bit slow resolving these types of issues, but they do deliver.
Give them some time.

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
OwenBurnett
Enthusiast

Hmm... if the TPM situation doesn't get resolved soon I may indeed need to look into Hyper-V, although I don't like it as I want my VMs to work on Windows and Linux alike.

braindead
Contributor

Add this to vmx:

managedvm.autoAddVTPM="software"

  • Start VM (it'll start and add the virtual TPM, and then shut down).
  • Start VM again.

Win11 Pro installed from OEM ISO without issue.
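As an added example (not from this thread and not VMware's own tooling), a small Python helper that applies the managedvm.autoAddVTPM setting above to a .vmx file idempotently and reports whether the resulting VM has a vTPM whose state is not covered by VM encryption. The .vmx key names vtpm.present and encryption.keySafe are assumptions about VMware's file format; the sample .vmx content is constructed.

```python
import re

# Matches the key = "value" lines that make up a .vmx file.
VMX_LINE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')

# Constructed sample of a minimal Windows 11 guest .vmx (not a real file).
SAMPLE_VMX = """.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "18"
displayName = "win11-test"
firmware = "efi"
"""

def parse_vmx(text: str) -> dict:
    """Parse .vmx text into a dict; keys are lowered because .vmx keys are case-insensitive."""
    entries = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            entries[m.group(1).lower()] = m.group(2)
    return entries

def set_vmx_key(text: str, key: str, value: str) -> str:
    """Set key to value, replacing an existing line or appending one, so repeated runs are idempotent."""
    out, replaced = [], False
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() == key.lower():
            out.append(f'{key} = "{value}"')
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"

def vtpm_status(text: str) -> str:
    """Classify whether the vTPM state is covered by VM encryption (assumed keys noted inline)."""
    entries = parse_vmx(text)
    encrypted = "encryption.keysafe" in entries  # encryption.keySafe: assumed marker of an encrypted VM
    has_vtpm = entries.get("vtpm.present", "").upper() == "TRUE"  # vtpm.present: assumed vTPM device key
    auto_add = entries.get("managedvm.autoaddvtpm", "").lower() == "software"  # setting from the thread
    if has_vtpm and encrypted:
        return "vtpm-encrypted"
    if has_vtpm or auto_add:
        # vTPM secrets then rest on whatever protects the host disk, nothing more.
        return "vtpm-unencrypted"
    return "no-vtpm"
```

Running vtpm_status on a VM before and after the edit makes the trade-off wila describes visible: the setting yields a working vTPM, but its stored secrets are only as protected as the host file system.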

wila
Immortal

Hi,


@braindead wrote:

Add this to vmx:

managedvm.autoAddVTPM="software"

  • Start VM (it'll start and add the virtual TPM, and then shut down).
  • Start VM again.

Win11 Pro installed from OEM ISO without issue.


That's an experimental feature and it does work.
However.. there's a reason it is labeled experimental and you should also read the following article before blindly following these steps.

https://www.vimalin.com/blog/what-you-should-know-about-vmwares-experimental-vtpm/

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
kasper
Enthusiast

It gets better.  You can now take this 'guest' image and apply it to a physical host that has issues supporting TPM.

And it should/has worked for me.  However, some MS update may come up and break it.

Interesting short-term fix with long-term consequences.