I was toying with the idea of trying out Windows 11 in my home lab running ESXi 7 and came across this post.
It discusses the process of enabling the vCenter Native Key provider so that a vTPM can be added to VMs. I was previously unaware of this feature and had some questions regarding restrictions on this feature.
This post shows considerations when removing vTPM from a VM. Basically says to disable any guest features that rely on TPM before removing it from the VM. So for example if the VM is Windows and you are using BitLocker, unencrypt the drive before removing the vTPM "hardware" from the VM. Okay great. But what about vMotion related concerns? What about cross vCenter vMotion concerns? What about export to OVF for import into other VMware environments? Does any of this break with vTPM enabled?
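The pre-removal step described above (unbind BitLocker from the TPM before the vTPM is pulled from the VM) as a worked check, run inside the Windows guest. This is an added example, not code from the thread or from VMware; it assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 10/11, Server 2016 and later) and an elevated session. The function names `Test-VTpmRemovalReadiness` and `Invoke-VTpmUnbind` are hypothetical names chosen for this example.

```powershell
# Added example, not from the thread or from VMware. Run inside the Windows guest
# before removing the vTPM from the VM. Assumes the built-in BitLocker and
# TrustedPlatformModule modules and an elevated session.
function Test-VTpmRemovalReadiness {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        Write-Warning 'No TPM is visible to the guest; nothing is bound to it.'
    }

    # Volumes whose protection still depends on a TPM-based key protector
    # (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) would become unbootable
    # or prompt for the recovery password once the vTPM disappears.
    $blocking = foreach ($vol in Get-BitLockerVolume) {
        $tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        if ($vol.ProtectionStatus -eq 'On' -and $tpmProtectors.Count -gt 0) {
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                VolumeStatus   = $vol.VolumeStatus      # FullyEncrypted, DecryptionInProgress, ...
                TpmProtectors  = ($tpmProtectors.KeyProtectorType -join ', ')
                # A recovery password is the fallback if the vTPM goes away regardless
                HasRecoveryKey = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
            }
        }
    }

    [pscustomobject]@{
        TpmPresent      = [bool]$tpm.TpmPresent
        TpmReady        = [bool]$tpm.TpmReady
        SafeToRemoveTpm = (@($blocking).Count -eq 0)
        BlockingVolumes = @($blocking)
    }
}

# Fully decrypt every TPM-bound volume and wait until BitLocker reports it done.
function Invoke-VTpmUnbind {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$PollSeconds = 30)

    $state = Test-VTpmRemovalReadiness
    foreach ($b in $state.BlockingVolumes) {
        if ($PSCmdlet.ShouldProcess($b.MountPoint, 'Disable BitLocker (full decryption)')) {
            Disable-BitLocker -MountPoint $b.MountPoint | Out-Null
        }
    }

    # Decryption runs in the background; poll until no volume is still in progress.
    do {
        Start-Sleep -Seconds $PollSeconds
        $pending = @(Get-BitLockerVolume | Where-Object VolumeStatus -eq 'DecryptionInProgress')
        foreach ($p in $pending) {
            Write-Verbose ("{0}: {1}% still encrypted" -f $p.MountPoint, $p.EncryptionPercentage)
        }
    } while ($pending.Count -gt 0)

    # Re-run the check so the caller gets the final state
    Test-VTpmRemovalReadiness
}

# Usage (elevated PowerShell inside the guest):
#   $r = Test-VTpmRemovalReadiness
#   $r.BlockingVolumes | Format-Table
#   if (-not $r.SafeToRemoveTpm) { Invoke-VTpmUnbind -Verbose }
#   # Only once SafeToRemoveTpm is $true: shut the VM down and remove the vTPM device.
```

The check deliberately keys on the protector type rather than just "is BitLocker on": a volume protected only by a password or external key does not care about the vTPM, while a TPM-only or TPM+PIN volume will drop into recovery mode at the next boot without it. Running `Invoke-VTpmUnbind -WhatIf` lists what would be decrypted without touching anything.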
vTPM should just be for local VM OS encryptions like BitLocker. That wouldn't have anything to do with vMotion. Now if you do TPM on your ESXi host, it very well could. I've never used TPM on my ESXi hosts, so I don't know how that works exactly.
Hi @alantz , yes my questions were focused on vTPM and the guest VMs. I assume VMware thought of vMotion tasks and supporting this vTPM chip on the VM between hosts in the same cluster. Was just wondering if there were any issues with cross vCenter vMotion or export/import using OVF to a completely separate VMware environment.
I did enable vTPM in the lab this morning using this guide. Was super easy and allowed me to install Windows 11 in a VM without the unsupported errors. Host does not have TPM.
@actyler1001: do you have any idea where the VTPM is stored and if it is stored encrypted or not?
I suspect it is just stored in plaintext on the VCSA storage, but this actually would vanish any encryption as the keys will be always stored in plaintext on the NAS/remote backups along with the encrypted VMs.
What do you think?