topic Re: TPM without encrypting VDKs in VMware Workstation Pro Discussions

TPM without encrypting VDKs

OwenBurnett — Fri, 01 Oct 2021 10:40:06 GMT

How can I create a VM with a TPM but without encrypting the virtual disk files?

Re: TPM without encrypting VDKs

RDPetruska — Fri, 01 Oct 2021 11:57:40 GMT

Searching this forum, according to the product manager, at this moment you cannot. But they are working on it.

Re: TPM without encrypting VDKs

OwenBurnett — Fri, 01 Oct 2021 15:00:26 GMT

Thanks, I don't see what there is to work on, its just a line or two or lock out code to remove, but its still a positive answer so it will probably happen

Hence eagerly awaiting the next build!

Re: TPM without encrypting VDKs

wila — Sat, 02 Oct 2021 21:01:46 GMT

Hi,

@OwenBurnett wrote:

Thanks, I don't see what there is to work on, its just a line or two or lock out code to remove,

Umm.. no. Sadly it isn't that simple.
In theory, yes they could do that, but it isn't really an option.

Besides being a "crypto processor" the TPM is also used to store secrets.
If those secrets are no longer encrypted then the safety that this TPM module is supposed to provide is no longer true.

This is one of those reasons on why the VM had to be encrypted for you to be able to add a TPM device.
As a result, it will require some real engineering on VMware's behalf in order to be able to remove the encrypt "the whole VM" part.

Perhaps they can get away with only encrypting the .vmx, or maybe there will be a small encrypted disk (like the UEFI disk that you'll with proxmox for example)

--
Wil

Re: TPM without encrypting VDKs

OwenBurnett — Tue, 05 Oct 2021 11:53:46 GMT

you are right if one wants the TPM not just for teh purpose of runnign windows 11 and don't caring for its security aspects.

If one wants it secure its a bit more work as new logic to only encrypt the TPM file but nothing else is needed.

for my use case having my host HDD's encrypted i would really just want a unsecure fake tpm to make windows 11 happy and never use it anyways, i dont need pin or face or fingerprint unlock in a VM LOL

Re: TPM without encrypting VDKs

RDPetruska — Tue, 05 Oct 2021 13:32:53 GMT

That may very well be the case for you. And even for a majority of VMware users. However, VMware creates Enterprise-class software which numerous businesses use daily - and need to maintain high quality for their support of MS operating systems. They are not going to throw together a half-baked component just so home users can get around MS's new requirements.

Re: TPM without encrypting VDKs

ozsmacd — Tue, 05 Oct 2021 22:33:37 GMT

I'm guessing the underlying requirement here is for Windows 11 to be able to run.

Am I right in saying that in this use case, the vTPM is required to ensure that Windows itself can encrypt itself, thus actually resulting in two levels of encryption. This isn't just a problem for home users, but also business/enterprise and government use cases also, double encryption will cause significant performance overhead with large fleets.

Given this, wouldn't it make sense to have an option to turn off VMware level encryption, where the vTPM is actually used to facilitate OS level encryption.

Re: TPM without encrypting VDKs

OwenBurnett — Wed, 06 Oct 2021 20:45:47 GMT

@ozsmacdActually it can be even worse,

you have your host system Encrypted which contains an encrypted VM which guest OS is also encrypted.

So 3 layers of encryption. LOL

talking about busyness software it was IMHO a design failure to begin with to bundle virtual disk encryption with TPM encryption.

usually you use a TPM in a machine to encrypt the disk so by design the way VMWare does it most often results in unnececery double encryption.

Also its not a measure of Enterprise-class software to prevent users from configuring their software as they need to, including fringe edge cases.

VMWare should from the get go allow the users to choose what to encrypt and if the user want to use an unencrypted TPM.

Re: TPM without encrypting VDKs

kasper — Thu, 07 Oct 2021 00:27:06 GMT

Yes, break the link between access control encryption and TPM. Having this requirement is REALLY BAD. 1st in order to remove disks you need to DECRYPT. 2nd VMDK encrypted files DO NOT COMPRESS. If you saved space before by archiving a VMDK with compression it is pointless. It will use roughly the same amount of space.

The TPM / Access Control encryption may be a show stopper.

Re: TPM without encrypting VDKs

kasper — Thu, 07 Oct 2021 00:30:29 GMT

It looks like Hyper-V can supply TPM without encrypting the disk?

Why not just encrypt the VMX file or create some silly encrypted file for TPM?

Re: TPM without encrypting VDKs

ozsmacd — Thu, 07 Oct 2021 01:42:09 GMT

I've been considering HyperV for a while now, have to say this might make the decision to move a bit simpler.

Free, does enough, will always be aligned with Microsoft's product release schedule (HyperV has formal support f Windows 11, VMware workstation does not).

As to the future of SharedVMs (ie VMs that auto start) in VMware, this is also a major concern. I have been PM posts about the why they want to get rid of it, and that another approach may be used to deliver the product. However it still shows as depreciated in the GUI and you have to wonder if it will go away again without reasonable consulting in v17?

Re: TPM without encrypting VDKs

wila — Thu, 07 Oct 2021 10:02:19 GMT

Hi,

@ozsmacd wrote:

As to the future of SharedVMs (ie VMs that auto start) in VMware, this is also a major concern. I have been PM posts about the why they want to get rid of it, and that another approach may be used to deliver the product. However it still shows as depreciated in the GUI and you have to wonder if it will go away again without reasonable consulting in v17?

V17 is a while away as V16 will be getting an extension on its life cycle. (see bottom paragraph at https://blogs.vmware.com/teamfusion/2021/09/fusion-for-m1-public-tech-preview-now-available.html )
As Michael says they are working on a reworked shared VM feature. I am confident that they will come up with a solution.
if in the meantime you are unsure or need an alternative solution then there's also my vimarun product which handles auto start as well as auto shutdown.

They are also working on a solution for releasing the virtual machine encryption requirement for adding a TPM device.
VMware sometimes moves a bit slow resolving these type of issues, but they do deliver.
Give them some time.

--
Wil

Re: TPM without encrypting VDKs

OwenBurnett — Fri, 08 Oct 2021 08:32:29 GMT

Hmm... if the TPM situation doesn't get resolved soon I may indeed need to look into hyper V although I don't like it as I want my VM's to work on windows and linux alike.

Re: TPM without encrypting VDKs

braindead — Wed, 05 Jan 2022 16:57:19 GMT

Add this to vmx:

managedvm.autoAddVTPM="software"

Start VM (it'll start and add the virtual TPM, and then shutdown).
Start VM again.

Win11 pro installed from OEM ISO without issue.

Re: TPM without encrypting VDKs

wila — Wed, 05 Jan 2022 17:00:00 GMT

Hi,

@braindead wrote:

Add this to vmx:

managedvm.autoAddVTPM="software"

Start VM (it'll start and add the virtual TPM, and then shutdown).

Start VM again.

Win11 pro installed from OEM ISO without issue.

That's an experimental feature and it does work.
However.. there's a reason it is labeled experimental and you should also read the following article before blindly following these steps.

https://www.vimalin.com/blog/what-you-should-know-about-vmwares-experimental-vtpm/

--
Wil

Re: TPM without encrypting VDKs

kasper — Wed, 05 Jan 2022 23:09:42 GMT

It gets better. You can now take this 'guest' image and apply it to a physical host that has issues supporting TPM.

And it should/has worked for me. However some MS update may come up and break it.

Interesting short term fix with long term consequences.