In April, VMware introduced support for vTPM for Windows 10 and Windows Server 2016 in vSphere 6.7. This follows on from Microsoft adding vTPM support in Hyper-V in Windows Server 2016.
Why add vTPM support? The main driver is to allow customers to use BitLocker for encryption. BitLocker relies on a TPM for storing its encryption keys.
In this article we will be showing how HyTrust KeyControl works in conjunction with VMware support for vTPM and explores the difference between BitLocker and HyTrust DataControl.
What is a TPM vs vTPM?
A TPM (Trusted Platform Module) is a hardware device that provides mini-HSM-like capabilities (random number generation, secure protection of secrets including encryption keys). Applications can use the TPM to authenticate hardware devices as each TPM chip has a unique, secret RSA key burned into the chip during manufacturing. TPMs conform to the Trusted Platform Module 2.0 specification. Here are the main functions of a TPM:
A vTPM emulates the physical TPM. It performs the same functions as a physical TPM device but it performs the cryptographic operations in software. The operating system and its applications won’t notice the difference between a physical and virtual TPM.
How does VMware emulate a TPM?
Mike Foley’s blog (https://blogs.vmware.com/vsphere/2018/05/vsphere-6-7-virtual-trusted-platform-modules.html) talks about how to configure a TPM per VM. Let’s look at an architectural view of how this is achieved:
The vTPM device is implemented in the VMware hypervisor. For the hardware crypto functions that were present in the physical TPM, some of these functions may be mapped to hardware underneath the hypervisor (for example, use of Intel RDRAND/RDSEED for random number generation). Others will be implemented in software. Either way, the goal is to ensure that the users of the TPM in the VM see no difference.
One critical part of the vTPM implementation is the secure storage of encryption keys. This is achieved by the hypervisor writing these keys to the VM’s .nvram file which is encrypted using vSphere VM encryption. With VM Encryption, there are two choices that can be made by admins:
- Encryption of VMDKs (virtual disks)
- Encryption of the VM Home files (The .nvram file, parts of the .vmx file, swap, log, .vmss, .vmsn, namespacedb etc)
To deploy vTPM, VM Encryption must be enabled and the VM Home files must be encrypted. This ensures protection of the .nvram file and thus the vTPM secrets.
Where does HyTrust fit into the Picture?
To enable VM encryption, an external KMS (Key Management Server) cluster must be deployed. HyTrust KeyControl is the trusted VMware vSphere and VSAN encryption KMS server used by hundreds of customers today.
Furthermore, you can use HyTrust KeyControl for vTPM support, vSphere encryption, VSAN encryption or any other applications that use KMIP as the protocol to create and manage encryption keys.
Better still you can also use HyTrust DataControl to encrypt your VMs, not just in vSphere environments, but public cloud platforms such as AWS, Azure and IBM Cloud.
HyTrust DataControl vs Microsoft BitLocker
If customers want to use BitLocker on vSphere environments for their Windows VMs, HyTrust KeyControl is required to securely protect the vTPM.
However, there are many features that HyTrust DataControl offers above and beyond what Microsoft offer with BitLocker. Here are some of these capabilities:
- Support for all Windows 64-bit operating systems
- Support for many Linux distributions
- Fully functional with or without a vTPM being present
- Full BoundaryControl capabilities in vSphere environments when used in conjunction with HyTrust CloudControl (prevent encryption keys being delivered to VMs that are not running in a designated boundary)
- Integration with HyTrust CloudAdvisor for VM data discovery, classification and user behavior analytics (while keeping data encrypted)
- Dynamic encryption (no need to stop applications running when performing the initial encryption or a rekey)
- Template and cloning operations
- Access controls to prevent system administrators from seeing sensitive decrypted data
- Support for 90% deduplication savings
- Auto-encryption of VMs and disks
- Full scripting for all agent and GUI operations
For further information on how HyTrust DataControl can be used to protect your data or how HyTrust KeyControl can be used to secure VMware vTPMs, please contact [email protected]