Yellow Bricks

by Duncan Epping

Does the Native Key Provider require a host to have a TPM?

Duncan Epping · Feb 23, 2022 · 10 Comments

I got this question on the VMTN forum this week: does the Native Key Provider require a host to have a TPM (Trusted Platform Module)? The documentation does discuss the use of TPM 2.0 when you enable the Native Key Provider, which is probably where the confusion comes from. Let's be clear: the vCenter Server Native Key Provider does not require a TPM. If a TPM is available on a host, the Native Key Provider will use it to store a secret, and that secret is what allows the host to encrypt and decrypt the ESXi configuration. Hosts without a TPM can still use the Native Key Provider; they simply don't get the TPM-backed storage for that secret. I have asked for the documentation to be amended so that this is officially documented as well; I am posting it here so that it is indexed by Google.
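As an added example (not part of the original post, and not VMware's own code), the PowerCLI script below inventories every host in a vCenter and reports whether it has a TPM, which TPM version it exposes, and which ESXi configuration-encryption mode it is in. That gives you the list of hosts whose Native Key Provider secret is TPM-backed versus the ones on the non-TPM path. It assumes PowerCLI 12.3 or later (for Get-KeyProvider), ESXi 7.0 U2 or later (for the esxcli "system settings encryption" namespace), and a placeholder vCenter name; the NkpTpmBacked column is a heuristic derived from the two values above it, not something the API reports directly.

```powershell
# Added example, not from the original post. vCenter name/credentials are placeholders.
# Requires PowerCLI 12.3+ and ESXi 7.0 U2+.
Connect-VIServer -Server 'vcsa.example.local' | Out-Null

# Which key providers exist on this vCenter? A Native Key Provider, if configured,
# is listed here alongside any Standard (external KMS) providers.
Get-KeyProvider | Format-Table -AutoSize

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # HostCapability from the vSphere API: TpmSupported/TpmVersion exist since 6.7.
    $cap  = $vmhost.ExtensionData.Capability
    $mode = 'unknown'
    try {
        $esxcli = Get-EsxCli -VMHost $vmhost -V2
        # Same data as "esxcli system settings encryption get" on the host shell.
        # Mode is "TPM" when the config-encryption key is sealed to the TPM, "NONE" otherwise.
        $mode = $esxcli.system.settings.encryption.get.Invoke().Mode
    } catch {
        Write-Warning "$($vmhost.Name): could not query encryption settings ($($_.Exception.Message))"
    }
    [pscustomobject]@{
        Host           = $vmhost.Name
        TpmPresent     = [bool]$cap.TpmSupported
        TpmVersion     = $cap.TpmVersion          # null on hosts without a TPM
        EncryptionMode = $mode
        # Heuristic (assumption of this example): a host whose TPM is present AND whose
        # config encryption runs in TPM mode is the case the post describes as TPM-backed.
        # Hosts that fail this check still work with NKP; they just lack TPM-backed storage.
        NkpTpmBacked   = ([bool]$cap.TpmSupported -and $mode -eq 'TPM')
    }
}

$report | Format-Table -AutoSize

# The hosts to keep an eye on when TPM chips are added later: not TPM-backed today.
$report | Where-Object { -not $_.NkpTpmBacked } |
    Select-Object Host, TpmPresent, EncryptionMode
```

Run it once before enabling the Native Key Provider and again after any hardware change; a host that moves from Mode "NONE" to "TPM" is the signal that its configuration-encryption secret is now sealed to the TPM.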

Tags: cloud, vSAN 7, 7.0, native key provider, nkp, vcenter, VMware, vSphere

Comments

  1. PY Lafond says

    15 June, 2022 at 16:39

    Hi Duncan,

    I would like to know if it's possible to enable the NKP provider first in my vCenter server and use it in one cluster, and then gradually add TPM 2.0 chips physically to my 80 hosts in other clusters?

    What will vCenter do to the host key meanwhile?

    Will they be stored on the host boot device until TPM 2.0 chips are installed on the host? And will the keys be automatically rewritten to the TPM chip at that time, when vCenter detects the hosts' TPMs are present?

    Or should I install TPM 2.0 chips in all my hosts BEFORE enabling the NKP provider?

    I can’t find this information anywhere!

    Thanks a lot for your time Duncan.
    Awesome blog, Yellow Bricks, very helpful.
    100!!

    • Duncan Epping says

      15 June, 2022 at 17:01

      I will have to ask internally, I have never seen anything around this situation. Let me come back to you.

  2. Matt says

    28 June, 2022 at 14:32

    We just got the same question: where are the keys stored on non-TPM hosts when NKP is used? It would be greatly appreciated if you could post an update about that.

    • Duncan Epping says

      29 June, 2022 at 07:53

      It is stored in the ConfigStore, I was told. I've asked the team to provide some extra documentation, as I think that would be useful.

      • Matt says

        29 June, 2022 at 08:51

        Thank you very much!

  3. PY Lafond says

    5 July, 2022 at 17:30

    OK so, keys are stored in the "ConfigStore" meanwhile. That's good!

    But now, will the keys be automatically rewritten to the TPM chip when vCenter detects the hosts' TPMs are now present?

    Or should I install TPM 2.0 chips in all my hosts BEFORE enabling the NKP provider?

    That's the part I need to know before going forward.
    Thank you very much!

    • PY Lafond says

      14 September, 2022 at 20:43

      Never mind, all our hosts have been upgraded with TPM chips.
      Many thanks Duncan.

  4. Rob Carey says

    3 October, 2022 at 22:32

    We are in this same boat; was an answer / recommendation located?

  5. Walt Kasak says

    6 December, 2022 at 17:04

    We have the same question about adding TPM chips later: will the keys be re-written to the newly available TPMs? Please update; we can't find a definitive answer.

  6. sumeeth says

    17 April, 2023 at 17:32

    Any further update on "I would like to know if it's possible to enable the NKP provider first in my vCenter server and use it in one cluster, and then gradually add TPM 2.0 chips physically to my 80 hosts in other clusters?"

About the author

Duncan Epping is a Chief Technologist in the Office of CTO of the Cloud Platform BU at VMware. He is a VCDX (# 007), the author of the "vSAN Deep Dive", the “vSphere Clustering Technical Deep Dive” series, and the host of the "Unexplored Territory" podcast.