I got this question on the VMTN forum this week: does the Native Key Provider require a host to have a TPM (Trusted Platform Module)? The documentation does discuss the use of TPM 2.0 when you enable the Native Key Provider, which is where the confusion comes from. Let’s be clear: the vCenter Server Native Key Provider does not require a TPM! If a TPM 2.0 is available on a host, the Native Key Provider will use it to store a secret, and that secret is what lets the host encrypt and decrypt its ESXi configuration. Hosts without a TPM can still use the Native Key Provider; the difference is that their secret is not sealed to hardware, so the encrypted ESXi configuration on those hosts does not get the extra protection a TPM provides. Again, as stated, using a TPM is not a requirement. I have asked to get the documentation appended so that this is officially documented as well; I am posting it here so that it gets indexed by Google.
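A quick way to see which of your hosts actually benefit from the TPM is to look at the encryption mode ESXi reports for its configuration. The script below is an added example (not from the original post, and not VMware code): it reads the output of `esxcli system settings encryption get` and classifies each host as TPM-sealed or not. It assumes that command prints a `Mode` field with the values `TPM` or `NONE` (as on ESXi 7.0 U2 and later), that SSH with key-based root login is enabled on the hosts, and the host names used in the sample run are placeholders. With no arguments it runs against two constructed sample outputs so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): report, per ESXi
# host, whether its configuration encryption key is sealed by a TPM 2.0
# ("Mode: TPM") or kept on the host without hardware protection ("Mode: NONE").
# With host names as arguments it runs the real command over SSH; with no
# arguments it runs against the constructed samples below.

# Constructed sample output, in the "   Key: Value" layout esxcli prints.
# Assumption: the field is called "Mode" and takes the values TPM or NONE.
SAMPLE_TPM_HOST='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

SAMPLE_NO_TPM_HOST='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# Extract the value of the Mode line from esxcli output read on stdin.
# Prints UNKNOWN when the line is missing (older ESXi, or a failed command),
# so a host is never silently reported as protected.
parse_encryption_mode() {
    mode=$(sed -n 's/^[[:space:]]*Mode:[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1)
    if [ -z "$mode" ]; then
        echo UNKNOWN
    else
        echo "$mode"
    fi
}

# Exit status 0 when the supplied esxcli output shows the key sealed by a TPM.
tpm_seals_config() {
    [ "$(printf '%s\n' "$1" | parse_encryption_mode)" = "TPM" ]
}

# One-line verdict for a host, given its esxcli output as the second argument.
classify_host() {
    host=$1
    output=$2
    mode=$(printf '%s\n' "$output" | parse_encryption_mode)
    case $mode in
        TPM)  echo "$host: TPM     - config encryption key sealed to the TPM 2.0" ;;
        NONE) echo "$host: NO-TPM  - key kept on the host, not hardware-protected" ;;
        *)    echo "$host: UNKNOWN - could not read the encryption mode" ;;
    esac
}

# Fetch the live setting from an ESXi host over SSH (assumes SSH is enabled on
# the host and key-based root login works; adjust the user to your environment).
fetch_encryption_settings() {
    ssh -o BatchMode=yes "root@$1" esxcli system settings encryption get 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        classify_host "$h" "$(fetch_encryption_settings "$h")"
    done
else
    # Placeholder host names; the output is from the constructed samples above.
    classify_host "esx-with-tpm.example"    "$SAMPLE_TPM_HOST"
    classify_host "esx-without-tpm.example" "$SAMPLE_NO_TPM_HOST"
fi
```

Run it as `sh check-tpm-mode.sh esx01 esx02 ...` against your own hosts; any host that comes back as NO-TPM is one where the Native Key Provider works but the configuration encryption key is not sealed to hardware.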
Hi Duncan,
I would like to know if it’s possible to enable the NKP provider first in my vCenter server and use it in 1 cluster, and then gradually add TPM 2.0 chips physically to my 80 hosts in other clusters?
What will vCenter do to the host key meanwhile?
Will they be stored on the host boot device until TPM 2.0 chips are installed on the hosts? And will the keys be automatically rewritten to the TPM chip at that time, when vCenter detects that the hosts’ TPMs are present??
Or should I install TPM 2.0 chips in all my hosts BEFORE enabling the NKP provider??
I can’t find this information anywhere!
Thanks a lot for your time Duncan.
Awesome blogs, Yellow Bricks, very helpful.
100!!
I will have to ask internally, I have never seen anything around this situation. Let me come back to you.
We just got the same question: where are the keys stored on non-TPM hosts when NKP is used? It would be greatly appreciated if you could post an update about that.
It is stored in the ConfigStore, I was told. I’ve asked the team to provide some extra documentation, as I think that would be useful.
Thank you very much!
Ok so, keys are stored in the “ConfigStore” meanwhile. That’s good!
But now, will the keys be automatically rewritten to the TPM chip when vCenter detects that the hosts’ TPMs are now present??
Or should I install TPM 2.0 chips in all my hosts BEFORE enabling the NKP provider??
That’s the part I need to know before going forward.
Thank you very much!
Never mind, all our hosts have been upgraded with TPM chips.
Many thanks Duncan.
We are in this same boat; was an answer / recommendation found?
We have the same question about adding TPM chips later: will the keys be rewritten to the newly available TPMs? Please update, we can’t find a definitive answer.
Any further update on “I would like to know if it’s possible to enable the NKP provider first in my vCenter server and use it in 1 cluster, and then gradually add TPM 2.0 chips physically to my 80 hosts in other clusters?”