I got this question on the VMTN forum this week: does the Native Key Provider require a host to have a TPM (Trusted Platform Module)? The documentation does discuss the use of TPM 2.0 when you enable the Native Key Provider. Let's be clear: the vCenter Server Native Key Provider does not require a TPM! If a TPM is available on each host, the Native Key Provider will use it to store a secret, which enables the host to encrypt and decrypt the ESXi configuration. Again, as stated, using a TPM is not a requirement. I have asked to get the documentation appended so that this is officially documented as well; I am just posting it here so that it is indexed by Google.
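The check a practitioner will want after reading this, as an added example that is not from this post: a POSIX shell snippet that reads the output of `esxcli system settings encryption get` and `esxcli hardware trustedboot get` (ESXi 7.0 U2 or later) and reports whether the encrypted configuration is TPM-backed or still relies on the ConfigStore alone. The sample outputs embedded below are constructed to match what these commands print; the `classify_host` function and its labels are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the blog post. Classify how an ESXi host
# protects its encrypted configuration from the text of two esxcli commands:
#   esxcli system settings encryption get   -> "Mode: TPM" or "Mode: NONE"
#   esxcli hardware trustedboot get         -> "Tpm Enabled: true|false"
# On a real host replace the constructed samples with:
#   ENC=$(esxcli system settings encryption get)
#   TB=$(esxcli hardware trustedboot get)

# Pull the value of a "Key: value" line out of esxcli output ($1=key, $2=text).
esxcli_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p" | head -n 1
}

# Prints one of: tpm, configstore-only, configstore-only (tpm present), unknown
classify_host() {
    mode=$(esxcli_field "Mode" "$1")
    tpm=$(esxcli_field "Tpm Enabled" "$2")
    case "$mode" in
        TPM) echo "tpm" ;;
        NONE)
            # Keys for the config are held in the ConfigStore; a TPM may be
            # physically present without the configuration using it yet.
            if [ "$tpm" = "true" ]; then
                echo "configstore-only (tpm present)"
            else
                echo "configstore-only"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
ENC_TPM='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
ENC_NONE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
TB_TPM='   Drtm Enabled: false
   Tpm Enabled: true'
TB_NOTPM='   Drtm Enabled: false
   Tpm Enabled: false'

# Usage with the constructed samples.
echo "host-a: $(classify_host "$ENC_TPM" "$TB_TPM")"
echo "host-b: $(classify_host "$ENC_NONE" "$TB_NOTPM")"
echo "host-c: $(classify_host "$ENC_NONE" "$TB_TPM")"
```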
PY Lafond says
Hi Duncan,
I would like to know if it's possible to enable the NKP provider first in my vCenter Server and use it in 1 cluster, and then gradually add TPM 2.0 chips physically to my 80 hosts in other clusters?
What will vCenter do with the host key meanwhile?
Will they be stored on the host boot device until the TPM 2.0 chips are installed on the hosts? And will the keys be automatically rewritten to the TPM chip at that time, when vCenter detects that the hosts' TPMs are present??
Or should I install TPM 2.0 chips in all my hosts BEFORE enabling the NKP provider??
I can’t find this information anywhere!
Thanks a lot for your time Duncan.
Awesome blog, Yellowbricks, very helpful.
100!!
Duncan Epping says
I will have to ask internally, I have never seen anything around this situation. Let me come back to you.
Matt says
We just got the same question: where are the keys stored on non-TPM hosts when NKP is used? It would be greatly appreciated if you could post an update about that.
Duncan Epping says
It is stored in the Configstore, I was told. I've asked the team to provide some extra documentation, as I think that would be useful.
Matt says
Thank you very much!
PY Lafond says
Ok so, keys are stored in the "Configstore" meanwhile. That's good!
But now, will the keys be automatically rewritten to the TPM chip when vCenter detects that the hosts' TPMs are now present??
Or should I install TPM 2.0 chips in all my hosts BEFORE enabling the NKP provider??
That's the part I need to know before going forward.
Thank you very much!
PY Lafond says
Never mind, all our hosts have been upgraded with TPM chips.
Many thanks Duncan.
Rob Carey says
We are in this same boat; was an answer / recommendation located?
Walt Kasak says
We have the same question about adding TPM chips later: will the keys be re-written to the newly available TPMs? Please update, we can't find a definitive answer.
sumeeth says
Any update further on "I would like to know if it's possible to enable the NKP provider first in my vCenter Server and use it in 1 cluster, and then gradually add TPM 2.0 chips physically to my 80 hosts in other clusters?"