Cloud Director now supports virtual Trusted Platform Module (vTPM), the vSphere software emulation physical TPM, specialized hardware components designed to provide enhanced security-related functions for workloads.
What is TPM?
TPM is a hardware chip integrated into the physical host internal components. It provides a range of security functions, including secure boot, secure storage of cryptographic keys and certificates, and hardware-based encryption and data decryption.
One of the key features of TPM is its ability to provide a secure and trusted environment for a device to boot up and start running. It does this by verifying the integrity of the boot process and ensuring that only trusted software and firmware are loaded.
What is vTPM?
vSphere introduced vTPM support from version 6.7 onwards. vTPM uses the same functions as TPM but performs the cryptographic coprocessor capabilities in software. The great advantage to vTPM is that the vTPM enables the guest operating system to create and store private keys, i.e, not exposed to the operating system itself, radically reducing the virtual machine attack surface and exposure.
Cloud Director is a true multi-tenant solution, securely executing multiple virtual machines (VMs) on a single physical host using layer 2 segmentation. Each VM or vApp is isolated from the other VMs of vApps and typically the physical host, making it difficult to provide a secure and trusted environment.
vTPM solves this problem by emulating the security functions of a physical TPM within a virtual machine or vApp. This allows the VM to encrypt all the VM data (including .nvram files) with a hardware-based root of trust from a physical host TPM module. This enhances the security of the virtualized environment and allows it to be used for more security-sensitive applications.
Overall, vTPM is a crucial component of a secure and trusted virtualized environment. Emulating the security functions of a physical TPM within a virtual machine allows the virtualized data center environment to provide a hardware-based root of trust and enhance the security of the virtualized environment in Cloud Director.
What’s required for vTPM?
The most important thing to create vTPM VM is that the vCenter must have a default KMS to encrypt the VM home files, and the physical hosts in the Virtual Data Center (VDC) use TPM 2.0 or later. To use the vTPM capability, your vSphere environment must run hardware version 14 and later and support EFI firmware. The operating systems of your VMs need to support TPM, and boot firmware is EFI; vCenter server 6.7 or later for Windows VM or vCenter server 7.0 update 2 for Linux VM.
Why is TPM critical for Sovereign Cloud?
Cloud Director is the cloud platform for our Cloud Providers, particularly Sovereign Cloud, where providers wish to offer secure multi-tenant services. vTPM offers additional security to these environments so providers can confidently offer encryption based on a hardware-based root of trust.
This new Cloud Director vTPM capability is critical to sovereign clouds for several reasons:
Enhancing Security
Like a physical TPM, vTPM provides a hardware-based root of trust that enhances the security of virtualized infrastructure by protecting cryptographic keys, securing the boot process, and providing hardware-based encryption and decryption of data. This helps protect against various cyber threats, including unauthorized access, data theft, and malware attacks.
Maintaining Sovereignty
Sovereign Cloud aims to provide a secure and trusted environment for the processing and storing of classified sensitive data. vTPM can help to maintain this sovereignty by enabling the virtualized environment to be controlled and managed by the organization that owns the data. This is particularly important for organizations, such as the public sector and defense, subject to strict data protection and privacy regulations.
Enabling Isolation
vTPM allows each virtual machine or vApp to have its own hardware-based root of trust, which helps to isolate each VM/vApp from other VMs/vApps and the physical host in the VDC. This enhances the security of the virtualized environment by reducing the risk of unauthorized access and data breaches.
Meeting Compliance Requirements
Many organizations that use Sovereign Cloud environments are subject to strict compliance requirements, such as those related to data protection and privacy. vTPM can help to meet these requirements by providing an emulated hardware-based root of trust that can be used to protect sensitive data and ensure the confidentiality, integrity, and availability of critical systems and applications. Using Cloud Director and Cloud Director Availability with the KMS registered on both the source and target, Sovereign Cloud providers can deliver higher mission-critical data security and availability.
Find out more about vTPM and other Cloud Director 10.4.2 updates here
Originally posted on April 19, 2023 @ 8:48 pm