Recently I’ve changed jobs and joined a smaller company in the vicinity of my home. Still doing security stuff of course, but now with a focus on infrastructure again. As I soon discovered, the company uses VMware for its virtualization, which is great but a change for me personally. Having been a Hyper-V user for as long as I can remember, I needed to educate myself quickly, especially on the security side of the product.
One thing I missed in earlier vSphere releases was encryption for the VM guest using a TPM chip. As of the latest and greatest release this is now an optional piece of virtual hardware that you can add to Windows Server 2016 or Windows 10 x64 guests. Cool stuff!!!
As I found out the hard way, it’s a bit of a daunting task at first. Looking back at Hyper-V, it’s just selecting a checkbox and all the magic happens under the hood. For a lab situation that’s wonderful, but for production purposes, where you put all the secrets on one box, perhaps not so much. With vCenter you need to enable the “Enterprise” way of working before you can add a virtual TPM chip to a guest. Needless to say you can create a similar setup in Hyper-V, but this way of working with vCenter kind of forces you to think bigger, which isn’t necessarily a bad thing. So, in this guide I’ll show you how to create the infrastructure you need to enable the virtual TPM chip, so you can encrypt those disks that hold confidential data or, as in my case, just mess around with BitLocker drive encryption.
VMware uses a Key Management Server (KMS) for the storage of highly confidential keys, such as those protecting a virtual TPM. Look at it as a highly secure server that stores the keys to the kingdom. To make use of those keys, a trust needs to be established between vCenter and the KMS machine. Once a Windows guest requests a TPM operation, vCenter requests new keys to protect the TPM itself on behalf of the guest. That request is then honored by the KMS server.
To get started with the setup we’ll be focusing on one of the vendors, HyTrust. This vendor provides a preconfigured OVA template of their product KeyControl for easy setup. Just follow these steps to create your KMS server.
First go to the following link and download the KeyControl OVA file.
Extract it when done and import the OVA into your vCenter. I’ll assume that you know how to do that. Midway through the OVA deployment you’ll be asked a couple of questions, such as configuration, hostname, IP address, etc. As for the configuration I’ve selected “Demo”.
This is really just a minimal install that will allow you to test drive the product for a month. A trial license key is shipped with the product; it includes access to all product features and allows you to configure up to two KeyControl nodes and to protect up to five virtual machines. The trial license is automatically activated when you configure the first KeyControl node. If you need to extend the trial, you can apply here:
Add the network settings and complete the setup.
Once the OVA is deployed, power it on and log in to the console of the VM. The first thing the setup asks is to create a password for the root user. Please note this is not the password that we’ll be using later on in this post!
Proceed to the next screen when you’re done.
As this is not a cluster setup, we can select the default here and continue.
On the final setup screen you can note the IP address that you’ve used during the setup. Log off in the next screen and close the console session. We won’t be needing it for our lab setup.
The next thing we need to do is go to the web interface. Point your browser to the FQDN or IP address of the KeyControl server. You’ll be presented with a wizard that will take you through the final steps of the process. Click “Login” at the top right.
Use secroot/secroot as the default login.
Accept the “End-User License Agreement” and create a new password. As for the email notifications I’ve selected the “Disable email notifications” option; click “Continue”. The same applies to “Automatic Vitals Reporting”; click “Save and Continue”.
In the HyTrust KeyControl web interface click on the “KMIP” button at the top and set the “State” to “Enable”. Click “Apply” to enable the KMS functionality, then click “Proceed” on the “Overwrite all existing KMIP Server settings?” pop-up. Please note the port number configured on this page (“5696”). This is the default KMIP port that we’ll be using later on.
Next, click on “Client Certificates” – “Actions” – “Create Certificate”.
In the “Create a New Client Certificate” pop-up screen fill in a name and an expiration date. Please note that you should leave the password blank! If a password is added, the wizard for importing it into vCenter will fail. I don’t necessarily agree with this way of working but that’s the way it works for now. Click “Create” to generate the certificate. The only thing left here is to download the certificate so we can import it into vCenter at a later stage.
Select the certificate and in the “Actions” menu select “Download Certificate”.
Save it in a secure location on your system. You can safely log off from the KeyControl server as we won’t be needing it anymore for this demo.
Let’s move to our vCenter server. In the vCenter inventory tree, select the top node (the vCenter server itself) and click “Configure” on the right.
In the configuration options below, open the “More” node and select “Key Management Server”. Click “Add” on the right. Fill in the data according to your infrastructure requirements.
For the cluster name I’ve chosen VKMS; it’s something that you can refer to later if you’re setting up a cluster. Click “Add”. If vCenter can make a successful connection to the VKMS host, it will present an overview of the certificate it will add to its configuration.
Click “Trust” to continue.
In the exercise above we’ve made our vCenter setup trust the VKMS server. All that remains is to do the same for the VKMS server. You would expect to be logging into the VKMS again, but this can also be done from vCenter itself. That’s the reason we created the certificate at the beginning of this post. Select the VKMS host we just added.
The configuration window will open, where we can select “Make KMS trust VCenter”. In the pop-up that appears we have to select the method by which we want our VKMS to trust vCenter.
As we own the certificates, we’ll use the third option, “KMS Certificate and Private key”. Click “Next”.
Now here’s the trick that got me stuck for a while. On the “Upload KMS Credentials” page, the wizard asks for a KMS certificate and a private key. After a couple of attempts and doing a bit of reading, it appears that selecting the certificate file we created for both fields does the trick.
Click “Upload a file” and browse to the certificate we downloaded from the KeyControl server earlier. Select the certificate we created and click “Open”. Back in the wizard select “Establish trust”. On success everything will be set to green on the vCenter side.
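That the same file satisfies both upload fields suggests the KeyControl download is a combined PEM bundle: the client certificate followed by its unencrypted private key. The check below is an added example, not code from the original post or from HyTrust or VMware, and it assumes that bundle layout. Before uploading, it confirms the file holds exactly one certificate and one private key block, that the key is not password protected (the blank-password requirement from the certificate step), and that each block is valid base64; it can also split the bundle into separate certificate and key files for tooling that wants two inputs. The sample bundles are constructed placeholders, not real certificates or keys.

```python
import base64
import binascii
import re

# One PEM block: group 1 is the label (e.g. CERTIFICATE), group 2 everything
# between the BEGIN and END lines (optional RFC 1421 headers plus base64 lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def _pem(label, payload, headers=()):
    """Wrap arbitrary bytes in a PEM block. Used here only to build samples."""
    hdr = "".join(f"{k}: {v}\n" for k, v in headers)
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{hdr}{body}-----END {label}-----\n"


# Constructed samples: payloads are placeholder bytes, not real DER structures.
# SAMPLE_BUNDLE mirrors the assumed KeyControl layout: certificate, then key.
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", b"constructed placeholder, not a real certificate")
    + _pem("PRIVATE KEY", b"constructed placeholder, not a real PKCS#8 key")
)
# Same layout, but the legacy-format key carries OpenSSL's encryption headers,
# which is what a certificate created with a password would look like.
ENCRYPTED_BUNDLE = (
    _pem("CERTIFICATE", b"constructed placeholder, not a real certificate")
    + _pem("RSA PRIVATE KEY", b"constructed placeholder, not a real key",
           headers=[("Proc-Type", "4,ENCRYPTED"), ("DEK-Info", "AES-256-CBC,00")])
)
# A download that contains the certificate only; the upload needs the key too.
CERT_ONLY_BUNDLE = _pem("CERTIFICATE", b"constructed placeholder, not a real certificate")


def parse_pem(text):
    """Split a PEM file into dicts of {label, headers, b64}."""
    blocks = []
    for match in PEM_BLOCK.finditer(text.replace("\r\n", "\n")):
        label, raw = match.group(1), match.group(2)
        headers, b64_lines = {}, []
        for line in raw.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line and not b64_lines:  # header lines precede the data
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            else:
                b64_lines.append(line)
        blocks.append({"label": label, "headers": headers, "b64": "".join(b64_lines)})
    return blocks


def render_pem(block):
    """Re-emit a parsed block as a stand-alone PEM string."""
    hdr = "".join(f"{k}: {v}\n" for k, v in block["headers"].items())
    if hdr:
        hdr += "\n"  # legacy format separates headers from data with a blank line
    b64 = block["b64"]
    body = "".join(b64[i:i + 64] + "\n" for i in range(0, len(b64), 64))
    return f"-----BEGIN {block['label']}-----\n{hdr}{body}-----END {block['label']}-----\n"


def check_kms_bundle(text):
    """Return (ok, problems) for a credential file destined for the vCenter
    'KMS Certificate and Private key' upload."""
    blocks = parse_pem(text)
    problems = []
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    keys = [b for b in blocks if b["label"].endswith("PRIVATE KEY")]
    if len(certs) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for key in keys:
        legacy_encrypted = key["headers"].get("Proc-Type", "").endswith("ENCRYPTED")
        if key["label"] == "ENCRYPTED PRIVATE KEY" or legacy_encrypted:
            problems.append("private key is password protected; recreate the client "
                            "certificate in KeyControl with a blank password")
    for block in blocks:
        try:
            base64.b64decode(block["b64"], validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{block['label']} block is not valid base64")
    return (not problems, problems)


def split_bundle(text):
    """Return the certificate and the key as two separate PEM strings."""
    blocks = parse_pem(text)
    cert = next(b for b in blocks if b["label"] == "CERTIFICATE")
    key = next(b for b in blocks if b["label"].endswith("PRIVATE KEY"))
    return {"certificate": render_pem(cert), "private_key": render_pem(key)}


if __name__ == "__main__":
    for name, bundle in [("good", SAMPLE_BUNDLE), ("encrypted", ENCRYPTED_BUNDLE),
                         ("cert-only", CERT_ONLY_BUNDLE)]:
        ok, problems = check_kms_bundle(bundle)
        print(f"{name}: {'OK' if ok else '; '.join(problems)}")
```

Run it against the file you downloaded from KeyControl (read the file and pass its contents to `check_kms_bundle`) before starting the vCenter wizard; a password-protected key or a certificate-only download shows up here as a clear message instead of a failed “Establish trust”.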
And that’s really it!
All that remains is to create a new virtual machine, selecting “Enable Windows Virtualization Based Security” on the “Select a Guest OS” page.
This will give you the option to add a Trusted Platform Module (TPM) chip at any time.
I hope that this blog post was helpful, and as always, feedback is appreciated.