{"id":1681,"date":"2022-12-13T12:49:37","date_gmt":"2022-12-13T17:49:37","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=1681"},"modified":"2022-12-13T12:49:37","modified_gmt":"2022-12-13T17:49:37","slug":"which-virtual-machines-have-cloned-vtpm-devices","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/scripting\/which-virtual-machines-have-cloned-vtpm-devices\/","title":{"rendered":"Which virtual machines have cloned vTPM devices?"},"content":{"rendered":"\n<p>In vSphere 7.0, when a virtual machine with a vTPM device is cloned, the secrets and identity in the vTPM are cloned as well.  In vSphere 8.0 there is an option during a clone to replace the vTPM so that it gets its own secrets and identity (more information available here: <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vSphere\/8.0\/vsphere-vm-administration\/GUID-902F7335-6215-4583-810C-12E4BCCFE911.html\">Clone an Encrypted Virtual Machine (vmware.com)<\/a>). <\/p>\n\n\n\n<p>Someone recently asked me if it would be possible to programmatically find VMs that had duplicate key\/secrets.  I looked and found a <code>Get-VTpm<\/code> cmdlet, which returns a <a href=\"https:\/\/developer.vmware.com\/docs\/powercli\/latest\/vmware.vimautomation.security\/structures\/vmware.vimautomation.security.types.v1.entity.vtpm\/\">VTpm Structure<\/a> that contains an <code>Id<\/code> and <code>Key<\/code> property.  I suspected that the <code>Key<\/code> property would contain the key we were interested in, so I set up a quick test to confirm.  
Here is the output of a few VMs with vTPM devices showing the <code>Id<\/code> and <code>Key<\/code> values.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> Get-VM | Get-VTpm | select Parent, Name, Id, Key\r\n\r\nParent              Name        Id                             Key\r\n------              ----        --                             ---\r\nclone_unique        Virtual TPM VirtualMachine-vm-1020\/11000 11000\r\nclone_dupeVtpm      Virtual TPM VirtualMachine-vm-1019\/11000 11000\r\nNew Virtual Machine Virtual TPM VirtualMachine-vm-1013\/11000 11000\r<\/code><\/pre>\n\n\n\n<p>As we can see, the <code>Key<\/code> is actually the hardware device key of <code>11000<\/code>, which is static, regardless of whether we expect a duplicate vTPM or not.<\/p>\n\n\n\n<p>However, digging into <code>ExtensionData<\/code> I found some other more interesting properties, specifically <code>EndorsementKeyCertificateSigningRequest<\/code> and <code>EndorsementKeyCertificate<\/code>.  Comparing the <code>EndorsementKeyCertificate<\/code> property confirmed that when a vTPM is duplicated this key is the same, but when it has been replaced it is unique.  Taking that information into account, this one-liner would group vTPMs by duplicate keys:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-VM | Get-VTpm | Select-Object Parent, @{N='vTpmEndorsementKeyCertificate';E={&#91;string]&#91;System.Text.Encoding]::Unicode.GetBytes($_.ExtensionData.EndorsementKeyCertificate&#91;1])}} | Group-Object vTpmEndorsementKeyCertificate<\/code><\/pre>\n\n\n\n<p>The output of this command would be a grouping per key.  The <code>Group<\/code> property would contain all the VM names (the <code>Parent<\/code> property in this context) using the same key.  In the example below, there is 1 VM with a unique key and 2 VMs sharing a key.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Count Name                      Group\r\n----- ----                      -----\r\n    1 52 0 56 0 32 0 49 0 51... 
{@{Parent=clone_unique; vTpmEndorsementKeyCertificate=52 0 56 0 32 0 49 0 51 0 48 0 32 0 51 0 32 0 50 0 49 0 57 0 32 0 52 0 56 0 3...\r\n    2 52 0 56 0 32 0 49 0 51... {@{Parent=clone_dupeVtpm; vTpmEndorsementKeyCertificate=52 0 56 0 32 0 49 0 51 0 48 0 32 0 51 0 32 0 50 0 49 0 57 0 32 0 52 0 56 0...<\/code><\/pre>\n\n\n\n<p>Using this information we could remove\/replace the vTPM in the duplicate VMs if needed to ensure a unique key.  Note, per the documentation <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vSphere\/8.0\/vsphere-vm-administration\/GUID-6F811A7A-D58B-47B4-84B4-73391D55C268.html\" data-type=\"URL\" data-id=\"https:\/\/docs.vmware.com\/en\/VMware-vSphere\/8.0\/vsphere-vm-administration\/GUID-6F811A7A-D58B-47B4-84B4-73391D55C268.html\">here<\/a>, &#8220;As a best practice, ensure that your workloads no longer use a vTPM before you replace the keys. Otherwise, the workloads in the cloned virtual machine might not function correctly.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In vSphere 7.0, when a virtual machine with a vTPM device is cloned, the secrets and identity in the vTPM are cloned as well. 
In vSphere 8.0 there is an option during a clone to replace the vTPM so that &hellip; <a href=\"https:\/\/enterpriseadmins.org\/blog\/scripting\/which-virtual-machines-have-cloned-vtpm-devices\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-1681","post","type-post","status-publish","format-standard","hentry","category-scripting","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=1681"}],"version-history":[{"count":4,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1681\/revisions"}],"predecessor-version":[{"id":1685,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1681\/revisions\/1685"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=1681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=1681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=1681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}