Solved

How to protect AHV VM with vTPM enabled


Hello

How to protect AHV VM with vTPM enabled?

Best answer by Pybarra 25 February 2023, 17:51

13 comments

I would suggest reading this page as it is the Veeam help guide for AHV - Welcome to Veeam Backup for Nutanix AHV - Veeam Backup for Nutanix AHV User Guide

Thanks @Chris.Childerhose

I already searched in the guide for how-to without success.

Did you try searching Google as well or even the Nutanix forums?

Sorry but I don’t use Nutanix so trying to help guide.

Hi @Chris.Childerhose 

Thank you so much for taking time to help me. I really appreciate that.

I tried Google and searched the R&D forums without success too. Everything is about VMware.

If you have support with Nutanix maybe contact them also?

I will check. However, I am looking for Veeam guidelines for backing up AHV VMs with vTPM enabled.

Ok then maybe post over at the Veeam Forums or search there to see if there are people with the same questions.

R&D Forums (veeam.com)

I will.

Hello,

This is a feature that is not currently supported by Veeam Backup for Nutanix AHV v3 or v4. Please see Nutanix link below for more information about it. The second link is from the Veeam forums that mentions vTPM in general. @Chris.Childerhose mentioned the Veeam Forums above😀

https://portal.nutanix.com/page/documents/kbs/details?targetId=kA07V000000LXKwSAO

https://forums.veeam.com/microsoft-hyper-v-f25/vtpm-vms-t79349.html?_gl=1*fegn60*_ga*NzU3ODQyMjcuMTY3MTgxNDE1Mw..*_ga_PMJS81E58L*MTY3NzM0Mjk5MC4yMjcuMS4xNjc3MzQzNTIwLjE5LjAuMA..

 

Thanks,

Pete

Thank you @Pybarra 

Product Manager from Nutanix here.

I’m looking into enhancements that allow backup of vTPM-enabled AHV VMs. I’d like to understand more details about how Veeam users would use backup/restore of vTPM-enabled AHV VMs. If you would benefit from such an enhancement, please share these details:

  • Customer organization name (company name)
  • What use case is using vTPM? In particular...
    • Is vTPM to be used just to satisfy the Windows 11 hardware requirement, or for another use case where no data is stored in vTPM (i.e. vTPM is just used for generating keys/numbers, not storing)?
    • Is vTPM to be used for BitLocker (and not Nutanix encryption)?
    • Is there some other application/use case for storing data in vTPM that is critical? (Please share details)
  • Do you have a single Prism Central, or multiple Prism Centrals?
    • Would you need to back up from a cluster within one Prism Central and restore to a cluster in a different Prism Central?
  • Is an external key manager being used for backup-related encryption keys? (Which key manager?)
    • Do you need an external key manager to be used for storing the Nutanix encryption keys that are used to encrypt the vTPM backup data?
  • Business impact on the customer if backup/restore vTPM is not supported.
  • Business impact on the customer if backup/restore of vTPM data is not supported.

Hey Joshua,

Thanks for looking into this. We desperately need a way to back up our vTPM-enabled servers with Veeam. Otherwise it renders the Veeam backup product mostly useless for us.

  • Our vTPM use case:
    • We use Microsoft Credential Guard to protect our production Windows servers. Windows Credential Guard leverages the TPM to store admin users' credentials in a secure space outside of the OS, rather than in running memory, which is highly vulnerable to attack.
  • We use Prism Central.
    • The Recovery Points feature in Prism Central does not work at all when vTPM is enabled on a VM. In our case, the Nutanix Veeam backup proxy leverages PC recovery points for backup jobs, and this is why they fail.
  • We do not store backup keys in vTPM.

This seems to be a Nutanix issue with recovery points for vTPM, as we can make AHV/Prism VM snapshots on the hosts with no issues. If the Veeam AHV backup product had an option to use host-based snapshots rather than Prism Central recovery points, then we could still use Veeam backup.

Removing the vTPM on our production systems is not an option, as it would greatly reduce our IT security posture. At this point, if the problem is not resolved early in 2024, we will start to look for other backup solutions that better fit our needs.
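The Nutanix PM's questions above boil down to one triage point: does the vTPM merely exist (Windows 11 hardware check), or does the guest actually keep state in it (BitLocker TPM protector, Credential Guard as in PearceH's post) that a restored VM without its vTPM state could not use? The following is an added example, not code from this thread, from Veeam or from Nutanix: a PowerShell script run inside each Windows guest as Administrator that answers that question per VM. It assumes the TrustedPlatformModule and BitLocker modules are available (Windows 10/11, Server 2016 and later) and that the guest can read the Win32_DeviceGuard CIM class. It does not change the fact that the Veeam job fails for a vTPM-enabled VM; it only tells you which VMs you must handle differently.

```powershell
# Added example (not from the thread, Veeam or Nutanix).
# Classify a Windows guest's dependence on its vTPM before deciding how to
# treat it in a backup/restore plan. Run inside the guest as Administrator.
# Assumes: TrustedPlatformModule and BitLocker PowerShell modules are present.

function Get-VtpmDependency {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = $false
        TpmReady         = $false
        CredentialGuard  = $false
        Hvci             = $false
        BitLockerTpmVols = @()
        Classification   = 'NoTpm'
    }

    # 1. Is a (virtual) TPM present and ready for use?
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # 2. Which virtualization-based security services are actually running?
    #    Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $result.CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
        $result.Hvci            = [bool]($dg.SecurityServicesRunning -contains 2)
    }

    # 3. Which BitLocker volumes are sealed to the TPM? Those volumes will not
    #    auto-unlock on a restored VM whose vTPM state did not come along;
    #    you would need the recovery password instead.
    $vols = Get-BitLockerVolume -ErrorAction SilentlyContinue
    foreach ($v in $vols) {
        $tpmProtectors = $v.KeyProtector |
            Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' }
        if ($tpmProtectors) {
            $result.BitLockerTpmVols += $v.MountPoint
        }
    }

    # 4. Classify, mirroring the questions asked in the Nutanix PM's post.
    if (-not $result.TpmPresent) {
        $result.Classification = 'NoTpm'
    } elseif ($result.BitLockerTpmVols.Count -gt 0) {
        # Restore needs the vTPM state or the BitLocker recovery password.
        $result.Classification = 'TpmHoldsState-BitLocker'
    } elseif ($result.CredentialGuard) {
        # The use case described in this thread.
        $result.Classification = 'TpmHoldsState-CredentialGuard'
    } else {
        # e.g. vTPM present only to satisfy the Windows 11 hardware check.
        $result.Classification = 'TpmPresentOnly'
    }

    [pscustomobject]$result
}

Get-VtpmDependency | Format-List
```

Collect the output from every Windows VM in the AHV cluster (for example via a scheduled task that writes the object to a share) and use the Classification column to decide which VMs can simply have the vTPM removed before backup, which must keep it, and which need their BitLocker recovery passwords escrowed before any restore test. Note that Credential Guard can run without a TPM, so the script reports it as a dependency because the thread's use case treats it as one, not because Windows refuses to start without the vTPM.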

 

Same problems as PearceH. Urgent
