KB208069

From The LI AO Wiki


Introduction

This article describes a way to add a virtual TPM (vTPM) to a VMware Workstation virtual machine without encrypting the whole VM. VMware Workstation 16 can add a Trusted Platform Module to a virtual machine, which simplifies system management (for example, guest features that require a TPM), but the user interface only offers the option once the VM has been encrypted.

Symptoms

On VMware Workstation 16, the user interface only allows a TPM to be added to a VM after the VM has been fully encrypted.

Consider the following scenario: the user needs a VM that includes a TPM, but does not want the VM to be fully encrypted.

Solution

A TPM's internal state (its keys and non-volatile storage) must be kept confidential, otherwise the security functions built on it are void. A virtual TPM keeps that state in the VM's files on the host, so VMware requires the whole virtual machine to be encrypted to protect the TPM state from unauthorised reading and tampering.

Users who accept the risk of exposing the vTPM's private data can use a TPM without VM encryption by taking the following steps:

  1. Create an unencrypted VM and set its firmware type to UEFI (firmware = "efi" in the VMX file); a vTPM cannot be used with BIOS firmware.
  2. With the VM powered off, add the following lines to the VMX file of the VM:
       uefi.secureBoot.enabled = "TRUE"
       managedvm.autoAddVTPM = "software"
  3. The next time the VM is opened, VMware Workstation adds the TPM device to the VM automatically, before the user can perform any power actions.
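The following POSIX shell script applies step 2 to a VMX file idempotently and refuses to touch a VM that is not EFI or that appears to be running. It is an added example, not VMware tooling: the two key names and values are the ones from the procedure above; the function names, the sample VMX contents, and the assumption that VMware Workstation leaves a `<name>.vmx.lck` directory beside a running VM's VMX file are the example's own.

```shell
#!/bin/sh
# Add the vTPM keys to a VMware Workstation .vmx file (added example, not VMware's own tooling).

# Set key = "value" in a .vmx file, replacing an existing line or appending a new one.
set_vmx_key() {
    vmx="$1"; key="$2"; value="$3"
    if grep -q "^${key} = " "$vmx"; then
        # Rewrite the existing line via a temp file (portable across sed implementations).
        sed "s|^${key} = .*|${key} = \"${value}\"|" "$vmx" > "$vmx.tmp" && mv "$vmx.tmp" "$vmx"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$vmx"
    fi
}

# Returns 0 on success, 1 if the VM is not an EFI VM, 2 if the VM looks powered on.
add_vtpm() {
    vmx="$1"
    # Assumption: a running VM has a "<name>.vmx.lck" directory next to its .vmx file.
    [ -e "${vmx}.lck" ] && { echo "refusing: $vmx appears to be running" >&2; return 2; }
    # The vTPM requires UEFI firmware; BIOS VMs must be converted to EFI first.
    grep -q '^firmware = "efi"' "$vmx" || { echo "refusing: $vmx is not an EFI VM" >&2; return 1; }
    set_vmx_key "$vmx" 'uefi.secureBoot.enabled' 'TRUE'
    set_vmx_key "$vmx" 'managedvm.autoAddVTPM' 'software'
}

# Post-check: both keys present exactly once, with the expected values.
vtpm_configured() {
    vmx="$1"
    [ "$(grep -c '^managedvm.autoAddVTPM = "software"' "$vmx")" -eq 1 ] &&
    [ "$(grep -c '^uefi.secureBoot.enabled = "TRUE"' "$vmx")" -eq 1 ]
}

# Constructed sample .vmx files for a dry run; they are not real VMs.
make_sample_vmx() {
    dir=$(mktemp -d)
    cat > "$dir/efi.vmx" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "18"
displayName = "tpm-test"
firmware = "efi"
uefi.secureBoot.enabled = "FALSE"
EOF
    cat > "$dir/bios.vmx" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "18"
displayName = "bios-test"
EOF
    echo "$dir"
}

# Usage on a real VM: add_vtpm /path/to/vm.vmx && vtpm_configured /path/to/vm.vmx
```

The EFI sample already carries `uefi.secureBoot.enabled = "FALSE"`, so the script demonstrates the replace path as well as the append path; running it twice leaves a single copy of each key.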

Because the VM is not encrypted, the vTPM's state is stored in plaintext in the VM's files on the host. Users should ensure that these files are not disclosed to unwanted parties: anyone who obtains them can extract the TPM's secrets (for example, keys a guest has sealed to the TPM), which voids the security features of the TPM.