AsBuiltReport / AsBuiltReport.VMware.vSphere

Repository for AsBuiltReport VMware vSphere module
https://www.asbuiltreport.com
MIT License

Record the TPM State of each node and if encryption enabled, backup the keys of each node into the report #101

Open CodeJACKz opened 1 year ago

CodeJACKz commented 1 year ago

Since TPM should now be implemented for all deployments, can this detail be added to the report?

Link with example code: https://vm.knutsson.it/2021/07/powercli-tpm-encryption-recovery-key-backup/

I got bitten by this after a recent deployment where the keys were not recorded and a node failed a couple of weeks after. Recovery would have been possible and faster had I recorded all the keys.

CodeJACKz commented 1 year ago

I'll get greedy by asking to record the Key Persistence status too :-)

This is used to set it: Key persistence is not enabled by default when using 3rd party KMS. This can be enabled via the following esxcli commands:

esxcli system settings encryption set --mode=TPM
esxcli system security keypersistence enable

https://core.vmware.com/blog/support-key-persistence
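For reference, an added example of how the state discussed above could be collected read-only with PowerCLI (this is not code from the thread, the linked blog or the AsBuiltReport module). It uses `Get-EsxCli -V2` to run `esxcli system settings encryption get` and `esxcli system settings encryption recovery list`, and the host view's `Capability.TpmSupported`, `Capability.TpmVersion` and `Summary.TpmAttestation`. The `RecoveryID` / `Key` property names, the `keypersistence.info` query and its `Enabled` property are assumptions (only the `enable` verb is shown on this page), so that query is guarded. Recovery keys are secrets, so the function records only the Recovery ID unless `-IncludeRecoveryKey` is given.

```powershell
# Added example (not AsBuiltReport project code): read-only collection of the
# TPM / encryption state the issue asks to document. Nothing here changes a host.
function Get-VMHostTpmState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost]$VMHost,

        # Recovery keys are secrets; by default only the Recovery ID is recorded.
        [switch]$IncludeRecoveryKey
    )
    process {
        $view   = $VMHost | Get-View -Property Name, Capability, Summary.TpmAttestation
        $esxcli = Get-EsxCli -VMHost $VMHost -V2

        # esxcli system settings encryption get -> Mode is 'NONE' or 'TPM'
        $enc = $esxcli.system.settings.encryption.get.Invoke()

        # esxcli system settings encryption recovery list; the RecoveryID / Key
        # property names are assumed from the -V2 object model.
        $recovery = @()
        if ($enc.Mode -eq 'TPM') {
            $recovery = @($esxcli.system.settings.encryption.recovery.list.Invoke())
        }

        # Key persistence: the page shows only the 'enable' verb. An 'info'
        # query with an 'Enabled' property is assumed here and guarded.
        $keyPersistence = 'Unknown'
        try {
            $kp = $esxcli.system.security.keypersistence.info.Invoke()
            $keyPersistence = if ($kp.Enabled) { 'Enabled' } else { 'Disabled' }
        } catch {
            $keyPersistence = 'Unknown (query unsupported)'
        }

        $recoveryIds = ($recovery | ForEach-Object { $_.RecoveryID }) -join ', '
        $recoveryKey = '<redacted>'
        if ($IncludeRecoveryKey) {
            $recoveryKey = ($recovery | ForEach-Object { $_.Key }) -join ', '
        }

        # Health check in the spirit of the thread: warn when the mode is not TPM
        # or key persistence is not confirmed enabled.
        $health = 'Warning'
        if ($enc.Mode -eq 'TPM' -and $keyPersistence -eq 'Enabled') { $health = 'OK' }

        [PSCustomObject]@{
            Host              = $view.Name
            TpmSupported      = $view.Capability.TpmSupported
            TpmVersion        = $view.Capability.TpmVersion
            AttestationStatus = $view.Summary.TpmAttestation.Status
            EncryptionMode    = $enc.Mode
            RequireSecureBoot = $enc.RequireSecureBoot
            KeyPersistence    = $keyPersistence
            RecoveryID        = $recoveryIds
            RecoveryKey       = $recoveryKey
            HealthCheck       = $health
        }
    }
}

# Usage (after Connect-VIServer):
#   Get-VMHost | Get-VMHostTpmState | Format-Table -AutoSize
```

The `-IncludeRecoveryKey` switch exists so the report can be generated without secrets in it by default; if the keys are exported, the report itself becomes sensitive and should be stored accordingly.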

tpcarman commented 1 year ago

I'll look into adding the TPM information; however, an as-built does not set or change a configuration, it simply documents and records the current configuration.

CodeJACKz commented 1 year ago

Thanks Tim. I only included those "set" commands to hint at a place to check whether it was even enabled or not.

tpcarman commented 1 year ago

Yeah thanks for that, I will likely use that to report on whether it is set or not, and probably add a health check for it too.