hashicorp / packer-plugin-vsphere

Packer plugin for VMware vSphere Builder
https://www.packer.io/docs/builders/vsphere
Mozilla Public License 2.0

vTPM is not required to enable VBS. #339

Closed 5nines closed 9 months ago

5nines commented 9 months ago

I was wondering if it would be possible to remove the requirement for vTPM to be enabled when VBS is enabled? vTPM is not actually required to enable VBS, and forcing this option would force the need for a Key Management Server infrastructure to be set up and configured for vCenter. Excellent feature add either way!

Originally posted by @nywilken in https://github.com/hashicorp/packer-plugin-vsphere/pull/318#pullrequestreview-1722276953

5nines commented 9 months ago

https://vkernel.nl/configure-virtualized-based-security-vbs

Configure VMware Native Key Provider

Let me start by saying vTPM is not required to implement Microsoft VBS with Credential Guard. Credential Guard will work, but it will be less secure.

The only way to assign a Trusted Platform Module device to a VM is by having a configured key provider in vCenter (Native or third party). The key provider needs to be maintained, so it will be an additional dependency in the infrastructure.

tenthirtyam commented 9 months ago

Looks like I may have made a mistake in the implementation, but that would be an easy fix. I'll need to look at it during my personal time.

5nines commented 9 months ago

@tenthirtyam Okay, good deal. Thanks very much!

tenthirtyam commented 9 months ago

340