What is a virtual Trusted Platform Module (vTPM)?

How can I protect my virtual environments?
Virtual machine (VM) technology can be used for cost-efficient and flexible processing in both on-premises and cloud environments. However, as VMs have become more popular, the chances of their being weaponized against users have increased.

In a typical data centre, there will often be around 25-30 VMs present on a single host. VMs will have access to a host computer’s files and data. To avoid detection or the activation of antivirus software, attackers are increasingly hiding ransomware payloads within VMs when encrypting files on a host computer, with the aim of stealing and exploiting masses of data once the device boots up.

Having measures in place which focus on the security of virtual environments is essential. Without a vTPM, data centers and other ‘host’ environments cannot access the same security capabilities achieved in physical devices.

What is a vTPM?
A vTPM is a software-based representation of a traditional TPM 2.0 chip. It carries out the same hardware-based security functions as a TPM, for example attestation, key generation and random number generation, without the physical chip being required.

When would I need to use a vTPM?
A vTPM is especially useful when running a VM, a compute resource that executes programs and applications on software rather than a physical computer.

VMs give users the ability to satisfy varying levels of processing power requirements, overcome interoperability issues, enable the use of different operating systems and allow applications to be tested in a safer, separate environment. When using a VM, the vTPM lets you assess whether malicious activity has taken place and allows the boot process to proceed only once validation checks have completed successfully.

What sort of devices does a vTPM protect?
Unlike the TPM, the vTPM focuses less on the ‘host’ device itself and more on the virtual environments operated on it. A number of virtual ‘guest’ machines are able to run on a single ‘host’ machine, each able to run its own operating system independently of the rest. For these virtual machines, the vTPM operates as a TPM 2.0 virtual crypto coprocessor.

How does a vTPM work?
A vTPM emulates the secure storage capabilities of a TPM and executes these cryptographic operations within the software.

Once added to your virtual machine, the vTPM enables the guest operating system to generate and store private keys, enhancing the available security measures. As with a device-based TPM, any keys created are isolated from the system, reducing the risk of their being compromised during an attack. The vTPM receives key information from a certificate authority (CA), which works exactly like the encryption key (EK) found on a physical TPM.

The keys created by the vTPM are then used by the operating system only for encryption and signing, enabling you to remotely validate the identity and trustworthiness of your virtual machine and to verify the software running within it. Whether you have a new or an existing virtual machine, a vTPM can be added at any point to enhance your security measures. The vTPM relies on the security of the virtualization environment and sits within the same isolation boundary as the hypervisor.
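The two mechanisms described above, validating the boot process before it is allowed to proceed and remotely attesting the VM's state with a key that never leaves the vTPM, are shown together in the following added example. It is a simulation written for this page, not code from the Trusted Computing Group or any vTPM product. The SimulatedVTPM class, the stage-to-PCR mapping, the constructed "firmware", "bootloader" and "kernel" byte strings, and the golden reference values are all assumptions; a real TPM signs its quotes with an asymmetric attestation key whose public half the verifier holds, whereas here an HMAC key stands in for it so the example runs with only the Python standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-ins for real boot components (hypothetical content).
GOLDEN_IMAGES = {
    "firmware": b"UEFI firmware image v1",
    "bootloader": b"shim + grub image v1",
    "kernel": b"vmlinuz image v1",
}
# Which PCR each boot stage is measured into (register numbers chosen for this example).
PCR_FOR_STAGE = {"firmware": 0, "bootloader": 4, "kernel": 8}


@dataclass
class SimulatedVTPM:
    """Minimal model of the measured-boot and quote functions of a TPM 2.0 (simulation only)."""
    # Attestation key held inside the vTPM. A real TPM uses an asymmetric key whose private
    # half never leaves the device; an HMAC key is assumed here so the code runs offline.
    attestation_key: bytes = field(default_factory=lambda: os.urandom(32))
    # 24 SHA-256 PCRs, all zero at power-on.
    pcrs: dict = field(default_factory=lambda: {i: b"\x00" * 32 for i in range(24)})

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR extend: PCR[i] = SHA256(PCR[i] || SHA256(measurement)). Not reversible or settable."""
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def pcr_digest(self, indices) -> bytes:
        """Digest over the selected PCRs, as included in a quote's attested data."""
        return hashlib.sha256(b"".join(self.pcrs[i] for i in sorted(indices))).digest()

    def quote(self, indices, nonce: bytes) -> dict:
        """Quote: sign the PCR selection and digest together with the verifier's nonce."""
        indices = sorted(indices)
        pcr_digest = self.pcr_digest(indices)
        message = nonce + bytes(indices) + pcr_digest
        return {
            "indices": indices,
            "nonce": nonce,
            "pcr_digest": pcr_digest,
            "signature": hmac.new(self.attestation_key, message, "sha256").digest(),
        }


def measured_boot(tpm: SimulatedVTPM, images: dict) -> list:
    """Measure each boot stage into its PCR before it would run; return the PCRs used."""
    for stage, image in images.items():
        tpm.extend(PCR_FOR_STAGE[stage], image)
    return sorted(set(PCR_FOR_STAGE.values()))


def golden_pcr_digest() -> bytes:
    """Reference (known-good) PCR digest, computed once from the trusted images."""
    reference = SimulatedVTPM()
    indices = measured_boot(reference, GOLDEN_IMAGES)
    return reference.pcr_digest(indices)


def verify_quote(quote: dict, attestation_key: bytes, expected_nonce: bytes,
                 expected_pcr_digest: bytes) -> bool:
    """Verifier side: check freshness, signature, then the PCR values themselves."""
    if quote["nonce"] != expected_nonce:
        return False  # stale or replayed quote
    message = quote["nonce"] + bytes(quote["indices"]) + quote["pcr_digest"]
    expected_sig = hmac.new(attestation_key, message, "sha256").digest()
    if not hmac.compare_digest(expected_sig, quote["signature"]):
        return False  # not produced by this vTPM's attestation key
    return hmac.compare_digest(quote["pcr_digest"], expected_pcr_digest)


def boot_and_attest(images: dict) -> bool:
    """Boot a fresh VM over the given images and report whether remote validation passes."""
    tpm = SimulatedVTPM()
    indices = measured_boot(tpm, images)
    nonce = os.urandom(16)  # verifier-chosen challenge
    q = tpm.quote(indices, nonce)
    # The verifier knows the attestation key (in reality, its public half) and the golden digest.
    return verify_quote(q, tpm.attestation_key, nonce, golden_pcr_digest())


if __name__ == "__main__":
    print("clean boot validated:", boot_and_attest(GOLDEN_IMAGES))
    modified = dict(GOLDEN_IMAGES, kernel=b"vmlinuz image v1 (modified)")
    print("modified kernel validated:", boot_and_attest(modified))
```

Because each extend folds the new measurement into the previous register value, a component that was altered anywhere in the chain produces a different final PCR, and the verifier's comparison against the golden digest fails; the nonce check rejects a quote captured from an earlier, clean boot. This is the property that lets the boot be gated on successful validation.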

Where is a vTPM being used today?
Google has published details of an example vTPM implementation.

Where can I find more information on a vTPM?

Interested in an overview of the solutions for other devices? See What is a Root of Trust?

Interested in a solution that secures physical devices? See TPM.
