home lab

Add a TPM card to VMware vSAN Host

Add a TPM card to VMware vSAN Host. A step-by-step look at retro-adding a TPM 2.0 module to a VMware vSAN host and configuring the module

Security is an extremely important part of server technology these days. With the sophistication of malicious attacks, supply chain hacks, and other risks to business-critical data, security contains several layers of protection. Security not only must be applied to software but it must also be applied at the host level. The Trusted Platform Module (TPM) is a passive security device that serves the purpose of storing sensitive security information. It can be used to validate the integrity of a host, enabling secure boot. In the world of virtualization, the host having a physical TPM device is required before you can add a virtual TPM or vTPM to your virtual machines. In my home lab, I have recently added TPM devices to my Supermicro servers. I thought I would create a blog to detail the steps to add a TPM card to VMware vSAN hosts in my home lab and what was involved.

TPM add-on cards

Many are under the impression if your server does not come with a TPM module, it is not possible to add one. This may be the case depending on your server model and the capabilities of your server’s motherboard. However, most boards produced in the past few years often have the header available for installing a TPM module. I am running all Supermicro gear in the home lab and Supermicro has several TPM add-on cards available that can be added to servers.

Take a look at the write-up of my Supermicro home lab here:

The hosts that I am currently installing TPM devices in are the Supermicro SYS-5028D-TN4T model servers. I specifically went with the TPM device listed here:

Installing the TPM add-on card in the Supermicro 5028D-TN4T

The process to install a TPM add-on card in the Supermicro 5028D-TN4T server wasn’t difficult. I wasn’t quite sure where the TPM header was located, however, quickly found it next to the motherboard SATA connectors as you will see below. Before installing, here is a quick pick of the 9665V-S model TPM.

Supermicro TPM add on card
Supermicro TPM add on card

Below is a photo I took after I installed the TPM add-on card in the Supermicro server. This model is a

Supermicro TPM add on card installed in the server
Supermicro TPM add on card installed in the server

The 9665V-S card is a vertical model that sits vertically on the motherboard. This model works perfectly in the 5028-TN4T server.

Configuring the TPM in the BIOS

One thing I like about the 9665V-S model (S for server) is that it is preconfigured for use. I didn’t have to download any utilities to configure it beforehand which is nice. Under the Advanced settings in the Supermicro BIOS, you see the TPM device configuration. All of the settings below are the default settings once I installed the device.

After installing the TPM in Supermicro verifying it is enabled
After installing the TPM in Supermicro verifying it is enabled

Under Security, you will want to set the Provision Factory Default keys to enabled.

Provision factory default keys
Provision factory default keys

You will see the message to Disable the CSM in Setup message. After setting the Secure boot to enabled, you will see the warning below on changing the CSM setting.

Disable CSM in setup message
Disable CSM in setup message

Viewing the CSM setting under the Security tab. Set this to disabled.

Viewing the current CSM setting
Viewing the current CSM setting

Verifying I am set to

Ensuring boot mode is UEFI
Ensuring boot mode is UEFI

Add a TPM card to VMware vSAN Host

After booting checking out the Monitor > Security dashboard. As you can see below, I received the Internal failure message. After a quick hit on a VMware KB, this is due to the host not being disconnected and reconnected to vCenter.

Internal failure on host attestation
Internal failure on host attestation

This is corroborated by the vpxd.log from vCenter with the No cached identity key, loading from DB error.

No cached identity key error
No cached identity key error

Can you safely disconnect and reconnect a vSAN host? Yes. Just migrate your workloads from the vSAN host, place it in maintenance mode, and then you can quickly and easily disconnect the host and reconnect it in vCenter.

Disconnect a VMware vSAN host from vCenter
Disconnect a VMware vSAN host from vCenter

After disconnecting the host, reconnect it.

Reconnect a VMware vSAN host to vCenter Server
Reconnect a VMware vSAN host to vCenter Server

Now, a few seconds after disconnecting and reconnecting the host, you should see your host attestation change to Passed with no failure messages in the messages column.

VMware ESXi host attestation passed after disconnecting and reconnecting in vCenter Server
VMware ESXi host attestation passed after disconnecting and reconnecting in vCenter Server

Wrapping Up

The process to Add a TPM card to VMware vSAN Host was straightforward. Depending on the hardware manufacturer, the process may vary. However, with the Supermicro TPM add on card, a simple installation of the card onto the TPM header was all that was required, besides a few BIOS settings as detailed above. After installing and configuring the TPM card, you can then set your server to Secure Boot. In VMware vCenter Server, the host needs to be disconnected and reconnected to correctly perform host attestation and get rid of the Internal Error that you will likely see adding a card after the fact.

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.