Initiating an API request for an instant clone of an encrypted VM produces the following entries in vpxd.log:
/var/log/vmware/vpxd/vpxd.log
YYYY-MM-DDTHH:MM:SS. error vpxd[07332] [Originator@6876 sub=VmProv opID=b56471f7-17f4-9381-b6df-69888f298aca-ab-60ea49e5-01] Get exception while executing action vpx.vmprov.InvokePrechecks:
--> (vmodl.fault.InvalidArgument) {
--> faultMessage = (vmodl.LocalizableMessage) [
--> (vmodl.LocalizableMessage) {
--> key = "com.vmware.vim.vpxd.vmcheck.instantCloneSrcEncrypted",
--> arg = (vmodl.KeyAnyValue) [
--> (vmodl.KeyAnyValue) {
--> key = "arg",
--> value = "vm-1540592"
--> }
--> ],
--> }
--> ],
--> invalidProperty = "vm.hasvTPM",
--> msg = ""
--> }
Adding a virtual TPM (vTPM) to a vSphere virtual machine automatically triggers VMware VM Encryption to secure the vTPM's secrets and configuration. Consequently, VMs protected by any form of encryption, including this automatic vTPM encryption, cannot be used as source VMs for instant clone operations. This limitation stems from vSphere's instant clone technology, which depends on shared memory and disk states, a process incompatible with encryption's isolation measures.
Instant clone of a vTPM virtual machine via the vSphere API is not supported.
Additional documentation on instant cloning: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/vsphere-security-7-0/virtual-machine-encryption/encryption-best-practices-and-caveats/virtual-machine-encryption-interoperability.html
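To locate these precheck failures in a collected vpxd.log, the sketch below groups each log header with its "-->" continuation lines and reports the opID, source VM and invalid property for entries carrying the instantCloneSrcEncrypted key. It is an added example, not VMware code; the function names and the abridged sample log (timestamps, opIDs, VM IDs) are constructed for illustration.

```python
import re

# Constructed, abridged sample in the shape of the vpxd.log entry above; values are made up.
SAMPLE = '''\
2024-05-01T10:00:00.000Z error vpxd[07332] [Originator@6876 sub=VmProv opID=op-aaa-01] Get exception while executing action vpx.vmprov.InvokePrechecks:
--> (vmodl.fault.InvalidArgument) {
-->          key = "com.vmware.vim.vpxd.vmcheck.instantCloneSrcEncrypted",
-->                key = "arg",
-->                value = "vm-1001"
-->    invalidProperty = "vm.hasvTPM",
--> }
2024-05-01T10:00:05.000Z info vpxd[07332] [Originator@6876 sub=VmProv opID=op-bbb-02] Unrelated entry
2024-05-01T10:00:09.000Z error vpxd[07332] [Originator@6876 sub=VmProv opID=op-ccc-03] Get exception while executing action vpx.vmprov.InvokePrechecks:
--> (vmodl.fault.InvalidArgument) {
-->    invalidProperty = "spec.name",
--> }
'''

FAULT_KEY = "com.vmware.vim.vpxd.vmcheck.instantCloneSrcEncrypted"
OPID = re.compile(r"\bopID=([^\]\s]+)")
VALUE = re.compile(r'\bvalue = "([^"]*)"')
PROP = re.compile(r'\binvalidProperty = "([^"]*)"')

def entries(text):
    """Yield each header line together with its '-->' continuation lines."""
    current = []
    for line in text.splitlines():
        if line.startswith("-->"):
            if current:  # ignore continuations that have no header
                current.append(line)
        else:
            if current:
                yield current
            current = [line]
    if current:
        yield current

def find_blocked_instant_clones(text):
    """Return one dict per precheck failure caused by an encrypted/vTPM source VM."""
    hits = []
    for entry in entries(text):
        body = "\n".join(entry[1:])
        if "InvokePrechecks" not in entry[0] or FAULT_KEY not in body:
            continue
        op, vm, prop = OPID.search(entry[0]), VALUE.search(body), PROP.search(body)
        hits.append({"timestamp": entry[0].split(" ", 1)[0],
                     "opID": op.group(1) if op else None,
                     "vm": vm.group(1) if vm else None,
                     "invalidProperty": prop.group(1) if prop else None})
    return hits
```

Calling find_blocked_instant_clones() on the contents of /var/log/vmware/vpxd/vpxd.log returns the affected source VM IDs, and each opID can be used to correlate the failure with the originating API request.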