HCI Security vSAN vSphere VxRail

TPM chip replacement for VxRail nodes

If TPM 1.2 chips are present in one or all VxRail nodes of your cluster, you essentially have two choices before upgrading your VxRail cluster to Version 8:

  • replace the TPM 1.2 chips with TPM 2.0 chips or
  • deactivate the TPM 1.2 chips completely if they are not in use and you don’t need the TPM features

I always recommend that my customers replace the chips, because you never know whether you will need TPM features in the future. So just do it now, during the upgrade phase. It doesn’t really cost much (about $50 per chip) and takes only about half an hour of your time per server. It is actually a no-brainer if the 1.2 chips have not been activated in vSphere 7, which fortunately has been the case with all of my customers.

I wanted to share the necessary steps, which I have now carried out a few times with success.

// open the vSphere Client
check your vCenter backup
run the vCenter & vSAN cluster health check
put each VxRail node into Maintenance Mode using “Ensure Accessibility”
shut down the node


// open iDRAC
power on the node


// open iDRAC Console
activate & configure TPM & Secure Boot in the BIOS
https://www.dell.com/support/kbdoc/en-us/000172501/dell-emc-vxrail-hosts-show-alert-in-vcenter-stating-tpm-2-0-device-detected-but-a-connection-cannot-be-established-customer-correctable?lwp=rt
boot to System Setup (F2)
record the Boot Settings
reset iDRAC to Default
restore the Boot Settings
check that TPM 2.0 & TXT are activated
exit System Setup & reboot
boot again to System Setup (F2)
check that the TXT algorithm is set to SHA256
activate Secure Boot
exit System Setup & reboot


// open vSphere Client
take the node out of Maintenance Mode
disconnect & reconnect the node
check that the attestation status is “passed” under vCenter/Monitor/Security/Host Attestation
if it is “failed” / “Internal failure” with a blue info message on the node saying “The new host TPM endorsement key does not match the one stored in the DB” => go to the next step


// open vCenter SSH
delete the TPM endorsement keys from the vCenter database
https://www.dell.com/support/kbdoc/en-us/000065619 (Audience Level: Partners)
before changing anything in the vCenter database, take an offline snapshot of the vCenter VM!
then follow the KB article steps:
put the node into Maintenance Mode using “Ensure Accessibility”
save (back up) the VPX_HOST table of the VCDB!
delete the correct key values in the VPX_HOST table of the VCDB => CAUTION! Double-check that you delete the right one!


// open vSphere Client
disconnect & reconnect the node
check that the attestation status is “passed” under vCenter/Monitor/Security/Host Attestation
take the node out of Maintenance Mode
check your vCenter & vSAN cluster health


// open ESXi SSH (on each VxRail Node)
activate TPM mode in ESXi, enforce Secure Boot for ESXi, list and save the TPM recovery keys, synchronize the ESXi configuration into the second bootbank
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-30DA8CC1-5D9F-4025-B5DB-6D592B6BD9B4.html
# esxcli system settings encryption set --mode=TPM
# esxcli system settings encryption set --require-secure-boot=T
# esxcli system settings encryption recovery list
# /sbin/auto-backup.sh
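A small verification helper for this step, added here as an example; it is not part of the original article and not VMware's own tooling. It parses the output of "esxcli system settings encryption get" (the field names follow the layout documented for that command; the two sample outputs are constructed, not captured from a real node) and reports whether a node is in TPM mode with Secure Boot enforced, so the state can be confirmed on every node before the final health check.

```shell
#!/bin/sh
# Added example (not from the original article): verify the ESXi encryption
# settings after the two 'esxcli system settings encryption set' commands.
# The checker parses the text printed by 'esxcli system settings encryption get'.

# Constructed sample output for a node that has been put into TPM mode with
# Secure Boot enforced (layout as documented for the 'get' command).
SAMPLE_OK='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# Constructed sample output for a node still in the default NONE mode.
SAMPLE_DEFAULT='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# extract_field OUTPUT "Field Name" -> prints the value after the colon, trimmed
extract_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# encryption_state_ok OUTPUT -> exit status 0 only if Mode is TPM and
# Require Secure Boot is true (both are needed for the hardened state)
encryption_state_ok() {
    mode=$(extract_field "$1" "Mode")
    sb=$(extract_field "$1" "Require Secure Boot")
    [ "$mode" = "TPM" ] && [ "$sb" = "true" ]
}

# Live use on an ESXi host: feed the real command output to the checker.
# Guarded with 'command -v' so the script also loads on a machine without esxcli.
if command -v esxcli >/dev/null 2>&1; then
    live=$(esxcli system settings encryption get)
    if encryption_state_ok "$live"; then
        echo "TPM mode with enforced Secure Boot: OK"
    else
        echo "Node is not yet in TPM mode or Secure Boot is not enforced:"
        printf '%s\n' "$live"
        exit 1
    fi
fi
```

Copy the script to a node and run it after /sbin/auto-backup.sh; a non-zero exit means the settings did not take. The keys printed by the "recovery list" command belong in a place outside the host, since they are what lets the configuration be recovered if the TPM is replaced again or fails.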

// open vSphere Client
final check of your vCenter & vSAN cluster health


If you have read this far, I hope my article was helpful to you. Feel free to share if you like…


// footnotes:

Date: 14.08.2023
Version: 1.0