vSphere Native Key Provider enables the use of VM encryption capabilities without an external key provider. For example, if you are required to use vTPM, you will need to configure a key provider in vCenter, especially when you install an OS like Windows 11 or otherwise need a vTPM on a VM. The Native Key Provider feature is supported in vSphere 7.0 Update 2 and later versions.
Configure a Native Key Provider in vCenter.
01. Once you log into vCenter, Select the vCenter from the inventory and click Configure. Then, select Key Providers.
02. Click Add and select Add Native Key Provider.
03. Define a Name for the key provider. If your hardware has a TPM, tick Use key provider only with TPM protected ESXi Hosts. Then, click Add Key Provider.
This will offload the encryption key generation process to the physical TPM chip installed on the ESXi host. However, a host with a physical TPM chip installed is not a requirement for using vTPM. You can untick Use key provider only with TPM protected ESXi Hosts and click Add Key Provider so that the key provider does not depend on TPM-protected ESXi hosts.
04. Now, select the key provider and click Backup.
Without backing up the key provider, you will not be able to configure vTPM for VMs.
05. Tick Protect Native Key Provider data with password (Recommended).
06. Define the password, then click Back up key provider.
07. Save the backup file in a safe location. You will need it if you have to restore the key provider for any reason.
08. Verify that the key provider status is Active. Now you can configure vTPM for VMs.
Add a vTPM to a VM.
09. Select the VM to which you need to add the vTPM, or add the module during VM creation.
10. From the Add New Device drop-down menu, select Trusted Platform Module.
11. Click OK.
The task failed with the error “A general run time error occurred. The key provider is not compatible with the host. Reason: The host does not support Native Key Provider because it is not in a cluster.” This was for obvious reasons, as my lab ESXi host was not part of a cluster. I had to create a cluster and add the host to it to correct the issue.
Then, I added the Trusted Platform Module (TPM), and it was successful.
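Before clicking OK in step 11, the conditions walked through above (a backed-up Native Key Provider, a host that is a cluster member, and a VM that can take a vTPM) can be checked from PowerCLI. This is an added example, not code from the original post; it assumes PowerCLI 12.3 or later for Get-VTpm/New-VTpm, vSphere 7.0 Update 2 or later, and the KmipClusterInfo fields ManagementType, HasBackup and TpmRequired on the CryptoManager view.

```powershell
# Pre-flight check for adding a vTPM backed by the Native Key Provider (added example).
# Assumed: PowerCLI 12.3+, vSphere 7.0 U2+, CryptoManager KmipClusterInfo fields
# ManagementType / HasBackup / TpmRequired as exposed by the vSphere API.
param(
    [Parameter(Mandatory)] [string] $Server,
    [Parameter(Mandatory)] [string] $VMName,
    [switch] $AddVTpm    # only add the device when every check passes
)
Connect-VIServer -Server $Server | Out-Null

$vm  = Get-VM -Name $VMName
$esx = $vm.VMHost
$cm  = Get-View (Get-View ServiceInstance).Content.CryptoManager
$nkp = @($cm.KmipServers | Where-Object { $_.ManagementType -eq 'nativeProvider' })

$problems = @()
# Step 08: a Native Key Provider must exist in vCenter
if ($nkp.Count -eq 0) {
    $problems += 'No Native Key Provider is configured in vCenter.'
}
# Steps 04-07: the provider must be backed up before vTPMs can be configured
elseif (-not ($nkp | Where-Object HasBackup)) {
    $problems += 'The Native Key Provider has not been backed up.'
}
# "Use key provider only with TPM protected ESXi Hosts" needs a physical TPM on the host
$hostHasTpm = $esx.ExtensionData.Capability.TpmSupported
if (($nkp | Where-Object TpmRequired) -and -not $hostHasTpm) {
    $problems += "Key provider requires a TPM but host $($esx.Name) has none."
}
# The error from the post: the host must be a cluster member to use the NKP
if ($esx.ExtensionData.Parent.Type -ne 'ClusterComputeResource') {
    $problems += "Host $($esx.Name) is not in a cluster."
}
# A vTPM requires EFI firmware and a powered-off VM, and only one vTPM per VM
if ($vm.ExtensionData.Config.Firmware -ne 'efi') { $problems += 'VM firmware is not EFI.' }
if ($vm.PowerState -ne 'PoweredOff')            { $problems += 'VM must be powered off.' }
if (Get-VTpm -VM $vm)                           { $problems += 'VM already has a vTPM.' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All pre-flight checks passed for $VMName."
if ($AddVTpm) {
    New-VTpm -VM $vm | Out-Null
    Write-Host "vTPM added to $VMName."
}
```

Run it without -AddVTpm first to see which of the conditions from the post would make the Add task fail.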
How to Restore Native Key Provider?
01. Select the vCenter, and click Configure. Then select Key Providers.
02. Browse to the backup file, then define the password and click Next.
03. Click Finish.
This will restore your VMware Native Key Provider from the selected backup. If you would like to know more about vSphere Native Key Provider, refer to the VMware documentation here.
I hope this helps. To see my previous VMware-related posts, click here.