top of page
  • Writer's pictureSantosh Kumar Behera

Configuring vSphere Native Key Provider for vTPM: A Step-by-Step Guide


vSphere is the industry-leading virtualization platform from VMware, offers various security features to protect virtualized environments. One such feature is the vSphere Native Key Provider, which allows you to enhance security by leveraging virtual Trusted Platform Modules (vTPM) for encryption and key management.

The vSphere Native Key Provider was introduced in VMware vSphere 7.0 Update 2 and later. It is a function of VMware vSphere vCenter Server, so you must deploy VMware vSphere vCenter Server to use this functionality. You must purchase the VMware vSphere Enterprise Plus Edition for this.

The vSphere Native Key provider allows you to encrypt virtual machines, enable vTPM in virtual machines, or enable data-at-rest encryption on vSAN, without the need for an external KMS (Key Management Server). You can export the vSphere Native Key provider key and import it again on another cluster. The vSphere Native Key provider only provides key management to objects within the inventory of vCenter Server, it cannot be used externally. If you require external functionality beyond vCenter Server, you will need to use an external third party KMS.

New requirements for Microsoft Windows 11 require a TPM (Trusted Platform Module). We can add this new vTPM device to support Windows 11.

vSphere Native Key Provider Prerequisites
  • Ensure both the vCenter Server and ESXi hosts are running vSphere 7.0 Update 2 or later.

  • Configure the vCenter Server file-based backup and restore, and store the backups securely as they contain the Key Derivation Key

  • Ensure the ESXi hosts running your virtual machines have TPM 2.0 support

Procedure for Configuring vSphere Native Key Provider

Step 1: Log in to the vSphere Client and select the vCenter Server instance.

Step 2: Navigate to "Configure" and click on "Key Providers under Security"

Step 3: Click Add then click Add Native Key Provider

Adding a key provider in VMware vSphere

Step 4: After selecting Add Native Key Provider, the configuration is simple. You give the key provider a name and click Add Key Provider.

Note : If you want this vSphere Native Key Provider to be used only by hosts with a TPM 2.0, select the Use key provider only with TPM protected ESXi hosts check box or else uncheck

Adding a native key provider in VMware vSphere

Step 5: After adding the Native Key Provider, you need to back up the key provider to become active. Click the Back Up button.

Backing up the native key provider

You will be asked if you want to protect the backup with a password. After providing the password, the key will download selecting Back Up Key Provider in the browser as a .p12 file

Backing up the native key provider

Downloaded the backup of the native key provider

After you perform the backup, the native key provider will be active. At this point, you can begin encrypting virtual machine disks using the native key provider.

vSphere native key provider is ready to manage virtual machine disk encryption


By configuring the vSphere Native Key Provider for vTPM, you can enhance the security and protection of your virtual machines in the vSphere environment. By following this step-by-step guide, you can enable vTPM support on ESXi hosts, enable vTPM on virtual machines, and configure vSphere Native Key Provider for effective encryption and key management. Leveraging vTPM provides an additional layer of security to protect your sensitive data and ensures the integrity of your virtualized environment

In my next document I will show how you can deploy a vTPM enabled Instant clone floating pool using windows 11 GA build.

Thanks to Nikhil # for the contribution.

You can refer the VMware Official document for vSphere Native Key Provider Overview for more details.


bottom of page