With the newer Cisco UCS servers coming out now, in particular the Cisco UCSX servers, they have a TPM V2 module to encrypt parts of the server hardware as shown here:
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-5/b_UCSM_GUI_Quick_Reference_Guide_2_5/b_UCSM_GUI_Quick_Reference_Guide_2_5_chapter_0110.pdf
When a new server with TPM 2 is introduced in vCenter, a warning shows in vCenter for that host:
"TPM Encryption Recovery Key Backup Alarm"
Searching Google for this alarm message, you will likely find this article: VMware KB81661 - "TPM Encryption Recovery Key Backup" warning alarm in vCenter Server. You quickly learn that starting with VMware vSphere 7.0 Update 2, any host containing a TPM 2.0 device will now encrypt its configuration files utilizing the TPM 2.0 module. The KB also mentions that it's possible that a host may not boot if it encounters an issue during the decryption process.
So I have developed a script which logs into all our vCenters on a weekly basis and exports the Host Recovery keys to a CSV file.
My questions are:
Is it dangerous to have the raw keys in a CSV file? Can hackers use this information to hack our systems?
Should I be exporting the keys in an encrypted format to the CSV file and storing the key to the encryption in our Password manager? If so, how do I go about this from PowerShell?
Thanks.
vCenter 7
ESXi 7
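One way to do what the question asks from PowerShell, as an added example that is not the poster's script and not VMware code: the recovery key column is AES-encrypted with a separate 256-bit key before the row is written, that key is the only thing that goes into the password manager, and a decrypt function exists for the day a host actually needs its key. The row layout (`VCenter`, `HostName`, `RecoveryID`, `RecoveryKey`) and the sample rows are constructed here; a real run would fill them from the existing vCenter export (the KB's `esxcli system settings encryption recovery list` output) and read the key back from the password manager instead of generating it each time.

```powershell
# Added example (not from the original post): keep ESXi TPM recovery keys out of the CSV in clear text.
# Uses PowerShell's built-in ConvertFrom-SecureString -Key (AES) so it runs on Windows PowerShell 5.1 and PowerShell 7.

# --- One-time setup: generate a 256-bit AES key; store its Base64 form in the password manager only ---
function New-RecoveryExportKey {
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)   # paste into the password manager, never into the CSV or the script
}

# --- Weekly export: encrypt each recovery key value; the raw key never reaches disk ---
function Export-EncryptedRecoveryKeys {
    param(
        [Parameter(Mandatory)][object[]]$Rows,      # objects with VCenter, HostName, RecoveryID, RecoveryKey (assumed layout)
        [Parameter(Mandatory)][string]$KeyBase64,   # AES key fetched from the password manager at run time
        [Parameter(Mandatory)][string]$Path
    )
    $key = [Convert]::FromBase64String($KeyBase64)
    if ($key.Length -notin 16, 24, 32) { throw 'AES key must be 16, 24 or 32 bytes' }

    $Rows | ForEach-Object {
        $secure = ConvertTo-SecureString -String $_.RecoveryKey -AsPlainText -Force
        [pscustomobject]@{
            VCenter      = $_.VCenter
            HostName     = $_.HostName
            RecoveryID   = $_.RecoveryID          # the ID is not secret; it keeps the row matchable at restore time
            EncryptedKey = ConvertFrom-SecureString -SecureString $secure -Key $key   # AES ciphertext, Base64-ish string
            ExportedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# --- Recovery: decrypt one row only when a host needs its key, with the password-manager key in hand ---
function Unprotect-RecoveryKey {
    param(
        [Parameter(Mandatory)][string]$EncryptedKey,
        [Parameter(Mandatory)][string]$KeyBase64
    )
    $key    = [Convert]::FromBase64String($KeyBase64)
    $secure = ConvertTo-SecureString -String $EncryptedKey -Key $key
    $bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }   # wipe the plaintext copy
}

# --- Demonstration with constructed sample data (placeholder IDs and keys, not real values) ---
$sampleRows = @(
    [pscustomobject]@{ VCenter = 'vc01.example.internal'; HostName = 'esx01.example.internal'; RecoveryID = 'SAMPLE-ID-0001'; RecoveryKey = 'SAMPLE-RECOVERY-KEY-0001' }
    [pscustomobject]@{ VCenter = 'vc01.example.internal'; HostName = 'esx02.example.internal'; RecoveryID = 'SAMPLE-ID-0002'; RecoveryKey = 'SAMPLE-RECOVERY-KEY-0002' }
)
$exportKey = New-RecoveryExportKey   # production: read the stored key from the password manager instead
$csvPath   = Join-Path ([IO.Path]::GetTempPath()) 'tpm-recovery-keys.csv'
Export-EncryptedRecoveryKeys -Rows $sampleRows -KeyBase64 $exportKey -Path $csvPath

# Self-check: the CSV must not contain the raw key, and decryption must round-trip
$first = Import-Csv -Path $csvPath | Select-Object -First 1
if ($first.EncryptedKey -eq $sampleRows[0].RecoveryKey) { throw 'raw key leaked into CSV' }
$roundTrip = Unprotect-RecoveryKey -EncryptedKey $first.EncryptedKey -KeyBase64 $exportKey
if ($roundTrip -ne $sampleRows[0].RecoveryKey) { throw 'round trip failed' }
"Export written to $csvPath; decryption round-trip OK"
```

Two points worth keeping in mind with this layout: `ConvertFrom-SecureString -Key` gives confidentiality only, so the CSV still belongs on a share with tight ACLs and its own backup, and the password-manager entry holding the AES key is now the single thing that turns the file back into usable recovery keys, so it needs the same access review and break-glass handling you would give the raw keys.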