Encrypted VMs and vTPM

Bacula Enterprise Only

This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.

Encrypted VMs

ESXi hosts use encryption keys provided by vCenter to encrypt protected virtual machines.

What is Encrypted

  • Virtual disk data (VMDKs)

  • NVRAM

  • Portions of the VMX file

  • Other metadata as defined by VMware

Backup Behavior

VDDK obtains the necessary keys from vCenter and decrypts the virtual disk blocks before transfer. The backup stored by Bacula therefore contains the disk data in the clear (not encrypted).

Transport modes:

  • NBDSSL — supported

  • HotAdd — supported (the proxy VM must also be encrypted)

  • SAN — not supported

Required vSphere privileges: Cryptographer.Access, Cryptographer.AddDisk.

Application-level quiescing is not supported; only filesystem-level quiescing applies.

Restore Behavior

Disks are restored unencrypted.

The VMX file is partially encrypted and the NVRAM file is encrypted. At restore time Bacula uploads the NVRAM file if it is present in the backup, but it never uploads the VMX file. For encrypted VMs, do not select the NVRAM file during restore, as it would be unusable. In most cases the NVRAM file is not required: VMware allows a generic NVRAM to be used when the original is unavailable or unusable.

vTPM-enabled VMs

A vTPM is a virtual Trusted Platform Module device attached to a VM. It stores sensitive data and performs cryptographic operations. In VMware, the vTPM device and its related state are encrypted using keys provided by vCenter.

Note

For modern Windows guests (Windows 11 and commonly Windows Server 2025), a TPM 2.0 device is expected, so adding a vTPM is effectively the default. On vSphere this makes the VM show as "encrypted", because vCenter encrypts the vTPM state and NVRAM (the VM home files) through a key provider. This is separate from full-disk encryption and is not easy to avoid in a supported setup.

What is Encrypted

  • vTPM device state

  • Associated NVRAM content related to the vTPM

  • Portions of VM metadata as defined by VMware

Backup Behavior

VDDK obtains the encryption keys from vCenter and decrypts the virtual disk blocks before transfer. The disk data stored by Bacula is in the clear (not encrypted).

The plugin does not back up the vTPM device/state as an individual component.

Transport modes:

  • NBDSSL — supported

  • HotAdd — supported (the proxy VM must also be encrypted)

  • SAN — not supported

Required vSphere privileges: Cryptographer.Access, Cryptographer.AddDisk.

Application-level quiescing is not supported; only filesystem-level quiescing applies.
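The prerequisites stated in both Backup Behavior sections above (the two Cryptographer privileges, no SAN transport, and an encrypted proxy VM when HotAdd is used) can be verified before a job runs. The following PowerCLI pre-flight check is an added example, not part of the Bacula Enterprise plugin; it assumes an existing Connect-VIServer session, and the role name, proxy VM name and transport value are placeholders to replace with your own.

```powershell
# Added pre-flight check (not Bacula's own code). Assumes an active
# Connect-VIServer session; role and proxy VM names below are hypothetical.
param(
    [string]$RoleName  = 'BaculaBackupRole',   # hypothetical vSphere role used by the plugin
    [string]$ProxyVM   = 'bacula-proxy-01',    # hypothetical HotAdd proxy VM
    [string]$Transport = 'hotadd'              # nbdssl | hotadd | san
)

# 1. The backup role must carry both Cryptographer privileges.
$required = @('Cryptographer.Access', 'Cryptographer.AddDisk')
$role     = Get-VIRole -Name $RoleName -ErrorAction Stop
$missing  = $required | Where-Object { $role.PrivilegeList -notcontains $_ }
if ($missing) {
    Write-Warning ("Role '{0}' lacks required privilege(s): {1}" -f $RoleName, ($missing -join ', '))
} else {
    Write-Host "Role '$RoleName' carries both Cryptographer privileges."
}

# 2. Transport-specific checks.
switch ($Transport.ToLower()) {
    'san' {
        Write-Warning 'SAN transport is not supported for encrypted VMs; use NBDSSL or HotAdd.'
    }
    'hotadd' {
        # An encrypted VM carries a KeyId in its configuration; the HotAdd
        # proxy must itself be encrypted to process encrypted VMs.
        $proxy = Get-VM -Name $ProxyVM -ErrorAction Stop
        if ($null -eq $proxy.ExtensionData.Config.KeyId) {
            Write-Warning "HotAdd proxy '$ProxyVM' is not encrypted; it does not meet the HotAdd requirement."
        } else {
            Write-Host "HotAdd proxy '$ProxyVM' is encrypted."
        }
    }
    default {
        Write-Host 'NBDSSL selected; no proxy encryption requirement applies.'
    }
}
```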

Restore Behavior

Disks are restored unencrypted because they were stored unencrypted in the backup.

The vTPM device is not restored. The associated NVRAM is not usable and should not be selected during restore.

Note

The VM may boot and run without a vTPM depending on workload needs. Validate in a test environment.
