Backing up vTPM-secured VMs

Discussion in 'Parallels Desktop on a Mac with Apple silicon' started by MatthiasE5, Oct 20, 2021.

  1. MatthiasE5

    MatthiasE5 Hunter

    Messages:
    146
    Hello,
    I keep an up-to-date copy of my VM on an exterenal Samsung T5 2GB. I do that every week. I used to used the "clone" function to do that, but it seems to me that in the future, this would require exporting a new keychain with every backup (is this correct?). So now I am copying the pvm file via Finder instead (to the SSD).
    I have created and copied a keychain as detailed here: https://kb.parallels.com/de/122702 ; I put all keys (that were created for my currently in-use Windows VM as well as for my old clones on the external SSD which I attached for that purpose and Parallels automatically created them) into the keychain and saved a copy of the keychain on the Samsung SSD (and on a flash drive just to be sure).
    I saved my Mac system password and the password for the parallels keychain in three safe locations (written on paper and in a high security password manager).
    As far as I can tell, as long as I keep COPYing, not CLONing my VM, this is all that I ever have to do to be prepared for the event of my Mac dying, or the VM dying?
     
  2. MarkLe

    MarkLe Junior Member

    Messages:
    10
    Would love to know the answer to that question too, before I upgrade my VMs to Windows 11.

    You refer to a KB article describing how to backup the keychain (https://kb.parallels.com/de/122702), but I can't find that information in that article (the same KB article is also referred here: https://www.parallels.com/blogs/Windows-11-TPM/). Can it be that the information on how to copy the keychain is removed?
     
  3. gVirtual

    gVirtual Junior Member

    Messages:
    18
    I had to move a VM to a new machine earlier this week. I've previously followed the KB that explained how to export and import keychain passwords.
    What I see now is that the TPM passwords are now stored in the iCloud portion of the keychain so that, assuming you are allowing iCloud to roam your keychain, they will automatically appear on all of your Macs.
    In other words, assuming you have iCloud Keychain enabled and move your VM to a new machine which is logged into the same Apple ID, there will be no need to manually import/export passwords from the keychain.
     
  4. MatthiasE5

    MatthiasE5 Hunter

    Messages:
    146
    I am using Parallels 17.1.0 51516, which is the latest version, and it was only AFTER installing that version that I installed vTMP. My keys are not stored in the iCloud portion of the keychain.
    They changed the contents of the page I linked to, yes. Perhaps by mistake?
    The original document is here still here. I have saved it to disk, I suggest you too save it before it's gone. It is not in wayback machine or on archive.is
    https://webcache.googleusercontent....k&gl=de&lr=lang_de|lang_en&client=firefox-b-d

    I have pointed Parallels Support to this thread in the hopes that they might clarify. Thanks to Parallels Support here and thanks to Parallels in general for making this amazing software, it runs wonderfully on my MBA M1.
     
  5. gVirtual

    gVirtual Junior Member

    Messages:
    18
    Interesting. So when you open the KeyChain app and select iCloud under Keychains, you see many items but nothing like with "Parallels.vTPM.{guid}"?
    Prior to the latest version, no Parallels TPM keys were stored in the iCloud keychain. I'm absolutely sure of that because I spent a bunch of time importing and exporting TPM keys to move VMs between M1 machines.
    They are now definitely in the iCloud Keychain and that implementation change seems to correlate to the documentation change that you referenced.
    Just confirming....are you signed into iCloud and is Keychain checked in iCloud settings?
     
    MatthiasE5 likes this.
  6. MatthiasE5

    MatthiasE5 Hunter

    Messages:
    146
    You are right, gVirtual, I made a mistake when checking. I am sorry for the confusion.

    1. keychain is checked in MAC SETTINGS iCloud, and it was checked at point of installation of Parallels update (vTPM requiring update) (99.999% certain)
    2. I am signed in to iClouds on my Mac
    3. the parallels keys show up in these locations:

    1. standard key chains -> iCloud
    2. own key chains -> parallels_vTPM (i named that)
    3. system key chains -> system

    So everything just like you said.
    The crucial thing seems to be that the typical user that has just one VM should EITHER make sure that iCloud is enabled globally and for keychain, OR that they copy the keychain to external sources once, and that will then cover them in the future in case of desaster (provided they backuped the VM). (no guarantee, that's how I understand it). Ideally one should do both (iCloud and manual to external drive), I guess. And make sure one fetches ALL keychains in case there are several, which will happen as soon as one clones VMs (from within Parallels VM list) instead of copying them in Finder.
     

Share This Page