Add TPM attestation state and encryption recovery key reporting (#101)

- Add ESXi Host TPM & Encryption section to Get-AbrVSphereVMHostSecurity
  - Reports TPM attestation status via ExtensionData.Config.TpmAttestation
  - Reports encryption mode, RequireSecureBoot, and RequireSignedVIBs via esxcli
  - Recovery keys sub-table gated behind ShowEncryptionKeys option (InfoLevel >= 3)
  - TpmAttestation healthcheck warns when TPM present but not attested
- Add ShowEncryptionKeys option (default: false) to report JSON config
- Add TpmAttestation healthcheck (default: true) to report JSON config
- Add i18n keys to all 5 locale files (en-US, en-GB, es-ES, fr-FR, de-DE)
- Update README.md options and healthcheck tables

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: tpcarman

AsBuiltReport.VMware.vSphere/AsBuiltReport.VMware.vSphere.json

@@ -910,6 +910,20 @@ GetAbrVSphereVMHostSecurity = ConvertFrom-StringData @'
     VMToolsStatus        = VM Tools Status
     TableVMs             = Virtual Machines - {0}
     TableStartupShutdown = VM Startup/Shutdown Policy - {0}
+    TpmEncryption        = TPM & Verschlüsselung
+    TpmPresent           = TPM vorhanden
+    TpmStatus            = TPM-Attestierungsstatus
+    EncryptionMode       = Verschlüsselungsmodus
+    RequireSecureBoot    = Sicheres Booten erforderlich
+    RequireSignedVIBs    = Ausführbare Dateien nur von installierten VIBs
+    RecoveryKeys         = Verschlüsselungs-Wiederherstellungsschlüssel
+    RecoveryID           = Wiederherstellungs-ID
+    RecoveryKey          = Wiederherstellungsschlüssel
+    TpmEncryptionError   = TPM- und Verschlüsselungsinformationen für Host {0} konnten nicht abgerufen werden. {1}
+    TableTpmEncryption   = TPM & Verschlüsselung - {0}
+    TableRecoveryKeys    = Verschlüsselungs-Wiederherstellungsschlüssel - {0}
+    Yes                  = Ja
+    No                   = Nein
 '@
 
 # Get-AbrVSphereNetwork

AsBuiltReport.VMware.vSphere/Language/de-DE/VMwarevSphere.psd1

@@ -910,6 +910,20 @@ GetAbrVSphereVMHostSecurity = ConvertFrom-StringData @'
     VMToolsStatus        = VM Tools Status
     TableVMs             = Virtual Machines - {0}
     TableStartupShutdown = VM Startup/Shutdown Policy - {0}
+    TpmEncryption        = TPM & Encryption
+    TpmPresent           = TPM Present
+    TpmStatus            = TPM Attestation Status
+    EncryptionMode       = Encryption Mode
+    RequireSecureBoot    = Require Secure Boot
+    RequireSignedVIBs    = Require Executables From Installed VIBs Only
+    RecoveryKeys         = Encryption Recovery Keys
+    RecoveryID           = Recovery ID
+    RecoveryKey          = Recovery Key
+    TpmEncryptionError   = Unable to retrieve TPM & Encryption information for host {0}. {1}
+    TableTpmEncryption   = TPM & Encryption - {0}
+    TableRecoveryKeys    = Encryption Recovery Keys - {0}
+    Yes                  = Yes
+    No                   = No
 '@
 
 # Get-AbrVSphereNetwork

AsBuiltReport.VMware.vSphere/Language/en-GB/VMwarevSphere.psd1

@@ -910,6 +910,20 @@ GetAbrVSphereVMHostSecurity = ConvertFrom-StringData @'
     VMToolsStatus        = VM Tools Status
     TableVMs             = Virtual Machines - {0}
     TableStartupShutdown = VM Startup/Shutdown Policy - {0}
+    TpmEncryption        = TPM & Encryption
+    TpmPresent           = TPM Present
+    TpmStatus            = TPM Attestation Status
+    EncryptionMode       = Encryption Mode
+    RequireSecureBoot    = Require Secure Boot
+    RequireSignedVIBs    = Require Executables From Installed VIBs Only
+    RecoveryKeys         = Encryption Recovery Keys
+    RecoveryID           = Recovery ID
+    RecoveryKey          = Recovery Key
+    TpmEncryptionError   = Unable to retrieve TPM & Encryption information for host {0}. {1}
+    TableTpmEncryption   = TPM & Encryption - {0}
+    TableRecoveryKeys    = Encryption Recovery Keys - {0}
+    Yes                  = Yes
+    No                   = No
 '@
 
 # Get-AbrVSphereNetwork

AsBuiltReport.VMware.vSphere/Language/en-US/VMwarevSphere.psd1

@@ -910,6 +910,20 @@ GetAbrVSphereVMHostSecurity = ConvertFrom-StringData @'
     VMToolsStatus        = VM Tools Status
     TableVMs             = Virtual Machines - {0}
     TableStartupShutdown = VM Startup/Shutdown Policy - {0}
+    TpmEncryption        = TPM y cifrado
+    TpmPresent           = TPM presente
+    TpmStatus            = Estado de atestación TPM
+    EncryptionMode       = Modo de cifrado
+    RequireSecureBoot    = Requerir arranque seguro
+    RequireSignedVIBs    = Requerir ejecutables solo de VIBs instalados
+    RecoveryKeys         = Claves de recuperación de cifrado
+    RecoveryID           = ID de recuperación
+    RecoveryKey          = Clave de recuperación
+    TpmEncryptionError   = No se puede recuperar información de TPM y cifrado para el host {0}. {1}
+    TableTpmEncryption   = TPM y cifrado - {0}
+    TableRecoveryKeys    = Claves de recuperación de cifrado - {0}
+    Yes                  = Sí
+    No                   = No
 '@
 
 # Get-AbrVSphereNetwork

AsBuiltReport.VMware.vSphere/Language/es-ES/VMwarevSphere.psd1

@@ -910,6 +910,20 @@ GetAbrVSphereVMHostSecurity = ConvertFrom-StringData @'
     VMToolsStatus        = VM Tools Status
     TableVMs             = Virtual Machines - {0}
     TableStartupShutdown = VM Startup/Shutdown Policy - {0}
+    TpmEncryption        = TPM et chiffrement
+    TpmPresent           = TPM présent
+    TpmStatus            = Statut d'attestation TPM
+    EncryptionMode       = Mode de chiffrement
+    RequireSecureBoot    = Exiger le démarrage sécurisé
+    RequireSignedVIBs    = Exiger les exécutables uniquement depuis les VIBs installés
+    RecoveryKeys         = Clés de récupération de chiffrement
+    RecoveryID           = ID de récupération
+    RecoveryKey          = Clé de récupération
+    TpmEncryptionError   = Impossible de récupérer les informations TPM et chiffrement pour l'hôte {0}. {1}
+    TableTpmEncryption   = TPM et chiffrement - {0}
+    TableRecoveryKeys    = Clés de récupération de chiffrement - {0}
+    Yes                  = Oui
+    No                   = Non
 '@
 
 # Get-AbrVSphereNetwork

AsBuiltReport.VMware.vSphere/Language/fr-FR/VMwarevSphere.psd1

@@ -91,6 +91,69 @@ function Get-AbrVSphereVMHostSecurity {
                 }
                 #endregion ESXi Host Services
 
+                #region ESXi Host TPM & Encryption
+                $TpmAttestation = $VMHost.ExtensionData.Config.TpmAttestation
+                $EncryptionSettings = $null
+                try {
+                    $esxcliTpm = Get-EsxCli -VMHost $VMHost -V2 -Server $vCenter
+                    $EncryptionSettings = $esxcliTpm.system.settings.encryption.get.Invoke()
+                } catch {
+                    Write-PScriboMessage -IsWarning ($LocalizedData.TpmEncryptionError -f $VMHost, $_.Exception.Message)
+                }
+                if ($null -ne $TpmAttestation -or ($null -ne $EncryptionSettings -and $EncryptionSettings.Mode -ne 'None')) {
+                    Section -Style NOTOCHeading5 -ExcludeFromTOC $LocalizedData.TpmEncryption {
+                        $TpmEncryptionInfo = [PSCustomObject]@{
+                            $LocalizedData.TpmPresent        = if ($null -ne $TpmAttestation) { $LocalizedData.Yes } else { $LocalizedData.No }
+                            $LocalizedData.TpmStatus         = if ($null -ne $TpmAttestation) { $TpmAttestation.Status } else { 'N/A' }
+                            $LocalizedData.EncryptionMode    = if ($null -ne $EncryptionSettings) { $EncryptionSettings.Mode } else { 'N/A' }
+                            $LocalizedData.RequireSecureBoot = if ($null -ne $EncryptionSettings) { $EncryptionSettings.RequireSecureBoot } else { 'N/A' }
+                            $LocalizedData.RequireSignedVIBs = if ($null -ne $EncryptionSettings) { $EncryptionSettings.RequireExecutablesOnlyFromInstalledVIBs } else { 'N/A' }
+                        }
+                        if ($Healthcheck.VMHost.TpmAttestation) {
+                            $TpmEncryptionInfo | Where-Object {
+                                $null -ne $TpmAttestation -and $TpmAttestation.Status -ne 'attested'
+                            } | Set-Style -Style Warning -Property $LocalizedData.TpmStatus
+                        }
+                        $TableParams = @{
+                            Name         = ($LocalizedData.TableTpmEncryption -f $VMHost)
+                            List         = $true
+                            ColumnWidths = 40, 60
+                        }
+                        if ($Report.ShowTableCaptions) {
+                            $TableParams['Caption'] = "- $($TableParams.Name)"
+                        }
+                        $TpmEncryptionInfo | Table @TableParams
+
+                        # Recovery keys — InfoLevel >= 3 and ShowEncryptionKeys option
+                        if ($InfoLevel.VMHost -ge 3 -and $Options.ShowEncryptionKeys -and $null -ne $esxcliTpm) {
+                            try {
+                                $RecoveryKeys = $esxcliTpm.system.settings.encryption.recovery.list.Invoke()
+                                if ($RecoveryKeys) {
+                                    Section -Style NOTOCHeading6 -ExcludeFromTOC $LocalizedData.RecoveryKeys {
+                                        $RecoveryKeyInfo = foreach ($RecoveryKey in $RecoveryKeys) {
+                                            [PSCustomObject]@{
+                                                $LocalizedData.RecoveryID  = $RecoveryKey.RecoveryID
+                                                $LocalizedData.RecoveryKey = $RecoveryKey.Key
+                                            }
+                                        }
+                                        $TableParams = @{
+                                            Name         = ($LocalizedData.TableRecoveryKeys -f $VMHost)
+                                            ColumnWidths = 40, 60
+                                        }
+                                        if ($Report.ShowTableCaptions) {
+                                            $TableParams['Caption'] = "- $($TableParams.Name)"
+                                        }
+                                        $RecoveryKeyInfo | Table @TableParams
+                                    }
+                                }
+                            } catch {
+                                Write-PScriboMessage -IsWarning ($LocalizedData.TpmEncryptionError -f $VMHost, $_.Exception.Message)
+                            }
+                        }
+                    }
+                }
+                #endregion ESXi Host TPM & Encryption
+
                 #region ESXi Host Advanced Detail Information
                 if ($InfoLevel.VMHost -ge 4) {
                     #region ESXi Host Firewall

AsBuiltReport.VMware.vSphere/Src/Private/Get-AbrVSphereVMHostSecurity.ps1

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Add TPM attestation state and host encryption settings to VMHost Security section; includes recovery key reporting (gated behind `ShowEncryptionKeys` option) and `TpmAttestation` healthcheck ([#101](https://github.com/AsBuiltReport/AsBuiltReport.VMware.vSphere/issues/101))
 - Add I/O Device Identifiers subsection to VMHost Hardware report, displaying VID/DID/SVID/SSID in lowercase hex for HCL validation ([#126](https://github.com/AsBuiltReport/AsBuiltReport.VMware.vSphere/issues/126))
 - Modular architecture: each report section is now a dedicated private function (`Get-AbrVSphere*`)
 - Internationalization (i18n) support via `Language/` `.psd1` files (`en-US`, `en-GB`, `es-ES`, `fr-FR`, `de-DE`)

CHANGELOG.md

@@ -191,8 +191,9 @@ The **Options** schema allows certain options within the report to be toggled on
 
 | Sub-Schema      | Setting      | Default | Description                                                                                                                                                                                 |
 |-----------------|--------------|---------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| ShowLicenseKeys | true / false | false   | Toggle to mask/unmask vSphere license keys<br><br> **Masked License Key**<br>\*\*\*\*\*-\*\*\*\*\*-\*\*\*\*\*-\*\*\*\*\*-AS12K<br><br> **Unmasked License Key**<br>AKLU4-PFG8M-W2D8J-56YDM-AS12K |
-| ShowVMSnapshots | true / false | true    | Toggle to enable/disable reporting of VM snapshots                                                                                                                                          |
+| ShowLicenseKeys    | true / false | false   | Toggle to mask/unmask vSphere license keys<br><br> **Masked License Key**<br>\*\*\*\*\*-\*\*\*\*\*-\*\*\*\*\*-\*\*\*\*\*-AS12K<br><br> **Unmasked License Key**<br>AKLU4-PFG8M-W2D8J-56YDM-AS12K |
+| ShowEncryptionKeys | true / false | false   | Toggle to show/hide ESXi host encryption recovery keys in the report. When disabled, the recovery keys table is suppressed even at InfoLevel 3+                                              |
+| ShowVMSnapshots    | true / false | true    | Toggle to enable/disable reporting of VM snapshots                                                                                                                                          |
 
 <!-- ********** Add/Remove the number of InfoLevels as required ********** -->
 ### InfoLevel
@@ -276,6 +277,7 @@ The **VMHost** schema is used to configure health checks for VMHosts.
 | NetworkAdapter  | true / false | true    | Highlights physical network adapters which are not 'Connected'<br> Highlights physical network adapters which are 'Down' | ![Critical](https://placehold.co/15x15/FEDDD7/FEDDD7)  Network adapter is 'Disconnected'<br> ![Critical](https://placehold.co/15x15/FEDDD7/FEDDD7)  Network adapter is 'Down'           |
 | LockdownMode    | true / false | true    | Highlights VMHosts which do not have Lockdown mode enabled                                                               | ![Warning](https://placehold.co/15x15/FFF4C7/FFF4C7) Lockdown Mode disabled<br>                                                                                                            |
 | VUMCompliance   | true / false | true    | Highlights VMHosts which are not compliant with VMware Update Manager software packages                                  | ![Warning](https://placehold.co/15x15/FFF4C7/FFF4C7) Unknown<br> ![Critical](https://placehold.co/15x15/FEDDD7/FEDDD7)  Incompatible                                                    |
+| TpmAttestation  | true / false | true    | Highlights VMHosts where a TPM is present but attestation status is not 'attested'                                       | ![Warning](https://placehold.co/15x15/FFF4C7/FFF4C7) TPM attestation status is not attested                                                                                              |
 
 #### vSAN
 The **vSAN** schema is used to configure health checks for vSAN.