Bug: Deleting a VM that has a vTPM does not delete the vTPM master key from Keychain

Discussion in 'Parallels Desktop for Mac Feature Suggestions' started by RussellM5, Jul 5, 2022.

  1. RussellM5

    RussellM5 Bit poster

    Messages:
    7
    Parallels Desktop Version 17.1.4 (51567), Pro edition. macOS 12.4 on M1 Pro.

    When creating a Windows 11 VM, the master key for the vTPM storage file is stored in Keychain under the name "Parallels.vTPM.{<vm_uuid>}". When later deleting the VM, after selecting the option to delete all associated files, the vTPM master key in Keychain is not deleted. If you've created and deleted a large number of VMs then many orphaned vTPM master keys remain in the user's keychain.

    Given the vTPM storage file has been deleted, the master keys remaining in the user's keychain have no possible use and should be deleted at the point where the vTPM storage file is deleted by Parallels.

    Aside: how are we meant to submit bug reports? I've tried raising a support ticket but they seem intent on providing me end-user assistance (by manually deleting the orphaned keychain items?) rather than replicating the behaviour and forwarding a bug report to the dev team's queue. I get that end-user assistance is what tier-1 support's job is, but I don't want help, I just want to submit a bug report.
     
    FrancoisB11 likes this.
  2. Dmitry@Parallels

    Dmitry@Parallels Parallels Team

    Messages:
    715
    Hello @RussellM5, thanks a lot for the feedback! We do not delete the vTPM master key from the user's keychain as we don't know if you are deleting the VM permanently, or about to restore a backup of this VM on the next day. May I wonder what your pain point with those records in the keychain is?
    Any issues with Parallels products should be reported to Parallels Support, and if no solution can be found and the situation affects users' productivity, those issues are usually reported to Parallels Engineering for investigation.
     
  3. RussellM5

    RussellM5 Bit poster

    Messages:
    7
    Hi Dmitry - once I managed to get beyond Tier Zero support hell that (plus migration to a new Mac) is the answer I received. My use case is probably a bit unusual, I create and delete a lot of VMs rather than just having a single long-lived Windows VM, and noticed I had very many orphaned vTPM instances just hanging around in my keychain. To my mind, if you're restoring a backup of a VM or migrating to a new Mac, you'd use the BitLocker recovery key and set up on a new vTPM instance rather than keeping the old vTPM around, but I can understand that that's not the user experience that Parallels wants to present.
     
  4. Dmitry@Parallels

    Dmitry@Parallels Parallels Team

    Messages:
    715
    Hi Russell, thank you so much for your response. We will note that, and I really appreciate your understanding of the situation. Would you please also share some more details about your product usage and need? What do you use it for and what is your overall experience? Anything you have in mind to share, I would be happy to hear it!
     
  5. RussellM5

    RussellM5 Bit poster

    Messages:
    7
    OS build/install/config automation and software testing are how I create & destroy so many VMs.
    The vTPM thing was a trivial annoyance, but the 2 changes from Parallels that would make my life a *lot* better are these requests:
    https://forum.parallels.com/threads...roductivity-testing-games-etc-options.358201/
    https://forum.parallels.com/threads/allow-tpm-in-non-windows-vms.358200/
     
    Dmitry@Parallels likes this.
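A report-only way to audit the situation discussed in this thread, as an added example that is not from any poster or from Parallels: it lists "Parallels.vTPM.{<vm_uuid>}" item names whose UUID matches no registered VM and deletes nothing, since a key may still be needed for a VM restored from backup. Assumptions: the item name appears verbatim (with literal braces) in a text dump of keychain attributes, the VM list has one "{uuid} ..." row per VM, and all function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Report-only audit: which Parallels.vTPM.{<vm_uuid>} keychain item names
# have no registered VM behind them? Nothing is deleted here.
UUID_RE='[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}'

# stdin: keychain attribute dump text. stdout: unique vTPM item names.
keychain_vtpm_items() {
    grep -oE "Parallels\.vTPM\.\{$UUID_RE\}" | sort -u
}

# stdin: VM list text, one "{uuid} ..." row per VM. stdout: lowercase UUIDs.
registered_vm_uuids() {
    grep -oE "^\{$UUID_RE\}" | tr -d '{}' | tr 'A-F' 'a-f' | sort -u
}

# $1: file holding the keychain dump, $2: file holding the VM list.
# UUIDs are compared case-insensitively; item names print as found.
orphaned_vtpm_items() {
    known=" $(registered_vm_uuids < "$2" | tr '\n' ' ')"
    keychain_vtpm_items < "$1" | while IFS= read -r item; do
        uuid=$(printf '%s\n' "$item" | grep -oE "$UUID_RE" | tr 'A-F' 'a-f')
        case "$known" in
            *" $uuid "*) ;;                 # VM still registered: keep
            *) printf '%s\n' "$item" ;;     # no matching VM: orphan candidate
        esac
    done
}

# Constructed sample input (assumed layout, not output from a real machine).
run_constructed_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/keychain.txt" <<'EOF'
    0x00000007 <blob>="Parallels.vTPM.{11111111-2222-3333-4444-555555555555}"
    0x00000007 <blob>="Parallels.vTPM.{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
    0x00000007 <blob>="Some other login item"
EOF
    cat > "$dir/vms.txt" <<'EOF'
UUID                                    STATUS   IP_ADDR  NAME
{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}  stopped  -        Windows 11
EOF
    orphaned_vtpm_items "$dir/keychain.txt" "$dir/vms.txt"
    rm -rf "$dir"
}

run_constructed_demo
```

On a Mac, the two input files would be the saved output of `security dump-keychain` (which prints item attributes, not secrets, unless `-d` is given) and `prlctl list -a`.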
