vCenter Native Key Providers must be backed up with a strong password.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256374 | VCSA-70-000294 | SV-256374r919046_rule | CCI-000366 | medium |
| Description | ||||
| The vCenter Native Key Provider feature was introduced in U2 and acts as a key provider for encryption-based capabilities, such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken that is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment. | ||||
| STIG | Date | |||
| VMware vSphere 7.0 vCenter Security Technical Implementation Guide | 2023-12-21 | |||
Details
Check Text (C-256374r919046_chk)
If the vCenter Native Key Provider feature is not in use, this is not applicable.
Interview the system administrator and determine if a password was provided for any backups taken of the Native Key Provider.
If backups exist for the Native Key Provider that are not password protected, this is a finding.
Fix Text (F-59992r918994_fix)
From the vSphere Client, go to Host and Clusters.
Select a vCenter Server >> Configure >> Security >> Key Providers.
Select the Native Key Provider, click "Back-up", and check the box "Protect Native Key Provider data with password".
Provide a strong password and click "Back up key provider".
Delete any previous backups that were not protected with a password.