The vCenter server Native Key Provider must be backed up with a strong password.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258960 | VCSA-80-000294 | SV-258960r1051428_rule | CCI-000366 | medium |
| Description | ||||
| The vCenter Native Key Provider feature was introduced in 7.0 U2 and acts as a key provider for encryption-based capabilities such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken, which is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2025-06-09 | |||
Details
Check Text (C-258960r1051428_chk)
If the vCenter Native Key Provider feature is not in use, this is not applicable.
Interview the system administrator and determine if a password was provided for any backups taken of the Native Key Provider.
If backups exist for the Native Key Provider that are not password protected, this is a finding.
Fix Text (F-62609r1051427_fix)
From the vSphere Client, go to Host and Clusters.
Select a vCenter Server >> Configure >> Security >> Key Providers.
Select the Native Key Provider, click "Back-up", and check the box "Protect Native Key Provider data with password".
Provide a strong password and click "Back up key provider".
Delete any previous backups that were not protected with a password.