OpenControls Logo

STIG Viewer

The vCenter Server must enable data in transit encryption for vSAN.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-258969VCSA-80-000304SV-258969r961863_ruleCCI-000366medium
Description
Transit encryption must be enabled to prevent unauthorized disclosure information and to protect the confidentiality of organizational information. vSAN data-in-transit encryption has the following characteristics: -vSAN uses AES-256 bit encryption on data in transit. -Forward secrecy is enforced for vSAN data-in-transit encryption. -Traffic between data hosts and witness hosts is encrypted. -File service data traffic between the VDFS proxy and VDFS server is encrypted. -vSAN file services inter-host connections are encrypted. -vSAN uses symmetric keys that are generated dynamically and shared between hosts. Hosts dynamically generate an encryption key when they establish a connection, and they use the key to encrypt all traffic between the hosts. You do not need a key management server to perform data-in-transit encryption. Each host is authenticated when it joins the cluster, ensuring connections only to trusted hosts are allowed. When a host is removed from the cluster, it is authentication certificate is removed. vSAN data-in-transit encryption is a cluster-wide setting. When enabled, all data and metadata traffic is encrypted as it transits across hosts.
STIGDate
VMware vSphere 8.0 vCenter Security Technical Implementation Guide2025-06-09

Details

Check Text (C-258969r961863_chk)

If no clusters are enabled for vSAN, this is not applicable. From the vSphere Client, go to Host and Clusters. Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services. Review the "Data-in-transit encryption" status. or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $vsanclusterconf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system $vsanclusterconf.VsanClusterGetConfig((Get-Cluster -Name <cluster name>).ExtensionData.MoRef).DataInTransitEncryptionConfig Repeat these steps for each vSAN enabled cluster in the environment. If "Data-In-Transit encryption" is not enabled, this is a finding.

Fix Text (F-62618r934564_fix)

From the vSphere Client, go to Host and Clusters. Select the vCenter Server >> Select the target cluster >> Configure >> vSAN >> Services >> Data Services. Click "Edit". Enable "Data-In-Transit encryption" and choose a rekey interval suitable for the environment then click "Apply".