OpenControls Logo

STIG Viewer

The vCenter server Native Key Provider must be backed up with a strong password.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-258960VCSA-80-000294SV-258960r934538_ruleCCI-000366medium
Description
The vCenter Native Key Provider feature was introduced in 7.0 U2 and acts as a key provider for encryption-based capabilities such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken, which is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment.
STIGDate
VMware vSphere 8.0 vCenter Security Technical Implementation Guide2023-10-11

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
CM-6
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
  • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-258960r934538_chk)

If the vCenter Native Key Provider feature is not in use, this is not applicable. Interview the system administrator and determine if a password was provided for any backups taken of the Native Key Provider. If backups exist for the Native Key Provider that are not password protected, this is a finding.

Fix Text (F-62609r934537_fix)

From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Settings >> Key Providers. Select the Native Key Provider, click "Back-up", and check the box "Protect Native Key Provider data with password". Provide a strong password and click "Back up key provider". Delete any previous backups that were not protected with a password.