Detections
Analytics
VCSA-80-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
Information
The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow rekey is a procedure in which the KMS issues a new KEK to the ESXi host, which rewraps the DEK but does not change the DEK or any data on disk.This operation must be done on a regular, site-defined interval and can be viewed as similar in criticality to changing an administrative password. If the KMS is compromised, a standing operational procedure to rekey will put a time limit on the usefulness of any stolen KMS data.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
If vSAN encryption is in use, ensure a regular rekey procedure is in place.To generate new encryption keys for vSAN, do the following:
From the vSphere Client, go to Host and Clusters.
Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services.
Select "Generate New Encryption Keys" and optionally generate new DEKs and click "Generate".
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y25M07_STIG.zip
Item Details
Audit Name: DISA VMware vSphere 8.0 vCenter STIG v2r3
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-258954r1003610_rule, STIG-ID|VCSA-80-000287, Vuln-ID|V-258954
Plugin: VMware
Control ID: 51205eeb699809906c7517c3d30b91638a628aa251b10032506843402ac571cb