UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).


Overview

Finding ID Version Rule ID IA Controls Severity
V-216885 VCWN-65-000066 SV-216885r612237_rule Low
Description
The Key Encryption Key (KEK) for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow re-key is a procedure in which the KMS issues a new KEK to the ESXi host which re-wraps the DEK but does not change the DEK or any data on disk. This operation must be done on a regular, site defined interval and can be viewed as similar in criticality to changing an administrative password. Should the KMS itself somehow be compromised, a standing operational procedure to re-key will put a time limit on the usefulness of any stolen KMS data.
STIG Date
VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide 2021-06-23

Details

Check Text ( C-18116r366369_chk )
Interview the SA to determine that a procedure has been put in place to perform a shallow re-key of all vSAN encrypted datastores at regular, site defined intervals.

VMware recommends a 60-day re-key task but this interval must be defined by the SA and the ISSO.

If vSAN encryption is not in use, this is not a finding.
Fix Text (F-18114r366370_fix)
If vSAN encryption is in use, ensure that a regular re-key procedure is in place.