Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216885 | VCWN-65-000066 | SV-216885r612237_rule | Low |
Description |
---|
The Key Encryption Key (KEK) for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow re-key is a procedure in which the KMS issues a new KEK to the ESXi host which re-wraps the DEK but does not change the DEK or any data on disk. This operation must be done on a regular, site defined interval and can be viewed as similar in criticality to changing an administrative password. Should the KMS itself somehow be compromised, a standing operational procedure to re-key will put a time limit on the usefulness of any stolen KMS data. |
STIG | Date |
---|---|
VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide | 2021-06-23 |
Check Text ( C-18116r366369_chk ) |
---|
Interview the SA to determine that a procedure has been put in place to perform a shallow re-key of all vSAN encrypted datastores at regular, site defined intervals. VMware recommends a 60-day re-key task but this interval must be defined by the SA and the ISSO. If vSAN encryption is not in use, this is not a finding. |
Fix Text (F-18114r366370_fix) |
---|
If vSAN encryption is in use, ensure that a regular re-key procedure is in place. |