
The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).


Overview

Finding ID: V-243121
Version: VCTR-67-000066
Rule ID: SV-243121r719606_rule
IA Controls: none listed
Severity: Medium
Description
The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow rekey is a procedure in which the KMS issues a new KEK to the ESXi host that rewraps the DEK but does not change the DEK or any data on disk. This operation must be done on a regular, site-defined interval and can be viewed as similar in criticality to changing an administrative password. If the KMS is compromised, a standing operational procedure to rekey will put a time limit on the usefulness of any stolen KMS data.
STIG: VMware vSphere 6.7 vCenter Security Technical Implementation Guide
Date: 2022-01-04

Details

Check Text (C-46396r719604_chk)
Interview the SA to determine that a procedure has been implemented to perform a shallow rekey of all vSAN encrypted datastores at regular, site-defined intervals.

VMware recommends a 60-day rekey task, but this interval must be defined by the SA and the ISSO.

If vSAN encryption is not in use, this is not a finding.
Fix Text (F-46353r719605_fix)
If vSAN encryption is in use, ensure that a regular rekey procedure is in place.
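The KEK/DEK relationship from the Description above, modelled as an added Python example (not VMware's code): a shallow rekey rewraps the host DEK under a new KMS KEK, the on-disk ciphertext is untouched, and the retired KEK can no longer unlock the datastore. The SHA-256 keystream, the `EncryptedDatastore` class and the sample keys are assumed stand-ins for AES, vSAN and the KMS.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; stands in for AES in this model."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a wrong key (e.g. a retired KEK) is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class EncryptedDatastore:
    """Model of a vSAN encrypted datastore: the KMS-issued KEK wraps the host DEK."""

    def __init__(self, kek: bytes) -> None:
        self.dek = os.urandom(32)               # generated by the host, never leaves it
        self.wrapped_dek = seal(kek, self.dek)  # the only thing the KEK protects
        self.objects = {}                       # on-disk ciphertext per object

    def write(self, kek: bytes, name: str, data: bytes) -> None:
        self.objects[name] = seal(unseal(kek, self.wrapped_dek), data)

    def read(self, kek: bytes, name: str) -> bytes:
        return unseal(unseal(kek, self.wrapped_dek), self.objects[name])

    def shallow_rekey(self, new_kek: bytes) -> None:
        # New KEK from the KMS rewraps the existing DEK; DEK and on-disk data unchanged.
        self.wrapped_dek = seal(new_kek, self.dek)

    def deep_rekey(self, new_kek: bytes) -> None:
        # Contrast: a deep rekey also replaces the DEK and rewrites every object.
        new_dek = os.urandom(32)
        self.objects = {n: seal(new_dek, unseal(self.dek, c)) for n, c in self.objects.items()}
        self.dek, self.wrapped_dek = new_dek, seal(new_kek, new_dek)
```

Comparing `objects` before and after each rekey shows why the shallow procedure is cheap enough to run on a 60-day schedule while still invalidating a stolen KEK.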