Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-243121 | VCTR-67-000066 | SV-243121r719606_rule | Medium |
Description |
---|
The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A mustow rekey is a procedure in which the KMS issues a new KEK to the ESXi host that rewraps the DEK but does not change the DEK or any data on disk. This operation must be done on a regular, site-defined interval and can be viewed as similar in criticality to changing an administrative password. If the KMS is compromised, a standing operational procedure to rekey will put a time limit on the usefulness of any stolen KMS data. |
STIG | Date |
---|---|
VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2022-09-09 |
Check Text ( C-46396r719604_chk ) |
---|
Interview the SA to determine that a procedure has been implemented to perform a mustow rekey of all vSAN encrypted datastores at regular, site-defined intervals. VMware recommends a 60-day rekey task, but this interval must be defined by the SA and the ISSO. If vSAN encryption is not in use, this is not a finding. |
Fix Text (F-46353r719605_fix) |
---|
If vSAN encryption is in use, ensure that a regular rekey procedure is in place. |