UCF STIG Viewer Logo

Encryption must be enabled for vMotion on the virtual machine.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242469 VMCH-67-000024 SV-242469r717088_rule Medium
Description
vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5 this transfer can be transparently encrypted using 256bit AES-GCM with negligible performance impact. vSphere 6.5 enables encrypted vMotion by default as "Opportunistic", meaning that encrypted channels are used where supported but the operation will continue in plain text where encryption is not supported. For example when vMotioning between two 6.5 hosts encryption will always be utilized but since 6.0 and earlier releases do not support this feature vMotion from a 6.5 host to a 6.0 host would be allowed but would not be encrypted. If this finding is set to "Required" then vMotions to unsupported hosts will fail. This setting must be set to "Opportunistic" or "Required".
STIG Date
VMware vSphere 6.7 Virtual Machine Security Technical Implementation Guide 2022-01-04

Details

Check Text ( C-40322r802904_chk )
Note: If the system does not have vCenter installed and utilizes vMotion, then this is Not Applicable.

From the vSphere Web Client, select the Virtual Machine, right-click and go to Edit Settings >> VM Options Tab >> Encryption >> Encrypted vMotion.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM | Where {($_.ExtensionData.Config.MigrateEncryption -ne "opportunistic") -and ($_.ExtensionData.Config.MigrateEncryption -ne "required")}

If the setting does not have a value of "Opportunistic" or "Required", this is a finding.
Fix Text (F-40285r717087_fix)
From the vSphere Client select the Virtual Machine, right click and go to Edit Settings >> VM Options Tab >> Encryption >> Encrypted vMotion. Set the value to "Opportunistic" or "Required".