UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ESXi host must require TPM-based configuration encryption.


Overview

Finding ID Version Rule ID IA Controls Severity
V-256446 ESXI-70-000094 SV-256446r886119_rule Medium
Description
An ESXi host's configuration consists of configuration files for each service that runs on the host. The configuration files typically reside in the /etc/ directory, but they can also reside in other namespaces. The configuration files contain run-time information about the state of the services. Over time, the default values in the configuration files might change, for example, when settings on the ESXi host are changed. A cron job backs up the ESXi configuration files periodically, when ESXi shuts down gracefully or on demand, and creates an archived configuration file in the boot bank. When ESXi reboots, it reads the archived configuration file and recreates the state that ESXi was in when the backup was taken. Before vSphere 7.0 Update 2, the archived ESXi configuration file is not encrypted. In vSphere 7.0 Update 2 and later, the archived configuration file is encrypted. When the ESXi host is configured with a Trusted Platform Module (TPM), the TPM is used to "seal" the configuration to the host, providing a strong security guarantee and additional protection from offline attacks. Configuration encryption uses the physical TPM when it is available and supported at install or upgrade time. If the TPM was added or enabled later, the ESXi host must be told to reconfigure to use the newly available TPM. Once the TPM configuration encryption is enabled, it cannot be disabled.
STIG Date
VMware vSphere 7.0 ESXi Security Technical Implementation Guide 2023-02-21

Details

Check Text ( C-60121r886117_chk )
If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III.

# esxcli system settings encryption get|grep Mode

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$esxcli.system.settings.encryption.get.invoke() | Select Mode

Expected result:

Mode: TPM

If the output does not match the expected result, this is a finding.
Fix Text (F-60064r886118_fix)
Ensure the TPM 2.0 chip is enabled in the BIOS and the ESX UI does not show any errors about a present but unavailable TPM.

This setting cannot be configured until the TPM is properly enabled in the BIOS.

From an ESXi shell, run the following command:

# esxcli system settings encryption set --mode=TPM

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.settings.encryption.set.CreateArgs()
$arguments.mode = "TPM"
$esxcli.system.settings.encryption.set.Invoke($arguments)

Evacuate the host and gracefully reboot for changes to take effect.