UCF STIG Viewer Logo

The vCenter Server must enable data at rest encryption for vSAN.


Finding ID Version Rule ID IA Controls Severity
V-258929 VCSA-80-000196 SV-258929r934445_rule Medium
Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Data encryption is a common technique used in environments that require additional levels of security. It consists of a process to ensure that data can only be consumed by systems that have appropriate levels of access. Approved systems must have and use the appropriate cryptographic keys to encrypt and decrypt the data. Systems that do not have the keys will not be able to consume the data in any meaningful way, as it will remain encrypted in accordance with the commonly used Advanced Encryption Standard (AES) from the National Institute of Standards and Technology, or NIST. vSAN supports Data-At-Rest Encryption and Data-in-Transit Encryption and uses an AES 256 cipher. Data is encrypted after all other processing, such as deduplication, is performed. Data at rest encryption protects data on storage devices in case a device is removed from the cluster.
VMware vSphere 8.0 vCenter Security Technical Implementation Guide 2023-10-11


Check Text ( C-62669r934443_chk )
If no clusters are enabled for vSAN, this is not applicable.

From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services.

Review the "Data-at-rest encryption" status.


From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-Cluster | Where-Object {$_.VsanEnabled -eq $true} | Get-VsanClusterConfiguration | Select-Object Name,EncryptionEnabled

If "Data-At-Rest encryption" is not enabled, this is a finding.
Fix Text (F-62578r934444_fix)
From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the target cluster >> Configure >> vSAN >> Services >> Data Services.

Click "Edit".

Enable "Data-At-Rest encryption" and select a pre-configured key provider from the drop down. Click "Apply".

Note: Before enabling, read and understand the operational implications of enabling data at rest encryption in vSAN and how it effects capacity, performance, and recovery scenarios.