UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).


Overview

Finding ID Version Rule ID IA Controls Severity
V-258954 VCSA-80-000287 SV-258954r934520_rule Medium
Description
The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow rekey is a procedure in which the KMS issues a new KEK to the ESXi host, which rewraps the DEK but does not change the DEK or any data on disk. This operation must be done on a regular, site-defined interval and can be viewed as similar in criticality to changing an administrative password. If the KMS is compromised, a standing operational procedure to rekey will put a time limit on the usefulness of any stolen KMS data.
STIG Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide 2023-10-11

Details

Check Text ( C-62694r934518_chk )
If vSAN is not in use, this is not applicable.

Interview the system administrator (SA) to determine that a procedure has been put in place to perform a shallow rekey of all vSAN encrypted datastores at regular, site-defined intervals.

VMware recommends a 60-day rekey task, but this interval must be defined by the SA and the ISSO.

If vSAN encryption is not in use, this is not a finding.

If vSAN encryption is in use and a regular rekey procedure is not in place, this is a finding.
Fix Text (F-62603r934519_fix)
If vSAN encryption is in use, ensure that a regular rekey procedure is in place.