UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server must enable data in transit encryption for vSAN.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258969 VCSA-80-000304 SV-258969r934565_rule Medium
Description
Transit encryption must be enabled to prevent unauthorized disclosure information and to protect the confidentiality of organizational information. vSAN data-in-transit encryption has the following characteristics: -vSAN uses AES-256 bit encryption on data in transit. -Forward secrecy is enforced for vSAN data-in-transit encryption. -Traffic between data hosts and witness hosts is encrypted. -File service data traffic between the VDFS proxy and VDFS server is encrypted. -vSAN file services inter-host connections are encrypted. -vSAN uses symmetric keys that are generated dynamically and shared between hosts. Hosts dynamically generate an encryption key when they establish a connection, and they use the key to encrypt all traffic between the hosts. You do not need a key management server to perform data-in-transit encryption. Each host is authenticated when it joins the cluster, ensuring connections only to trusted hosts are allowed. When a host is removed from the cluster, it is authentication certificate is removed. vSAN data-in-transit encryption is a cluster-wide setting. When enabled, all data and metadata traffic is encrypted as it transits across hosts.
STIG Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide 2023-10-11

Details

Check Text ( C-62709r934563_chk )
If no clusters are enabled for vSAN, this is not applicable.

From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services.

Review the "Data-in-transit encryption" status.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$vsanclusterconf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system
$vsanclusterconf.VsanClusterGetConfig((Get-Cluster -Name ).ExtensionData.MoRef).DataInTransitEncryptionConfig

Repeat these steps for each vSAN enabled cluster in the environment.

If "Data-In-Transit encryption" is not enabled, this is a finding.
Fix Text (F-62618r934564_fix)
From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the target cluster >> Configure >> vSAN >> Services >> Data Services.

Click "Edit".

Enable "Data-In-Transit encryption" and choose a rekey interval suitable for the environment then click "Apply".