
The vCenter Server must enable data in transit encryption for vSAN.


Overview

Finding ID: V-258969
Version: VCSA-80-000304
Rule ID: SV-258969r961863_rule
IA Controls:
Severity: Medium
Description
Transit encryption must be enabled to prevent unauthorized disclosure of information and to protect the confidentiality of organizational information. vSAN data-in-transit encryption has the following characteristics:

- vSAN uses AES-256 bit encryption on data in transit.
- Forward secrecy is enforced for vSAN data-in-transit encryption.
- Traffic between data hosts and witness hosts is encrypted.
- File service data traffic between the VDFS proxy and VDFS server is encrypted.
- vSAN file services inter-host connections are encrypted.
- vSAN uses symmetric keys that are generated dynamically and shared between hosts. Hosts dynamically generate an encryption key when they establish a connection, and they use the key to encrypt all traffic between the hosts. You do not need a key management server to perform data-in-transit encryption.

Each host is authenticated when it joins the cluster, ensuring that connections are allowed only to trusted hosts. When a host is removed from the cluster, its authentication certificate is removed. vSAN data-in-transit encryption is a cluster-wide setting. When enabled, all data and metadata traffic is encrypted as it transits between hosts.
STIG: VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Date: 2024-07-11

Details

Check Text ( C-62709r934563_chk )
If no clusters are enabled for vSAN, this is not applicable.

From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services.

Review the "Data-in-transit encryption" status.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$vsanclusterconf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system
$vsanclusterconf.VsanClusterGetConfig((Get-Cluster -Name <cluster name>).ExtensionData.MoRef).DataInTransitEncryptionConfig

Replace <cluster name> with the name of the cluster being checked. The returned configuration object reports the "Enabled" state and the "RekeyInterval" of data-in-transit encryption for that cluster.

Repeat these steps for each vSAN enabled cluster in the environment.

If "Data-In-Transit encryption" is not enabled, this is a finding.

Fix Text (F-62618r934564_fix)
From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the target cluster >> Configure >> vSAN >> Services >> Data Services.

Click "Edit".

Enable "Data-In-Transit encryption", choose a rekey interval suitable for the environment, and then click "Apply".
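The following PowerCLI script is an added example and is not part of the STIG text. It runs the check above against every cluster in the connected vCenter (marking clusters without vSAN as Not Applicable, as the check text requires) and, when run with -Remediate, applies the fix through the same vSAN API the check uses instead of the vSphere Client dialog. It assumes an established Connect-VIServer session, PowerCLI with the vSAN cmdlets that provide Get-VsanView, and the vSAN API types VimVsanReconfigSpec and VsanDataInTransitEncryptionConfig; the 1440-minute default rekey interval and the task-polling loop are choices made for this example, not values taken from the STIG.

```powershell
# Added example (not part of the STIG text). Assumes an existing Connect-VIServer
# session to vCenter and PowerCLI with the vSAN cmdlets (Get-VsanView).
param(
    # Apply the fix to non-compliant clusters instead of only reporting them.
    [switch]$Remediate,
    # Rekey interval in minutes. 1440 (24 hours) is an assumed default for this
    # example; choose a value suitable for the environment, as the fix text says.
    [int]$RekeyIntervalMinutes = 1440
)

# Same view the check text uses; one instance serves every cluster.
$vsanClusterConf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system

$report = foreach ($cluster in Get-Cluster) {
    $moRef  = $cluster.ExtensionData.MoRef
    $config = $vsanClusterConf.VsanClusterGetConfig($moRef)

    # Check text: a cluster that is not vSAN-enabled is Not Applicable.
    if (-not $config.Enabled) {
        [pscustomobject]@{
            Cluster = $cluster.Name; VsanEnabled = $false
            DitEncryption = $null; RekeyInterval = $null; Status = 'Not Applicable'
        }
        continue
    }

    $dit     = $config.DataInTransitEncryptionConfig
    $enabled = ($null -ne $dit) -and ($dit.Enabled -eq $true)

    if (-not $enabled -and $Remediate) {
        # Fix text, via the vSAN API rather than the vSphere Client "Edit" dialog.
        $spec = New-Object VMware.Vsan.Views.VimVsanReconfigSpec
        $spec.Modify = $true   # change only the fields set below
        $spec.DataInTransitEncryptionConfig = New-Object VMware.Vsan.Views.VsanDataInTransitEncryptionConfig
        $spec.DataInTransitEncryptionConfig.Enabled       = $true
        $spec.DataInTransitEncryptionConfig.RekeyInterval = $RekeyIntervalMinutes

        # Assumed for this example: the reconfigure call returns a Task MoRef to poll.
        $taskRef = $vsanClusterConf.VsanClusterReconfig($moRef, $spec)
        do {
            Start-Sleep -Seconds 5
            $task = Get-View -Id $taskRef
        } while ($task.Info.State -in 'queued', 'running')

        if ($task.Info.State -ne 'success') {
            Write-Warning ("Reconfigure of {0} failed: {1}" -f $cluster.Name, $task.Info.Error.LocalizedMessage)
        }

        # Re-read so the report reflects the actual post-fix state, not the intent.
        $dit     = $vsanClusterConf.VsanClusterGetConfig($moRef).DataInTransitEncryptionConfig
        $enabled = ($null -ne $dit) -and ($dit.Enabled -eq $true)
    }

    $rekey  = if ($enabled) { $dit.RekeyInterval } else { $null }
    $status = if ($enabled) { 'Compliant' } else { 'Finding' }

    [pscustomobject]@{
        Cluster = $cluster.Name; VsanEnabled = $true
        DitEncryption = $enabled; RekeyInterval = $rekey; Status = $status
    }
}

$report | Format-Table -AutoSize
```

Run it without -Remediate first to produce the audit table; any vSAN-enabled cluster whose Status is "Finding" is the finding the check text describes. Because the setting is cluster-wide, the script reconfigures at the cluster level and re-reads the configuration afterwards rather than trusting that the task succeeded.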