The vCenter server Native Key Provider must be backed up with a strong password.

An XCCDF Rule

Description

<VulnDiscussion>The vCenter Native Key Provider feature was introduced in 7.0 U2 and acts as a key provider for encryption-based capabilities such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken, which is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258960r934538_rule
Severity: Medium
References: CCI-000366
Updated: 8 months ago

From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Settings >> Key Providers.

Select the Native Key Provider, click "Back-up", and check the box "Protect Native Key Provider data with password".
Provide a strong password and click "Back up key provider".

Delete any previous backups that were not protected with a password.

The vCenter server Native Key Provider must be backed up with a strong password.

Description

Remediation - Manual Procedure