Skip to content

vCenter Native Key Providers must be backed up with a strong password.

An XCCDF Rule

Description

<VulnDiscussion>The vCenter Native Key Provider feature was introduced in U2 and acts as a key provider for encryption-based capabilities, such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken that is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-256374r919046_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Security >> Key Providers.

Select the Native Key Provider, click "Back-up", and check the box "Protect Native Key Provider data with password".