vCenter Native Key Providers must be backed up with a strong password.
An XCCDF Rule
Description
<VulnDiscussion>The vCenter Native Key Provider feature was introduced in U2 and acts as a key provider for encryption-based capabilities, such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken that is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-256374r919046_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
From the vSphere Client, go to Host and Clusters.
Select a vCenter Server >> Configure >> Security >> Key Providers.
Select the Native Key Provider, click "Back-up", and check the box "Protect Native Key Provider data with password".