The vCenter server Native Key Provider must be backed up with a strong password.

An XCCDF Rule

Description

The vCenter Native Key Provider feature was introduced in 7.0 U2 and acts as a key provider for encryption-based capabilities such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken, which is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment.

ID: SV-258960r934538_rule
Version: VCSA-80-000294
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Settings >> Key Providers.

Select the Native Key Provider, click "Back-up", and check the box "Protect Native Key Provider data with password".
Provide a strong password and click "Back up key provider".

Delete any previous backups that were not protected with a password.

The vCenter server Native Key Provider must be backed up with a strong password.

Description

Remediation Templates

A Manual Procedure