2.8 (L1) Host must require TPM-based configuration encryption

Information

The host should enforce TPM-based configuration encryption to secure its configuration files, notably those within the /etc/ directory or other namespaces. From vSphere 7.0 Update 2 onwards, archived configuration files are encrypted, leveraging a Trusted Platform Module (TPM) to "seal" the configuration to the host, thereby enhancing security against offline attacks. Once enabled, this encryption is irreversible and relies on the physical TPM present at the time of installation or upgrade.

Implementing TPM-based configuration encryption significantly bolsters security by protecting configuration files from unauthorized access and alterations. This measure is crucial for safeguarding the integrity of host configurations and preventing potential offline attacks.
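The following PowerCLI check is an added example, not part of this audit item or the CIS benchmark's own audit script. It reads the `esxcli system settings encryption get` namespace on each host and flags those whose mode is not TPM; it assumes an existing Connect-VIServer session and that the returned object exposes Mode and RequireSecureBoot properties mirroring the esxcli output fields.

```powershell
# Added example: report TPM-based configuration encryption status per ESXi host.
# Assumes a connected PowerCLI session (Connect-VIServer) and that the esxcli
# "system settings encryption get" result exposes Mode and RequireSecureBoot.
function Get-EsxiConfigEncryptionStatus {
    [CmdletBinding()]
    param(
        # Hosts to check; defaults to every host visible in the connected server
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$VMHost = (Get-VMHost)
    )
    process {
        foreach ($h in $VMHost) {
            # -V2 gives the structured esxcli object model
            $esxcli = Get-EsxCli -VMHost $h -V2
            $enc = $esxcli.system.settings.encryption.get.Invoke()
            [PSCustomObject]@{
                Host              = $h.Name
                Mode              = $enc.Mode              # expected 'TPM' or 'NONE'
                RequireSecureBoot = $enc.RequireSecureBoot # esxcli reports 'true'/'false'
                Compliant         = ($enc.Mode -eq 'TPM')
            }
        }
    }
}

# List only hosts that fail this control
Get-EsxiConfigEncryptionStatus |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Remediation on a non-compliant host is `esxcli system settings encryption set --mode=TPM` followed by a reboot; per the Impact note below, confirm administrator access first, because the change cannot be reverted.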

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Impact:

Enabling TPM-based configuration encryption alongside Secure Boot renders traditional root password recovery methods ineffective. It is imperative to ensure continued access to administrator accounts on ESXi to avoid being locked out.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: VMware

Control ID: d5cd74e56cf9eaba74529ff61c48310799b00719657dc895669999966b5845bd