7.3 (L1) Virtual machines must require encryption for Fault Tolerance

Information

Requiring encryption for Fault Tolerance in virtual machines is critical for ensuring secure data transmission between primary and secondary VMs, especially in environments where sensitive data is processed. While the default setting 'opportunistic' usually results in encryption because AES-NI support is widespread in vSphere-compatible hardware, enforcing the 'required' setting guarantees that no unencrypted Fault Tolerance traffic occurs. The governing parameter is the VM configuration setting FtEncryptionMode, with a recommended value of ftEncryptionRequired.

By enforcing encryption for Fault Tolerance, organizations bolster the security posture of their virtual environments against potential data interception or leakage during transmission. This requirement is vital for maintaining data integrity and confidentiality.

Solution

The following PowerCLI command may be used:

# $VM holds the name of the virtual machine to reconfigure (set it before running)
$VMview = Get-VM -Name $VM | Get-View
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
# Valid modes are ftEncryptionOpportunistic (default) and ftEncryptionRequired
$ConfigSpec.FtEncryptionMode = "ftEncryptionRequired"
$VMview.ReconfigVM_Task($ConfigSpec)
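The command above fixes one VM; the following PowerCLI script is an added example (not part of the CIS benchmark or the Tenable plugin) that audits the whole inventory and reports every VM whose FtEncryptionMode is not ftEncryptionRequired, alongside its Fault Tolerance state. It assumes an open PowerCLI session (Connect-VIServer already run) and that the vCenter API version exposes the Config.FtEncryptionMode and Runtime.FaultToleranceState view properties.

```powershell
# Added audit example; assumes Connect-VIServer has already been run.
$Required = "ftEncryptionRequired"

$Report = foreach ($VM in Get-VM) {
    $View = $VM.ExtensionData              # same object Get-View returns
    $Mode = [string]$View.Config.FtEncryptionMode   # empty on older API versions
    [pscustomobject]@{
        Name      = $VM.Name
        FTState   = [string]$View.Runtime.FaultToleranceState
        FTEncMode = if ($Mode) { $Mode } else { "<not reported>" }
        Compliant = ($Mode -eq $Required)
    }
}

# Non-compliant VMs, FT-protected ones listed first since their traffic is live.
$Report |
    Where-Object { -not $_.Compliant } |
    Sort-Object @{ Expression = { $_.FTState -eq "notConfigured" } }, Name |
    Format-Table -AutoSize

# Optional remediation of every non-compliant VM (uncomment to apply):
# foreach ($Item in ($Report | Where-Object { -not $_.Compliant })) {
#     $Spec = New-Object VMware.Vim.VirtualMachineConfigSpec
#     $Spec.FtEncryptionMode = $Required
#     (Get-VM -Name $Item.Name).ExtensionData.ReconfigVM_Task($Spec) | Out-Null
# }
```

A VM reported as "<not reported>" is running against an API level that predates this setting and should be verified manually rather than assumed compliant.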

Impact:

There are no identified negative impacts associated with enforcing encryption for Fault Tolerance, and it's instrumental in enhancing the security of data transmission within virtual environments.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: VMware

Control ID: 54d7db718e3c326b86eb3100c2c4fc88879309f610df78f5c578002126d2154b