Virtual machines (VMs) must enable encryption for vMotion. (2024)

Virtual machines (VMs) must enable encryption for vMotion.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258716	VMCH-80-000203	SV-258716r933209_rule		Medium

Description
vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5, this transfer can be transparently encrypted using 256-bit AES-GCM with negligible performance impact.vSphere enables encrypted vMotion by default as "Opportunistic", meaning that encrypted channels are used where supported, but the operation will continue in plain text where encryption is not supported.For example, when vMotioning between two hosts, encryption will always be used. However, because 6.0 and earlier releases do not support this feature, vMotion from a 7.0 host to a 6.0 host would be allowed but would not be encrypted. If the encryption is set to "Required", vMotions to unsupported hosts will fail. This must be set to "Opportunistic" or "Required".

Description

vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5, this transfer can be transparently encrypted using 256-bit AES-GCM with negligible performance impact.vSphere enables encrypted vMotion by default as "Opportunistic", meaning that encrypted channels are used where supported, but the operation will continue in plain text where encryption is not supported.For example, when vMotioning between two hosts, encryption will always be used. However, because 6.0 and earlier releases do not support this feature, vMotion from a 7.0 host to a 6.0 host would be allowed but would not be encrypted. If the encryption is set to "Required", vMotions to unsupported hosts will fail. This must be set to "Opportunistic" or "Required".

STIG	Date
VMware vSphere 8.0 Virtual Machine Security Technical Implementation Guide	2023-10-11

Details

Check Text ( C-62456r933207_chk )
For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM \| Where {($_.ExtensionData.Config.MigrateEncryption -eq "disabled")} If the "Encrypted vMotion" setting does not have a value of "Opportunistic" or "Required", this is a finding.

Check Text ( C-62456r933207_chk )

For each virtual machine do the following:

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption.

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM | Where {($_.ExtensionData.Config.MigrateEncryption -eq "disabled")}

If the "Encrypted vMotion" setting does not have a value of "Opportunistic" or "Required", this is a finding.

Fix Text (F-62365r933208_fix)
For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. For "Encrypted vMotion" set the value to "Opportunistic" or "Required". Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes $spec.MigrateEncryption = $true (Get-VM -Name ).ExtensionData.ReconfigVM($spec)

Fix Text (F-62365r933208_fix)

For each virtual machine do the following:

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption.

For "Encrypted vMotion" set the value to "Opportunistic" or "Required". Click "OK".

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands:

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes
$spec.MigrateEncryption = $true
(Get-VM -Name

).ExtensionData.ReconfigVM($spec)