You can use ESXCLI to manage the cryptographic functionality.
The following examples require restarting the HTTP proxy or a host reboot. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s <value>
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s <value>
You can use the /UserVars/ESXiVPsDisabledProtocols advanced option to specify the protocols that are disabled when establishing secure communications with ESXi. The value is a comma-separated list of protocols. The valid values are sslv3, tlsv1, tlsv1.1, tlsv1.2. For example, to disable sslv3, tlsv1, and tlsv1.1, you can run the following command.
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3,tlsv1,tlsv1.1"
You can use the /UserVars/ESXiVPsAllowedCiphers advanced option to specify the ciphers allowed for secure communications with ESXi. The value is a colon-separated list of ciphers, in the form required by the OpenSSL SSL_CTX_set_cipher_list API. The command has the following syntax.
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s <cipherlist>
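The following added example (not part of the VMware documentation) wraps the /UserVars/ESXiVPsDisabledProtocols command above in a small shell script that checks the protocol list before applying it, so that an unknown name or a list that would also disable tlsv1.2 is rejected instead of leaving the host with no usable protocol. The ESXCLI_CMD variable and the function names are assumptions of this example; set ESXCLI_CMD to "esxcli <conn_options>" for your connection.

```shell
#!/bin/sh
# Added example: validate a protocol list before writing it to
# /UserVars/ESXiVPsDisabledProtocols. ESXCLI_CMD is an assumed variable that
# holds "esxcli <conn_options>"; it defaults to a local "esxcli".

# The four values the option accepts, as listed in the documentation.
VALID_PROTOCOLS="sslv3 tlsv1 tlsv1.1 tlsv1.2"

# validate_disabled_protocols LIST
# Returns 0 when LIST is a non-empty, comma-separated subset of the valid
# names that does not include tlsv1.2 (disabling it too would disable every
# protocol). Prints the reason for rejection on stderr and returns 1 otherwise.
validate_disabled_protocols() {
    list="$1"
    if [ -z "$list" ]; then
        echo "empty protocol list" >&2
        return 1
    fi
    # Split the comma-separated value into positional parameters.
    old_ifs=$IFS
    IFS=','
    set -- $list
    IFS=$old_ifs
    for proto in "$@"; do
        case " $VALID_PROTOCOLS " in
            *" $proto "*) ;;
            *) echo "unknown protocol: '$proto'" >&2; return 1 ;;
        esac
        if [ "$proto" = "tlsv1.2" ]; then
            echo "refusing to disable tlsv1.2: no protocol would remain enabled" >&2
            return 1
        fi
    done
    return 0
}

# apply_disabled_protocols LIST
# Validates LIST, writes it with the command from the documentation, then reads
# the option back so the stored value is visible in the output. As the page
# notes, the HTTP proxy must be restarted (or the host rebooted) afterwards.
apply_disabled_protocols() {
    validate_disabled_protocols "$1" || return 1
    ${ESXCLI_CMD:-esxcli} system settings advanced set \
        -o /UserVars/ESXiVPsDisabledProtocols -s "$1" || return 1
    ${ESXCLI_CMD:-esxcli} system settings advanced list \
        -o /UserVars/ESXiVPsDisabledProtocols
}

# Usage (mirrors the documentation's example):
#   ESXCLI_CMD="esxcli <conn_options>" apply_disabled_protocols "sslv3,tlsv1,tlsv1.1"
```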
The following example can potentially affect guest-related key destruction.
How memory pages are zeroed out for virtual machines and user-space applications is determined by the /Mem/MemEagerZero advanced option. This option determines how long residual information resides in memory after it is no longer in use.
When /Mem/MemEagerZero is set to 0, which is the default value, memory pages are zeroed when they are allocated to virtual machines and user-space applications. While this prevents exposing information from virtual machines to other clients, previous content can remain present in memory for a long time if the memory is not reused.
For more immediate content destruction, you can set /Mem/MemEagerZero to 1. In this case, memory pages are zeroed when a user-space application exits. For virtual machines, memory pages are zeroed when the virtual machine powers off, when its pages are migrated, or when virtual machine memory is reclaimed.
For example, to set /Mem/MemEagerZero to 1, use the following command.
esxcli <conn_options> system settings advanced set -o /Mem/MemEagerZero -i 1