In ESXi 8.0 and later, the ESXi Entropy implementation supports the FIPS 140-3 and EAL4 certifications. Kernel boot options control which entropy sources to activate on an ESXi host.

In computing, the term “entropy” refers to random data that is collected for use in cryptography, for example to generate the encryption keys that secure data transmitted over a network. Entropy is required for generating keys and for communicating securely over the network, and it is typically collected from a variety of sources on a system.

FIPS entropy handling is the default behavior if all of the following conditions are true.

  1. The hardware supports RDSEED.
  2. The disableHwrng VMkernel boot option isn’t present or is FALSE.
  3. The entropySources VMkernel boot option isn’t present, is 0 (zero), or is 4.

Warning: When you configure an ESXi host with entropySources for external entropy only (that is, entropySources is set to 8), you must keep supplying external entropy to the host through the entropy API. If the entropy in the host becomes exhausted, the host becomes unresponsive. To recover from this situation, reboot the host. If the host is still unresponsive, you must reinstall ESXi.

Starting with ESXi 8.0 Update 1, you can configure external entropy sources in the kickstart file for scripted installation. By using the scripted installation method, you can configure ESXi in a highly secure environment to consume entropy from external entropy sources, such as a Hardware Security Module (HSM), and align with standards such as BSI Common Criteria, EAL4, and NIST FIPS CMVP. For more information about configuring external entropy sources, see the VMware ESXi Installation and Setup documentation.

You can configure the ESXi Entropy subsystem using the following VMkernel boot options:

Table 1. ESXi Entropy VMkernel Boot Options

disableHwrng (available prior to vSphere 8.0)
  Option type: Boolean
  Description: Deactivates the RDRAND and the RDSEED entropy sources when set to TRUE (overrides entropySources). When set to FALSE, activates the hardware random number generator entropy sources if present.
  Default value: FALSE

entropySources (available starting in vSphere 8.0)
  Option type: Integer (bitmask)
  Description: Specifies which entropy sources to activate. Bitmask values:
    • 1 = interrupts
    • 2 = RDRAND
    • 4 = RDSEED
    • 8 = entropyd (EAL4 entropy handling is activated)
  Values are combined by adding them. For example, entropySources=9 activates the interrupts and the userspace (entropyd) entropy sources, and deactivates the RDRAND and the RDSEED entropy sources.
  Default value: 0 (zero). If RDSEED is supported, the default is FIPS compliance. Otherwise, the default is all entropy sources except entropyd.

Note: Before making a change to use only RDRAND, RDSEED, or both entropy sources, check your vendor documentation to ensure that your ESXi host supports those configurations. If your host does not support those configurations, vCenter Server notifies you with an alert, and the host falls back to using the interrupt and userspace entropy sources.

Prerequisites

You must have root access on the ESXi host.

Procedure

  1. Use SSH or another remote console connection to start a session on the ESXi host.
  2. Log in as root.
  3. Set the desired entropy VMkernel boot options.
    1. To deactivate the RDRAND and the RDSEED entropy sources, set disableHwrng to TRUE:
      esxcli system settings kernel set -s disableHwrng -v TRUE
    2. To set entropySources, replace entropy_source_value with one of the values listed in the preceding table:
      esxcli system settings kernel set -s entropySources -v entropy_source_value
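Worked example, added here and not part of VMware's documentation or code: a small Python helper that applies the rules from the table above (bitmask values, the disableHwrng override, the FIPS-default conditions, and the external-entropy warning) to report which sources a given pair of boot options leaves active, and that builds the esxcli commands from the procedure. Whether the host's CPU supports RDSEED is passed in as an assumption, because the page makes the default depend on it.

```python
# Added helper, not VMware's own code: resolve which ESXi entropy sources end
# up active from the two VMkernel boot options, applying only the rules this
# page states. RDSEED support is an input, since the default depends on it.
INTERRUPTS, RDRAND, RDSEED, ENTROPYD = 1, 2, 4, 8
BIT_NAMES = {INTERRUPTS: "interrupts", RDRAND: "RDRAND", RDSEED: "RDSEED", ENTROPYD: "entropyd"}
ALL_BITS = INTERRUPTS | RDRAND | RDSEED | ENTROPYD

def decode_sources(mask):
    """Expand an entropySources bitmask into source names; reject stray bits."""
    if not 0 <= mask <= ALL_BITS:
        raise ValueError(f"entropySources={mask}: only bits 1, 2, 4 and 8 are defined")
    return {name for bit, name in BIT_NAMES.items() if mask & bit}

def resolve(entropy_sources=None, disable_hwrng=None, hw_rdseed=True):
    """Return (active_sources, fips_default, warnings) for one host.
    Pass None for an option that is not present in the boot options."""
    warnings = []
    # FIPS handling is the default only when RDSEED is supported, disableHwrng
    # is absent or FALSE, and entropySources is absent, 0 or 4.
    fips = bool(hw_rdseed) and not disable_hwrng and entropy_sources in (None, 0, RDSEED)
    explicit = entropy_sources not in (None, 0)
    if not explicit:
        # Default: FIPS compliance when RDSEED is supported, otherwise every
        # source except entropyd (assumed: RDSEED is unusable on such hardware).
        active = {"RDSEED"} if hw_rdseed else {"interrupts", "RDRAND"}
    else:
        active = decode_sources(entropy_sources)
    if disable_hwrng:
        active -= {"RDRAND", "RDSEED"}  # disableHwrng=TRUE overrides entropySources
    if active == {"entropyd"}:
        warnings.append("external entropy only: the host becomes unresponsive if "
                        "the entropy API stops feeding it; reboot or reinstall to recover")
    if not active:
        warnings.append("no entropy source remains after the disableHwrng override")
    if explicit and active and active <= {"RDRAND", "RDSEED"}:
        warnings.append("hardware-only sources: check vendor support first; an "
                        "unsupported host raises a vCenter alert and falls back to "
                        "interrupts and userspace")
    return active, fips, warnings

def esxcli_commands(entropy_sources=None, disable_hwrng=None):
    """The commands from the procedure above that apply the given options."""
    cmds = []
    if disable_hwrng is not None:
        cmds.append("esxcli system settings kernel set -s disableHwrng -v "
                    + ("TRUE" if disable_hwrng else "FALSE"))
    if entropy_sources is not None:
        cmds.append(f"esxcli system settings kernel set -s entropySources -v {entropy_sources}")
    return cmds
```

Run resolve() with the values you intend to set before applying them, and treat any returned warning as a reason to re-read the table and the warning above.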