OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

An XCCDF Rule

Description

<VulnDiscussion>By default, etcd data is not encrypted in OpenShift Container Platform. Enable etcd encryption for the cluster to provide an additional layer of data security. For example, it can help protect the loss of sensitive data if an etcd backup is exposed to the incorrect parties. When users enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: Secrets Config maps Routes OAuth access tokens OAuth authorize tokens When users enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. Users must have these keys to restore from an etcd backup.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-257564r961602_rule
Severity: Medium
References: CCI-002476
Updated: 17 days ago

Set API encryption type by executing the following:

oc edit apiserver

Set the encryption field type to aescbc:
spec:  encryption:
    type: aescbc 

Additional details about the configuration can be found in the documentation:
https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.html

OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

Description

Remediation - Manual Procedure