OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

STIG ID: CNTR-OS-000780  |  SRG: SRG-APP-000429-CTR-001060 |  Severity: medium |  CCI: CCI-002476 |  Vulnerability Id: V-257564 | 

Vulnerability Discussion

By default, etcd data is not encrypted in OpenShift Container Platform. Enable etcd encryption for the cluster to provide an additional layer of data security. For example, it can help protect the loss of sensitive data if an etcd backup is exposed to the incorrect parties. When users enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:

Secrets

Config maps

Routes

OAuth access tokens

OAuth authorize tokens

When users enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. Users must have these keys to restore from an etcd backup.

Check

Review the API server encryption by running by executing the following:

oc edit apiserver

EXAMPLE OUTPUT
spec:
encryption:
type: aescbc

If the encryption type is not "aescbc", this is a finding.

Fix

Set API encryption type by executing the following:

oc edit apiserver

Set the encryption field type to aescbc:
spec:
encryption:
type: aescbc

Additional details about the configuration can be found in the documentation:
https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.html
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.