1.2.31 Ensure that encryption providers are appropriately configured

Information

Where etcd encryption is used, appropriate providers should be configured.

Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the aescbc kms and secretbox are likely to be appropriate options.

Solution

Follow the OpenShift documentation for

encrypting etcd data

.

Impact:

When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:

- Secrets
- ConfigMaps
- Routes
- OAuth access tokens
- OAuth authorize tokens

When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.

See Also

https://workbench.cisecurity.org/benchmarks/19464

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: OpenShift

Control ID: a8b2a4f19adcdedcebdcde50869adabc6fc6405d181ca357b3d3cb9b97b2c526