1.1.3.1 Ensure all information at rest is encrypted

Information

Linux Unified Key Setup-on-disk-format (LUKS) provides a set of tools that simplifies managing encrypted block devices. With LUKS, you can encrypt a block device and enroll multiple user keys (passphrases or key files), each of which can unlock the same master key. The master key, not the user passphrase, is what performs the bulk encryption of the partition, so a passphrase can be changed or revoked without re-encrypting the data.

Red Hat Enterprise Linux uses LUKS to perform block device encryption. By default, the option to encrypt the block device is unchecked during the installation. If you select the option to encrypt your disk, the system prompts you for a passphrase every time you boot the computer. This passphrase unlocks the bulk encryption key that decrypts your partition. If you want to modify the default partition table, you can select the partitions that you want to encrypt. This is set in the partition table settings.

The default cipher used for LUKS is aes-xts-plain64. The default key size for LUKS is 512 bits, and the default key size for LUKS with Anaconda in XTS mode is also 512 bits. Note that XTS splits the key into two halves, so a 512-bit aes-xts-plain64 key means AES-256 for the data encryption; a 256-bit XTS key would only give AES-128.

The following are the available ciphers:

- Advanced Encryption Standard (AES)
- Twofish
- Serpent

Systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).

Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184

Note: Disk encryption protects data at rest only. Once the device is unlocked and the system is running, the kernel hands plaintext to every authorized process, so data copied to another device, sent over the network or shared by email is not protected by LUKS and requires its own transport or file-level controls.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the operating system to prevent unauthorized modification of all information at rest by using disk encryption.

Encrypting a partition on an already installed system is more difficult, because existing partitions must be backed up, resized or recreated, and then restored. To encrypt an entire partition, dedicate a partition to encryption in the partition layout at installation time. Newer cryptsetup releases (LUKS2) can also encrypt an existing device in place with cryptsetup reencrypt --encrypt, but this still needs space for the LUKS header and a verified backup before starting.
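The check a practitioner wants here is whether every filesystem and swap area sits on top of a dm-crypt device. The following POSIX shell script is an added example, not part of the benchmark or of Nessus's audit logic: it parses lsblk key="value" output, walks each device's parent chain (PKNAME), and reports filesystems with no crypt layer beneath them. The lsblk sample is constructed, the exemption of /boot and /boot/efi is an assumed policy choice, and single-parent device chains are assumed (an LVM volume group spanning several physical volumes would need per-PV handling).

```shell
#!/bin/sh
# Added example (not from the benchmark text): audit block devices for LUKS
# coverage using `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`.
# ASSUMPTION: /boot and /boot/efi are left unencrypted for the bootloader.
EXEMPT_MOUNTS='/boot /boot/efi'

# unencrypted_filesystems: reads lsblk -P lines on stdin and prints
# "NAME FSTYPE MOUNTPOINT" for each filesystem/swap area whose parent chain
# contains no TYPE="crypt" (dm-crypt/LUKS) device.
unencrypted_filesystems() {
    awk -v exempt="$EXEMPT_MOUNTS" '
    BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) ex[e[i]] = 1 }
    {
        # Parse KEY="value" pairs; values may be empty.
        for (k in f) delete f[k]
        s = $0
        while (match(s, /[A-Z]+="[^"]*"/)) {
            kv = substr(s, RSTART, RLENGTH)
            eq = index(kv, "=")
            f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
            s = substr(s, RSTART + RLENGTH)
        }
        name = f["NAME"]
        type[name] = f["TYPE"]; parent[name] = f["PKNAME"]
        fs[name] = f["FSTYPE"]; mnt[name] = f["MOUNTPOINT"]
        order[++cnt] = name
    }
    END {
        for (i = 1; i <= cnt; i++) {
            d = order[i]
            # Only devices carrying a filesystem or swap hold data at rest;
            # a LUKS container or LVM PV signature is not itself a finding.
            if (fs[d] == "" || fs[d] == "crypto_LUKS" || fs[d] == "LVM2_member") continue
            if (mnt[d] in ex) continue
            protected = 0
            for (p = d; p != ""; p = parent[p])
                if (type[p] == "crypt") { protected = 1; break }
            if (!protected) print d, fs[d], (mnt[d] == "" ? "-" : mnt[d])
        }
    }'
}

# Constructed sample of lsblk -P output: sda carries an encrypted LVM root
# and swap plus unencrypted boot partitions; sdb is a plain data disk.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-0d3a" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda3"
NAME="rhel-root" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/" PKNAME="luks-0d3a"
NAME="rhel-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="luks-0d3a"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"
NAME="sdb2" TYPE="part" FSTYPE="swap" MOUNTPOINT="" PKNAME="sdb"'

# audit_sample: run the audit over the constructed sample (for a live host,
# pipe `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` into the function).
audit_sample() {
    printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_filesystems
}

audit_sample
```

On the sample the script reports sdb1 (ext4 on /data) and sdb2 (an unencrypted swap partition, which would hold page-outs of sensitive memory), while the LVM root and swap under the luks-0d3a crypt device pass. Once coverage is confirmed, verify the parameters on each LUKS container with cryptsetup luksDump, which shows the data-segment cipher (expected aes-xts-plain64) and the keyslot key size (expected 512 bits).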

Impact:

If users forget their passphrase and lose their recovery key, the device will be inaccessible to them, and they will be locked out just like an intruder. Enrolling a second key slot for an organizational recovery key and keeping an offline copy of the LUKS header (cryptsetup luksHeaderBackup) reduces this risk; a damaged or overwritten header with no backup makes the data unrecoverable regardless of the passphrase.

See Also

https://workbench.cisecurity.org/benchmarks/19886

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: Unix

Control ID: 9cb3cc5f9e50bd8b2fcfd4368a50c8935d067825b85bb7df258ab7480f194c98