1.2.31 Ensure that encryption providers are appropriately configured

Information

Where etcd encryption is used, appropriate providers should be configured.

Rationale:

Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the aescbc, kms and secretbox are likely to be appropriate options.

Impact:

When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:

Secrets

ConfigMaps

Routes

OAuth access tokens

OAuth authorize tokens

When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.

Solution

Follow the OpenShift documentation for encrypting etcd data.

Default Value:

By default, no encryption provider is set.

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: OpenShift

Control ID: 0f572085c21a24cad999e092309759438721e33eea6b98b01796a07ca63c129e