CipherTrust Transparent Encryption for Kubernetes
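… store data, and control is limited. As a result, these security teams find it difficult to comply with the relevant security policies and regulatory mandates. Solution: CipherTrust Transparent Encryption for Kubernetes. CipherTrust Transparent Encryption for Kubernetes provides in-container capabilities for encryption, access control and data access logging, enabling enterprises to establish solid … over data in Kubernetes environments … are all centrally managed through CipherTrust Manager. Benefits: the benefits of CipherTrust Transparent Encryption for Kubernetes include:
• Compliance - This extension of CipherTrust Transparent Encryption addresses the compliance requirements and regulatory mandates for protecting sensitive data, such as payment cards, healthcare records or other sensitive assets.
• Protection against privileged-user threats … Transparent Encryption for Kubernetes will enforce strong data security policies. Without any changes to applications, containers or infrastructure, enterprises can choose to deploy and use containers to improve cost-effectiveness, control or performance.
0 points | 2 pages | 459.23 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4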
as appropriate (Automated) 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Automated) 1.2.34 Ensure that encryption providers are appropriately configured (Automated) --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --requestheader-extra-headers-prefix=X-Remote-Extra- --profiling=false
0 points | 132 pages | 1.12 MB | 1 year ago

Tags: key management, key
Turtles all the way down - Securely managing Kubernetes Secrets
secrets
Encryption: Always encrypt before writing to disk
Rotation: Change a secret regularly in case of compromise
Isolation: Separate where secrets are used vs managed
Encryption at different layers (or turtles): disks, file system, etcd
Recommendation: Use two-layers of encryption, e.g., full-disk & application-layer … then tries to decrypt it https://xkcd.com/538/, https://xkcd.com/license document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: 3.6.4 Cryptographic key changes for keys that have
0 points | 52 pages | 2.84 MB | 1 year ago

Apache Karaf Container 4.x - Documentation
4.14. Security 4.14.1. Realms 4.14.2. Users, groups, roles, and passwords 4.14.3. Passwords encryption 4.14.4. Managing authentication by key 4.14.5. RBAC 4.14.6. SecurityMBean 4.14.7. Security Schema and Deployer 5.14.3. Architecture 5.14.4. Available realm and login modules 5.14.5. Encryption service 5.14.6. Role discovery policies 5.14.7. Default role policies 5.15. Troubleshooting specifying a hostKeyPassword might require installing the BouncyCastle provider to support the desired encryption algorithm.
• hostKeyPub is the location of the public key of the server.
• sshRole is the default
0 points | 370 pages | 1.03 MB | 1 year ago

Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
General 5/4/2020
[SP 800-67 r2] NIST SP 800-67 Rev. 2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 11/17/2017
[SP 800-90A r1] NIST SP 800-90A Rev. 1, Recommendation 186-4] FIPS 186-4, Digital Signature Standard (DSS) 7/19/2013
[FIPS 197] FIPS 197, Advanced Encryption Standard (AES) 11/26/2001
[FIPS 198-1] FIPS 198-1, The Keyed Hash Message Authentication Code Cryptographic Library Page 3 of 16
Acronyms and Definitions
Term | Definition
AES | Advanced Encryption Standard
API | Application Programming Interface
CAVP | Cryptographic Algorithm Validation Program
0 points | 16 pages | 551.69 KB | 1 year ago

Apache Karaf 3.0.5 Guides
ENCRYPTION SERVICE
The EncryptionService is a service registered in the OSGi registry providing means to encrypt and check encrypted passwords. This service acts as a factory for Encryption objects actually performing the encryption. This service is used in all Karaf login modules to support encrypted passwords.
Configuring properties
Each login module supports the following additional set
encryption.name: Name of the encryption service registered in OSGi (cf. paragraph below)
encryption.enabled: Boolean used to turn on encryption
encryption.prefix: Prefix for encrypted
0 points | 203 pages | 534.36 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
Install the encryption provider configuration on all control plane nodes
Profile Applicability: Level 1
Description
Rancher_Hardening_Guide.md 11/30/2018 3 / 24
Create a Kubernetes encryption configuration controls:
1.1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)
1.1.35 - Ensure that the encryption provider is set to aescbc (Scored)
Audit
On the control plane hosts for the Rancher HA cluster run:
stat /etc/kubernetes/encryption.yaml
Ensure that:
The file is present
The file mode is 0600
The file owner is root:root
The file contains:
0 points | 24 pages | 336.27 KB | 1 year ago

Oracle VM VirtualBox 7.0.0_BETA2 User Manual
3 Description Tab … 56
3.4.4 Disk Encryption Tab … 57
3.5 System Settings …
1.5 RDP Authentication … 125
7.1.6 RDP Encryption … 126
7.1.7 Multiple Connections to … 349
9.22 Encryption of VMs … 350
9.22.1 Limitations of VM Encryption …
0 points | 519 pages | 4.49 MB | 1 year ago

Oracle VM VirtualBox 7.0.8 User Manual
Tab … 73
4.4.4 Disk Encryption Tab … 73
4.5 System Settings …
1.5 RDP Authentication … 146
8.1.6 RDP Encryption … 147
8.1.7 Multiple Connections to … 370
10.22 Encryption of VMs … 371
10.22.1 Limitations of VM Encryption …
0 points | 546 pages | 4.37 MB | 1 year ago

Oracle VM VirtualBox 7.0.10 User Manual
Tab … 73
4.4.4 Disk Encryption Tab … 73
4.5 System Settings …
1.5 RDP Authentication … 146
8.1.6 RDP Encryption … 147
8.1.7 Multiple Connections to … 371
10.22 Encryption of VMs … 372
10.22.1 Limitations of VM Encryption …
0 points | 548 pages | 4.38 MB | 1 year ago
174 results in total