highfilesystemunverified
Ensure data-at-rest is protected by disk encryption
disk-encryption-at-rest · RHEL ≥ 10 · 1 impl
Description
RHEL 10 must implement cryptographic mechanisms (LUKS disk encryption) to prevent unauthorized disclosure or modification of information at rest. When no OS-level encryption is present, manual confirmation is required that an approved and documented alternative (e.g. hypervisor or storage-array encryption) applies.
Rationale
Data at rest on unencrypted storage can be read directly if the media or a virtual disk image is stolen or improperly decommissioned. LUKS encrypts the block device so the data is unreadable without the key.
Check → Remediate
Checkcommand
if lsblk -o TYPE 2>/dev/null | grep -qiw crypt \ || blkid 2>/dev/null | grep -qi 'TYPE="crypto_LUKS"'; then echo "OK: LUKS disk encryption is present on this system" exit 0 fi if systemd-detect-virt -q 2>/dev/null; then echo "MANUAL REVIEW REQUIRED: no OS-level (LUKS) disk encryption detected on this virtual machine. Verify data-at-rest encryption is provided by an approved and documented hypervisor or storage-array mechanism; otherwise this is a CAT I finding." exit 0 fi echo "FAIL: no OS-level (LUKS) disk encryption on this physical host, where no hypervisor/array encryption can apply (CAT I)." exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Encrypt data-at-rest with LUKS (typically configured at install time via the installer's disk-encryption option, as reinstalling is required to encrypt an existing unencrypted root). Alternatively, document the approved hypervisor/storage-array encryption that satisfies this control.
Framework references
STIG
V-280935 / RHEL-10-000510
NIST 800-53
SC-28SC-28(1)
#encryption#luks#data-at-rest#stig#manual