← Rules Catalog
highfilesystemunverified

Ensure data-at-rest is protected by disk encryption

disk-encryption-at-rest · RHEL ≥ 10 · 1 impl

Description

RHEL 10 must implement cryptographic mechanisms (LUKS disk encryption) to prevent unauthorized disclosure or modification of information at rest. When no OS-level encryption is present, manual confirmation is required that an approved and documented alternative (e.g. hypervisor or storage-array encryption) applies.

Rationale

Data at rest on unencrypted storage can be read directly if the media or a virtual disk image is stolen or improperly decommissioned. LUKS encrypts the block device so the data is unreadable without the key.

Check → Remediate

Checkcommand
if lsblk -o TYPE 2>/dev/null | grep -qiw crypt \
   || blkid 2>/dev/null | grep -qi 'TYPE="crypto_LUKS"'; then
  echo "OK: LUKS disk encryption is present on this system"
  exit 0
fi
if systemd-detect-virt -q 2>/dev/null; then
  echo "MANUAL REVIEW REQUIRED: no OS-level (LUKS) disk encryption detected on this virtual machine. Verify data-at-rest encryption is provided by an approved and documented hypervisor or storage-array mechanism; otherwise this is a CAT I finding."
  exit 0
fi
echo "FAIL: no OS-level (LUKS) disk encryption on this physical host, where no hypervisor/array encryption can apply (CAT I)."
exit 1
expected_exit:
0
Remediatemanual
note:
Encrypt data-at-rest with LUKS (typically configured at install time via the installer's disk-encryption option, as reinstalling is required to encrypt an existing unencrypted root). Alternatively, document the approved hypervisor/storage-array encryption that satisfies this control.

Framework references

STIG

V-280935 / RHEL-10-000510

NIST 800-53

SC-28SC-28(1)
#encryption#luks#data-at-rest#stig#manual