
Rancher RKE2 keystore must implement encryption to prevent unauthorized disclosure of information at rest within Rancher RKE2.


Overview

Finding ID: V-254573
Version: CNTR-R2-001500
Rule ID: SV-254573r918261_rule
IA Controls: (none listed)
Severity: Medium
Description
This rule covers encrypting Kubernetes Secrets at rest in etcd. By default, RKE2 generates an encryption key and an encryption configuration file and passes them to the Kubernetes API server, so RKE2 automatically encrypts Kubernetes Secret objects before writing them to etcd. Without this, anyone who can read the etcd data directory or an etcd backup can read every Secret in cleartext.
STIG: Rancher Government Solutions RKE2 Security Technical Implementation Guide
Date: 2023-11-30

Details

Check Text (C-58057r859287_chk)
Review the encryption configuration file.

As root or with root permissions, run the following command (view opens the file read-only in vi; cat works as well):
view /var/lib/rancher/rke2/server/cred/encryption-config.json

The file must exist and list an encrypting provider (aescbc by default in RKE2) for the secrets resource. Note that the first provider listed is the one used for new writes, so a file whose first provider is identity leaves newly written Secrets in cleartext even though older ones still decrypt.

Ensure the RKE2 configuration file on all RKE2 servers, located at /etc/rancher/rke2/config.yaml, does NOT contain:

secrets-encryption: false

If secrets encryption is turned off, this is a finding.
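The following POSIX shell script is an added example, not part of the STIG text, that automates the two checks above: it flags config.yaml when it contains an uncommented secrets-encryption: false, and it flags encryption-config.json when the file is missing or when its first provider is identity rather than an encrypting provider. The function names, the --audit flag and the fixture files written by make_fixtures are this example's own constructions; the fixture JSON mimics the shape of an EncryptionConfiguration with placeholder key material and is not data from a real cluster.

```shell
#!/bin/sh
# Added example for CNTR-R2-001500 (not part of the STIG): audit helper.
# Default paths are the ones the check text names; override via environment.
RKE2_CONFIG="${RKE2_CONFIG:-/etc/rancher/rke2/config.yaml}"
ENC_CONFIG="${ENC_CONFIG:-/var/lib/rancher/rke2/server/cred/encryption-config.json}"

# Print PASS or FINDING for the config.yaml check. A missing config.yaml is a
# PASS because RKE2 enables secrets encryption by default; comment lines are
# skipped so a commented-out "# secrets-encryption: false" is not a finding.
check_config_yaml() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo PASS; return 0
    fi
    if grep -v '^[[:space:]]*#' "$cfg" \
        | grep -Eiq '^[[:space:]]*secrets-encryption:[[:space:]]*"?false"?[[:space:]]*$'; then
        echo FINDING; return 1
    fi
    echo PASS; return 0
}

# Print the name of the first provider in the encryption config (the one the
# API server uses to write new objects), or nothing if none is found.
first_provider() {
    tr -d ' \t\n' < "$1" | sed -n 's/.*"providers":\[{"\([a-z]*\)".*/\1/p'
}

# Print PASS or FINDING for encryption-config.json: the file must be readable
# and its first provider must be an encrypting one, not "identity".
check_encryption_config() {
    enc="$1"
    if [ ! -r "$enc" ]; then
        echo FINDING; return 1
    fi
    prov="$(first_provider "$enc")"
    case "$prov" in
        ''|identity) echo FINDING; return 1 ;;
        *)           echo PASS;    return 0 ;;
    esac
}

# Run both checks against the live paths and exit non-zero on any finding.
audit() {
    rc=0
    printf 'config.yaml (%s): %s\n' "$RKE2_CONFIG" "$(check_config_yaml "$RKE2_CONFIG")" || rc=1
    check_config_yaml "$RKE2_CONFIG" >/dev/null || rc=1
    printf 'encryption-config.json (%s): %s\n' "$ENC_CONFIG" "$(check_encryption_config "$ENC_CONFIG")"
    check_encryption_config "$ENC_CONFIG" >/dev/null || rc=1
    return $rc
}

# Write constructed sample files (compliant and non-compliant) into a temp
# directory and print its path, so the checks can be exercised offline.
make_fixtures() {
    d="$(mktemp -d)"
    printf 'write-kubeconfig-mode: "0600"\n# secrets-encryption: false\n' > "$d/good.yaml"
    printf 'secrets-encryption: false\n' > "$d/bad.yaml"
    # Shape of an EncryptionConfiguration; the "secret" value is a placeholder.
    printf '%s' '{"kind":"EncryptionConfiguration","apiVersion":"apiserver.config.k8s.io/v1","resources":[{"resources":["secrets"],"providers":[{"aescbc":{"keys":[{"name":"aescbckey","secret":"constructed-placeholder-not-a-real-key"}]}},{"identity":{}}]}]}' > "$d/good.json"
    printf '%s' '{"kind":"EncryptionConfiguration","apiVersion":"apiserver.config.k8s.io/v1","resources":[{"resources":["secrets"],"providers":[{"identity":{}},{"aescbc":{"keys":[{"name":"aescbckey","secret":"constructed-placeholder-not-a-real-key"}]}}]}]}' > "$d/bad.json"
    echo "$d"
}

# Only audit the live host when asked, so sourcing this file has no side effects.
if [ "${1-}" = "--audit" ]; then
    audit
fi
```

Run it as root with sh rke2-secrets-audit.sh --audit on every RKE2 server; a non-zero exit means a finding. Because encryption-config.json carries the AES key material itself, treat it like any other credential under /var/lib/rancher/rke2/server/cred/ and keep it readable by root only.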
Fix Text (F-58006r918248_fix)
Enable secrets encryption.

Edit the RKE2 configuration file on all RKE2 servers, located at /etc/rancher/rke2/config.yaml, so that it contains:

secrets-encryption: true

Restart the rke2-server service on each server for the change to take effect. Encryption applies to Secrets as they are written, so Secrets that already existed in etcd remain in cleartext until they are rewritten; re-saving them (for example, kubectl get secrets --all-namespaces -o json | kubectl replace -f -) forces them through the encrypting provider.