Splunk Phantom ingests objects from connected assets, such as your firewall or services like VirusTotal and MaxMind. Many of these assets require that Splunk Phantom provide credentials, such as a username and password or an authentication token, to connect. Splunk Phantom stores these credentials in an encrypted form in its database, but in order to use them, they must be decrypted first. The decryption keys are stored in Splunk Phantom's keystore partition.
If you encrypt the keystore partition, an administrator with the decryption password must provide the password each time Splunk Phantom is booted or rebooted.
Encrypting the keystore partition only protects the keystore partition when Splunk Phantom is shut down. If an attacker gains access to the operating system or the hypervisor while Splunk Phantom is running, that attacker can access the decrypted keystore.
Before you begin, you need SSH access to the operating system of your Splunk Phantom deployment as a user account with either root or sudo permissions.
This procedure is for Splunk Phantom 4.x releases. Do this procedure during a maintenance window or other scheduled downtime.
If you are encrypting the keystore partition in a clustered Splunk Phantom deployment, you must do this procedure on each Splunk Phantom node.
WARNING: If you lose or forget the encryption passphrase, you cannot mount the Splunk Phantom keystore partition.
1. SSH to your Splunk Phantom deployment.
2. As root, or a user with sudo permissions, install the disk encryption package and any dependencies.
   # yum install cryptsetup-luks
3. Make a backup of the keystore partition.
   # mkdir /root/keystore
   # cp -p --preserve=context /opt/phantom/keystore/* /root/keystore
4. Unmount the keystore partition.
   # umount /opt/phantom/keystore
5. Format the keystore partition as an encrypted volume.
   # cryptsetup luksFormat /dev/mapper/centos-opt_phantom_keystore
6. Unlock the encrypted volume.
   # cryptsetup luksOpen /dev/mapper/centos-opt_phantom_keystore keystore
7. Create the filesystem on the encrypted volume.
   # mkfs.ext4 /dev/mapper/keystore
8. Edit /etc/crypttab and add this line:
   keystore /dev/mapper/centos-opt_phantom_keystore none luks
9. Edit /etc/fstab. Modify the keystore line, replacing the device
   /dev/mapper/centos-opt_phantom_keystore
   with the unlocked volume, so that the line reads:
   /dev/mapper/keystore /opt/phantom/keystore ext4 defaults,noexec,nosuid,nodev 1 2
10. Mount the encrypted volume.
   # mount /opt/phantom/keystore
11. Move the backup of the keystore to the encrypted volume.
   # mv /root/keystore/* /opt/phantom/keystore
12. Disable the Splunk Phantom boot splash screen so that the passphrase prompt is visible at boot. Edit /etc/default/grub and remove the 'rhgb' parameter from this line:
   GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet splash vga=791"
13. Reboot your Splunk Phantom instance.
Check to make sure Splunk Phantom is decrypting credentials:
1. Log in to the Splunk Phantom web UI.
2. From the Main Menu, select Apps.
3. Choose an app that requires credentials, such as a username and password or an authentication token.
4. Select a configured asset.
5. From the app's Asset Settings tab, click Test Connectivity.
If Splunk Phantom does not mount the keystore partition:
1. SSH into your Splunk Phantom instance as root or a user with sudo permissions.
2. Run this command:
   # mount / -o remount
3. If there are errors in either /etc/crypttab or /etc/fstab, correct them, then reboot Splunk Phantom.
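The following shell script is an added example and is not part of the Splunk Phantom documentation. It performs the pre-reboot check a practitioner would run after editing the three files in this procedure, so that a typo in /etc/crypttab, /etc/fstab or /etc/default/grub is caught before the reboot rather than in emergency mode with the keystore unmounted. It assumes the mapper name keystore, the backing volume /dev/mapper/centos-opt_phantom_keystore and the mount point /opt/phantom/keystore used in the steps above; the function name check_keystore_config and the --live flag are the example's own.

```sh
#!/bin/sh
# Added example (not from the Splunk Phantom documentation): a pre-reboot
# sanity check for the keystore encryption setup. It reads the three files
# the procedure edits and reports the mistakes that would leave the keystore
# unmounted after reboot. Assumed values: mapper name "keystore", backing
# volume /dev/mapper/centos-opt_phantom_keystore and mount point
# /opt/phantom/keystore, exactly as used in the procedure.

KS_MAPPER=/dev/mapper/keystore
KS_MOUNT=/opt/phantom/keystore

# check_keystore_config CRYPTTAB FSTAB GRUB_DEFAULT
# Returns 0 when every check passes, 1 otherwise; each failure is printed.
check_keystore_config() {
    crypttab="$1"; fstab="$2"; grubdef="$3"; rc=0

    # 1. /etc/crypttab must map "keystore" onto the LUKS-formatted volume.
    backing=$(awk '$1=="keystore" && $4=="luks" { print $2 }' "$crypttab")
    if [ -z "$backing" ]; then
        echo "FAIL: $crypttab has no 'keystore <device> none luks' entry"
        rc=1
    fi

    # 2. /etc/fstab must mount the *unlocked* mapper device, not the raw LV.
    fsdev=$(awk -v mp="$KS_MOUNT" '$1 !~ /^#/ && $2==mp { print $1 }' "$fstab")
    if [ "$fsdev" != "$KS_MAPPER" ]; then
        echo "FAIL: $fstab mounts $KS_MOUNT from '${fsdev:-<nothing>}', expected $KS_MAPPER"
        rc=1
    fi

    # 3. The raw LV must not still appear as an fstab device: the kernel would
    #    try to mount a LUKS header as ext4 and drop to emergency mode.
    if [ -n "$backing" ] && awk -v dev="$backing" '$1==dev { found=1 } END { exit !found }' "$fstab"; then
        echo "FAIL: $fstab still mounts the raw volume $backing"
        rc=1
    fi

    # 4. The hardening mount options from the procedure must all be present.
    opts=$(awk -v mp="$KS_MOUNT" '$1 !~ /^#/ && $2==mp { print $4 }' "$fstab")
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "FAIL: $fstab: $KS_MOUNT is missing mount option $want"; rc=1 ;;
        esac
    done

    # 5. rhgb must be gone from the kernel command line so the passphrase
    #    prompt is shown at boot instead of being hidden behind the splash.
    if grep -q '^GRUB_CMDLINE_LINUX=.*rhgb' "$grubdef"; then
        echo "FAIL: $grubdef still contains rhgb on GRUB_CMDLINE_LINUX"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: keystore encryption configuration looks consistent"
    fi
    return "$rc"
}

# Run against the live system files only when asked explicitly, e.g.
#   sudo sh check_keystore.sh --live    (exit status 0 = safe to reboot)
if [ "${1:-}" = "--live" ]; then
    check_keystore_config /etc/crypttab /etc/fstab /etc/default/grub
fi
```

Run it with --live after step 12 and before rebooting; a non-zero exit status means one of the edited files would not survive the reboot, and the printed FAIL lines point at the file and field to correct.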