Introduction
Splunk Phantom ingests objects from connected assets, such as your firewall, and from services like VirusTotal and MaxMind. Many of these assets require Splunk Phantom to present credentials, such as a username and password or an authentication token, to connect. Splunk Phantom stores these credentials in its database in encrypted form and must decrypt them before each use. The decryption keys are stored on Splunk Phantom's keystore partition, which is why that partition is worth protecting at rest.
Cautions
- If you encrypt the keystore partition, an administrator with the decryption password must provide the password each time Splunk Phantom is booted or rebooted.
- Encrypting the keystore partition only protects it while the volume is locked, that is, while Splunk Phantom is shut down. Once the passphrase has been entered at boot, the volume stays unlocked and mounted in plaintext for as long as the system runs, so an attacker who gains access to the operating system, or to the hypervisor (which can also read the unlocked volume's key out of guest memory), can read the decrypted keystore.
- Make a full backup of your Splunk Phantom deployment before you begin. See Splunk Phantom backup and restore overview.
Prerequisites
- SSH access to the operating system of your Splunk Phantom deployment on a user account with either root or sudo permissions.
Procedure
This procedure is for Splunk Phantom 4.x releases. Do this procedure during a maintenance window or other scheduled downtime.
If you are encrypting the keystore partition in a clustered Splunk Phantom deployment, you must do this procedure on each Splunk Phantom node.
WARNING: If you lose or forget the encryption passphrase, you cannot mount the Splunk Phantom keystore partition.
- SSH to your Splunk Phantom deployment.
- As root, or a user with sudo permissions, install the disk encryption package and any dependencies.
# yum install cryptsetup-luks
- Make a backup of the keystore partition.
# mkdir /root/keystore
# cp -p --preserve=context /opt/phantom/keystore/* /root/keystore
- Unmount the keystore partition.
# umount /opt/phantom/keystore
- Format the keystore partition as an encrypted volume. This destroys everything on the partition (hence the backup); cryptsetup asks you to confirm by typing YES in uppercase and then to enter the new passphrase twice.
# cryptsetup luksFormat /dev/mapper/centos-opt_phantom_keystore
- Unlock the encrypted volume. cryptsetup prompts for the passphrase and exposes the plaintext view as /dev/mapper/keystore, the mapping name given as the last argument.
# cryptsetup luksOpen /dev/mapper/centos-opt_phantom_keystore keystore
- Create the filesystem on the encrypted volume.
# mkfs.ext4 /dev/mapper/keystore
- Edit /etc/crypttab to add this line:
keystore /dev/mapper/centos-opt_phantom_keystore none luks
- Edit /etc/fstab. Find the keystore line, whose first field is the raw LVM volume:
/dev/mapper/centos-opt_phantom_keystore
Replace that line so that it mounts the unlocked mapping /dev/mapper/keystore instead (the kernel cannot mount the ciphertext device), with noexec, nosuid and nodev set because nothing on the keystore needs to be executed:
/dev/mapper/keystore /opt/phantom/keystore ext4 defaults,noexec,nosuid,nodev 1 2
- Mount the encrypted volume.
# mount /opt/phantom/keystore
- Move the backup of the keystore to the encrypted volume. The backup was taken with ownership and SELinux context preserved, so confirm after the move that the restored files keep the ownership, permissions and SELinux context of the originals.
# mv /root/keystore/* /opt/phantom/keystore
- Disable the Splunk Phantom boot splash screen so that the LUKS passphrase prompt is visible on the console at boot. Edit /etc/default/grub and remove the 'rhgb' parameter from this line, then regenerate the GRUB configuration with grub2-mkconfig so the change takes effect (editing /etc/default/grub alone does not change the boot entries):
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet splash vga=791"
- Reboot your Splunk Phantom instance. Boot stops at the console passphrase prompt and does not continue until the keystore volume is unlocked.
Testing
Check to make sure Splunk Phantom is decrypting credentials.
- Log in to the Splunk Phantom web UI.
- From the Main Menu select Apps.
- Choose an app that requires credentials such as a username and password or authentication token.
- Select a configured asset.
- From the asset's Asset Settings tab, click Test Connectivity. A successful test shows that Splunk Phantom could read the decryption keys from the mounted keystore and decrypt the asset's credentials.
Troubleshooting
If Splunk Phantom does not mount the keystore partition at boot, the system normally drops into emergency mode, and the root filesystem may be mounted read-only, so /etc/crypttab and /etc/fstab cannot be edited until it is remounted:
- SSH into your Splunk Phantom instance as root or a user with sudo permissions, or use the console if networking is not up in emergency mode.
- Remount the root filesystem read-write with the options from /etc/fstab:
# mount / -o remount
Check /etc/crypttab and /etc/fstab for typos in the mapping name, device path, mount point or options; the mapping name in /etc/crypttab must match the /dev/mapper/ name used in /etc/fstab. Correct any errors, then reboot Splunk Phantom.
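As an added example (not part of the Splunk Phantom documentation or product), the POSIX shell script below checks the /etc/crypttab and /etc/fstab entries written in the procedure above for the mistakes that leave the keystore unmounted at the next boot: a missing or misnamed crypttab mapping, an fstab line that still points at the raw LUKS device instead of /dev/mapper/keystore, missing noexec/nosuid/nodev options, or the raw device still listed anywhere in fstab. The defaults assume the device, mapping name and mount point used on this page (all can be overridden as arguments), and the demo function runs against constructed sample files so the script can be tried without touching a live system. Run it against the real files before the reboot step, and again from the emergency shell when troubleshooting.

```shell
#!/bin/sh
# Consistency check for the keystore crypttab/fstab entries.
# Added example for this page, not Splunk Phantom code. Defaults assume the
# device, mapping name and mount point used in the procedure above.

# check_keystore_config CRYPTTAB FSTAB [MAPNAME] [LUKS_DEVICE] [MOUNTPOINT]
# Prints one line per problem found and returns 0 only if the two files agree.
check_keystore_config() {
    crypttab="$1"; fstab="$2"
    name="${3:-keystore}"
    luksdev="${4:-/dev/mapper/centos-opt_phantom_keystore}"
    mnt="${5:-/opt/phantom/keystore}"
    rc=0

    # /etc/crypttab fields: <mapping name> <device> <key file> <options>
    ct_line=$(grep -v '^[[:space:]]*#' "$crypttab" 2>/dev/null | awk -v n="$name" '$1 == n')
    if [ -z "$ct_line" ]; then
        echo "crypttab: no mapping named '$name'"; rc=1
    else
        ct_dev=$(printf '%s\n' "$ct_line" | awk '{print $2}')
        ct_opts=$(printf '%s\n' "$ct_line" | awk '{print $4}')
        [ "$ct_dev" = "$luksdev" ] || { echo "crypttab: '$name' opens $ct_dev, expected $luksdev"; rc=1; }
        case ",$ct_opts," in
            *,luks,*) ;;
            *) echo "crypttab: '$name' lacks the luks option"; rc=1 ;;
        esac
    fi

    # /etc/fstab must mount the unlocked mapping, never the raw (ciphertext) device
    fs_line=$(grep -v '^[[:space:]]*#' "$fstab" 2>/dev/null | awk -v m="$mnt" '$2 == m')
    if [ -z "$fs_line" ]; then
        echo "fstab: no entry for $mnt"; rc=1
    else
        fs_dev=$(printf '%s\n' "$fs_line" | awk '{print $1}')
        fs_opts=$(printf '%s\n' "$fs_line" | awk '{print $4}')
        [ "$fs_dev" = "/dev/mapper/$name" ] || { echo "fstab: $mnt mounts $fs_dev, expected /dev/mapper/$name"; rc=1; }
        for o in noexec nosuid nodev; do
            case ",$fs_opts," in
                *,"$o",*) ;;
                *) echo "fstab: $mnt is missing the $o option"; rc=1 ;;
            esac
        done
    fi
    if grep -v '^[[:space:]]*#' "$fstab" 2>/dev/null | awk '{print $1}' | grep -qx "$luksdev"; then
        echo "fstab: raw LUKS device $luksdev is still listed; the kernel cannot mount ciphertext"; rc=1
    fi
    return $rc
}

# Constructed sample files for a stand-alone demonstration (not real system files).
GOOD_CRYPTTAB='keystore /dev/mapper/centos-opt_phantom_keystore none luks'
GOOD_FSTAB='/dev/mapper/centos-root / xfs defaults 0 0
/dev/mapper/keystore /opt/phantom/keystore ext4 defaults,noexec,nosuid,nodev 1 2'
# Typical mistake: fstab still names the raw LUKS device and drops the hardening options.
BAD_FSTAB='/dev/mapper/centos-root / xfs defaults 0 0
/dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore ext4 defaults 1 2'

# demo_keystore_check: writes the samples to a scratch directory, checks both
# pairs, and returns 0 only if the good pair passes and the bad pair is rejected.
demo_keystore_check() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$GOOD_CRYPTTAB" > "$d/crypttab"
    printf '%s\n' "$GOOD_FSTAB" > "$d/fstab.good"
    printf '%s\n' "$BAD_FSTAB" > "$d/fstab.bad"
    ok=0
    if check_keystore_config "$d/crypttab" "$d/fstab.good" \
       && ! check_keystore_config "$d/crypttab" "$d/fstab.bad"; then
        ok=1
    fi
    rm -rf "$d"
    [ "$ok" = 1 ]
}

demo_keystore_check && echo "keystore crypttab/fstab check: demo OK"
```

On a live system, call check_keystore_config /etc/crypttab /etc/fstab (adding the mapping name, device and mount point as arguments if yours differ from this page) and only reboot when it prints nothing and returns 0.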