Introduction

Splunk Phantom ingests objects from connected assets, such as your firewall, and from services such as VirusTotal and MaxMind. Many of these assets require Splunk Phantom to present credentials, such as a username and password or an authentication token, to connect. Splunk Phantom stores these credentials in encrypted form in its database, but they must be decrypted before they can be used. The decryption keys are stored on Splunk Phantom's keystore partition. Encrypting that partition with LUKS protects the keys when the disk or virtual machine image is at rest.

Cautions

If you encrypt the keystore partition, an administrator who knows the passphrase must enter it on the console each time Splunk Phantom is booted or rebooted. Unattended reboots are no longer possible.

Encrypting the keystore partition protects it only while Splunk Phantom is shut down. While the system is running, the volume is unlocked and mounted, so an attacker who gains access to the operating system or to the hypervisor can read the decrypted keystore.

cryptsetup luksFormat destroys the existing contents of the partition. Make a full backup of your Splunk Phantom deployment before you begin. See Splunk Phantom backup and restore overview.

Prerequisites

SSH access to the operating system of your Splunk Phantom deployment, using an account with root or sudo permissions.

Procedure

This procedure is for Splunk Phantom 4.x releases. Do this procedure during a maintenance window or other scheduled downtime. If you are encrypting the keystore partition in a clustered Splunk Phantom deployment, you must do this procedure on each Splunk Phantom node.

WARNING: If you lose or forget the encryption passphrase, you cannot mount the Splunk Phantom keystore partition, and the credentials stored in the database cannot be decrypted.

1. SSH to your Splunk Phantom deployment.

2. As root, or as a user with sudo permissions, install the disk encryption package and its dependencies.

   # yum install cryptsetup-luks

3. Make a backup of the keystore partition. The --preserve=context option keeps the SELinux labels on the copied files.

   # mkdir /root/keystore
   # cp -p --preserve=context /opt/phantom/keystore/* /root/keystore

4. Unmount the keystore partition.

   # umount /opt/phantom/keystore

5. Format the keystore partition as an encrypted volume. You are prompted to confirm and to choose the passphrase.

   # cryptsetup luksFormat /dev/mapper/centos-opt_phantom_keystore

6. Unlock the encrypted volume. This creates the device /dev/mapper/keystore.

   # cryptsetup luksOpen /dev/mapper/centos-opt_phantom_keystore keystore

7. Create the filesystem on the encrypted volume.

   # mkfs.ext4 /dev/mapper/keystore

8. Edit /etc/crypttab and add this line, so that the volume is unlocked at boot. The key field "none" means the passphrase is requested on the console.

   keystore /dev/mapper/centos-opt_phantom_keystore none luks

9. Edit /etc/fstab. On the keystore line, change the device from /dev/mapper/centos-opt_phantom_keystore to /dev/mapper/keystore, so that the line reads:

   /dev/mapper/keystore /opt/phantom/keystore ext4 defaults,noexec,nosuid,nodev 1 2

10. Mount the encrypted volume.

   # mount /opt/phantom/keystore

11. Move the backup of the keystore onto the encrypted volume.

   # mv /root/keystore/* /opt/phantom/keystore

12. Disable the Splunk Phantom boot splash screen so that the passphrase prompt is visible on the console. Edit /etc/default/grub and remove the rhgb parameter from this line:

   GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet splash vga=791"

13. Reboot your Splunk Phantom instance and enter the passphrase when prompted.

Testing

Check that Splunk Phantom can still decrypt credentials.

1. Log in to the Splunk Phantom web UI.
2. From the Main Menu, select Apps.
3. Choose an app that requires credentials, such as a username and password or an authentication token.
4. Select a configured asset.
5. From the app's Asset Settings tab, click Test Connectivity.

Troubleshooting

If Splunk Phantom does not mount the keystore partition at boot:

1. SSH into your Splunk Phantom instance as root or as a user with sudo permissions. If the system has dropped to an emergency shell with the root filesystem mounted read-only, remount it so that you can edit files:

   # mount / -o remount

2. Check /etc/crypttab and /etc/fstab for errors: the mapping name in /etc/crypttab must match the /dev/mapper/ device named in /etc/fstab, and /etc/fstab must no longer reference the unencrypted logical volume. Correct any errors, then reboot Splunk Phantom.
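The troubleshooting steps above boil down to checking that /etc/crypttab, /etc/fstab and /etc/default/grub agree with each other before you reboot, because a mismatch leaves the system waiting at an emergency prompt. The following script is an added example, not part of the Splunk Phantom documentation or product. It assumes the names used in the procedure (mapping name keystore, backing volume /dev/mapper/centos-opt_phantom_keystore, mount point /opt/phantom/keystore) and checks copies of the three files so it can be run before the reboot, or offline against the constructed sample files it creates.

```shell
#!/bin/sh
# Pre-reboot consistency check for the LUKS keystore configuration.
# Added example, not Splunk's own tooling. Assumes the names from the
# procedure: mapping "keystore", backing LV
# /dev/mapper/centos-opt_phantom_keystore, mount point /opt/phantom/keystore.
# File paths are passed explicitly so the checks also run on test copies.

# check_crypttab FILE MAPNAME DEVICE
# Succeeds if FILE has an uncommented entry mapping MAPNAME to DEVICE,
# with key "none" (prompt on the console) and the luks option set.
check_crypttab() {
    awk -v name="$2" -v dev="$3" '
        /^[ \t]*(#|$)/ { next }
        $1 == name { found = 1; if ($2 != dev || $3 != "none" || $4 != "luks") bad = 1 }
        END { exit !(found && !bad) }
    ' "$1"
}

# check_fstab FILE MAPNAME MOUNTPOINT
# Succeeds if MOUNTPOINT is mounted from /dev/mapper/MAPNAME as ext4 with
# noexec, nosuid and nodev set. A line that still names the unencrypted LV
# is the usual reason the mount fails after the reboot.
check_fstab() {
    awk -v dev="/dev/mapper/$2" -v mnt="$3" '
        /^[ \t]*(#|$)/ { next }
        $2 == mnt {
            found = 1
            if ($1 != dev || $3 != "ext4") bad = 1
            if ($4 !~ /(^|,)noexec(,|$)/ || $4 !~ /(^|,)nosuid(,|$)/ || $4 !~ /(^|,)nodev(,|$)/) bad = 1
        }
        END { exit !(found && !bad) }
    ' "$1"
}

# check_grub FILE
# Succeeds if rhgb has been removed from GRUB_CMDLINE_LINUX, so the
# passphrase prompt is not hidden behind the boot splash.
check_grub() {
    ! grep -Eq '^GRUB_CMDLINE_LINUX=.*[" ]rhgb[" ]' "$1"
}

# keystore_config_ok CRYPTTAB FSTAB GRUBDEFAULT
# Runs all three checks and reports the first failure on stderr.
keystore_config_ok() {
    check_crypttab "$1" keystore /dev/mapper/centos-opt_phantom_keystore \
        || { echo "crypttab: bad or missing keystore entry" >&2; return 1; }
    check_fstab "$2" keystore /opt/phantom/keystore \
        || { echo "fstab: /opt/phantom/keystore is not mounted from /dev/mapper/keystore" >&2; return 1; }
    check_grub "$3" \
        || { echo "grub: rhgb still set, passphrase prompt will be hidden" >&2; return 1; }
    return 0
}

# make_samples: writes constructed sample files (not taken from any real
# system) into a temporary directory and prints its path, so the checks can
# be exercised without touching /etc.
make_samples() {
    dir=$(mktemp -d)
    printf 'keystore /dev/mapper/centos-opt_phantom_keystore none luks\n' > "$dir/crypttab.good"
    printf '/dev/mapper/keystore /opt/phantom/keystore ext4 defaults,noexec,nosuid,nodev 1 2\n' > "$dir/fstab.good"
    # Stale fstab: still points at the unencrypted LV.
    printf '/dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore ext4 defaults,noexec,nosuid,nodev 1 2\n' > "$dir/fstab.stale"
    printf 'GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap quiet splash vga=791"\n' > "$dir/grub.good"
    printf 'GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet splash vga=791"\n' > "$dir/grub.rhgb"
    echo "$dir"
}

# On a live system, run before step 13:
#   keystore_config_ok /etc/crypttab /etc/fstab /etc/default/grub && echo "safe to reboot"
```

Run keystore_config_ok against the real files after editing them and before rebooting; a non-zero exit with the printed reason tells you which file to fix while you still have a working shell. The checks are deliberately strict about the hardening options so that a hand-edited fstab line that silently dropped noexec, nosuid or nodev is also caught.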