Splunk SOAR (f.k.a. Phantom)

How can I encrypt the keystore partition of my Splunk Phantom deployment?

Splunk Employee


Splunk Phantom ingests objects from connected assets, such as your firewall and services like VirusTotal and MaxMind. Many of these assets require Splunk Phantom to present credentials, such as a username and password or an authentication token, in order to connect. Splunk Phantom stores these credentials in encrypted form in its database, but before they can be used they must be decrypted. The decryption keys are stored in Splunk Phantom's keystore partition.


  • If you encrypt the keystore partition, an administrator with the decryption password must provide the password each time Splunk Phantom is booted or rebooted. 
  • Encrypting the keystore partition only protects the keystore partition when Splunk Phantom is shut down. If an attacker gains access to the operating system or the hypervisor while Splunk Phantom is running, that attacker can access the decrypted keystore.
  • Make a full backup of your Splunk Phantom deployment. See Splunk Phantom backup and restore overview.


  • SSH access to the operating system of your Splunk Phantom deployment on a user account with either root or sudo permissions.


This procedure is for Splunk Phantom 4.x releases. Do this procedure during a maintenance window or other scheduled downtime, because the keystore partition is unmounted and reformatted and the node is rebooted.

If you are encrypting the keystore partition in a clustered Splunk Phantom deployment, you must do this procedure on each Splunk Phantom node.  

WARNING: If you lose or forget the encryption passphrase, you cannot mount the Splunk Phantom keystore partition. 

  1.  SSH to your Splunk Phantom deployment. 

  2.  As root, or a user with sudo permissions, install the disk encryption package and any dependencies.
    # yum install cryptsetup-luks

  3.  Make a backup of the keystore partition.
    # mkdir /root/keystore
    # cp -p --preserve=context /opt/phantom/keystore/* /root/keystore

  4.  Unmount the keystore partition.
    # umount /opt/phantom/keystore

  5.  Format the keystore partition as an encrypted volume.
    # cryptsetup luksFormat /dev/mapper/centos-opt_phantom_keystore

  6.  Unlock the encrypted volume.
    # cryptsetup luksOpen /dev/mapper/centos-opt_phantom_keystore keystore

  7.  Create the filesystem on the encrypted volume.
    # mkfs.ext4 /dev/mapper/keystore

  8.  Edit /etc/crypttab to add this line:
    keystore /dev/mapper/centos-opt_phantom_keystore none luks

  9.  Edit /etc/fstab. Modify the keystore line from:

    to this:
    /dev/mapper/keystore /opt/phantom/keystore   ext4    defaults,noexec,nosuid,nodev        1 2

  10. Mount the encrypted volume.
    # mount /opt/phantom/keystore

  11. Move the backup of the keystore to the encrypted volume. 
    # mv /root/keystore/* /opt/phantom/keystore 

  12. Disable the Splunk Phantom boot splash screen. Edit /etc/default/grub and remove the 'rhgb' parameter from this line:
    GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet splash vga=791" 

  13. Reboot your Splunk Phantom instance.
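
The thirteen steps above, collected into one script so the whole change can be reviewed before the maintenance window. This is an added example, not Splunk's code or anything from the original post. It assumes the CentOS 7 LVM device name and mount point used in the steps, treats DRY_RUN=1 (the default) as print-only, copies and verifies the backup instead of moving it, and adds one command the post does not list, grub2-mkconfig, which on CentOS 7 is needed for an edit to /etc/default/grub to take effect (that addition is an assumption made here). The helper functions that build the /etc/crypttab and /etc/fstab lines and compare the restored keystore against the backup run on any machine without touching a disk.

```sh
#!/bin/sh
# Added example (not Splunk's code): the keystore encryption procedure for a
# Splunk Phantom 4.x node as a reviewable script. Assumptions not taken from
# the post: DRY_RUN=1 only prints privileged commands; grub2-mkconfig is run
# after the /etc/default/grub edit (CentOS 7 does not apply that edit
# otherwise); step 11 copies, verifies with cmp, then removes the backup.

KEYSTORE_DEV="/dev/mapper/centos-opt_phantom_keystore"   # LVM volume named in the post
KEYSTORE_MNT="/opt/phantom/keystore"
MAPPER_NAME="keystore"                                   # name handed to luksOpen
BACKUP_DIR="/root/keystore"

# /etc/crypttab entry from step 8.
crypttab_line() {
    printf '%s %s none luks' "$MAPPER_NAME" "$KEYSTORE_DEV"
}

# Replacement /etc/fstab entry from step 9.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults,noexec,nosuid,nodev 1 2' \
        "$MAPPER_NAME" "$KEYSTORE_MNT"
}

# Returns 0 only if an fstab line keeps every hardening option the post's
# line carries (noexec, nosuid, nodev); catches a hand edit that drops one.
fstab_line_is_hardened() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Returns 0 when every file in directory $1 has a byte-identical copy in $2;
# used before the backup copy of the keystore is deleted.
files_match() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        cmp -s "$f" "$2/$(basename "$f")" || return 1
    done
    return 0
}

# Print the command under DRY_RUN=1 (default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

encrypt_keystore() {
    run yum install -y cryptsetup-luks                               # step 2
    run mkdir -p "$BACKUP_DIR"                                       # step 3
    run cp -pr --preserve=context "$KEYSTORE_MNT/." "$BACKUP_DIR"
    run umount "$KEYSTORE_MNT"                                       # step 4
    run cryptsetup luksFormat "$KEYSTORE_DEV"                        # step 5, prompts for the passphrase
    run cryptsetup luksOpen "$KEYSTORE_DEV" "$MAPPER_NAME"           # step 6
    run mkfs.ext4 "/dev/mapper/$MAPPER_NAME"                         # step 7
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '+ append to /etc/crypttab: %s\n' "$(crypttab_line)"  # step 8
        printf '+ replace the %s line in /etc/fstab with: %s\n' "$KEYSTORE_MNT" "$(fstab_line)"  # step 9
    else
        crypttab_line >> /etc/crypttab; printf '\n' >> /etc/crypttab
        # drop the old keystore mount line, then add the encrypted one
        sed -i "\#[[:space:]]$KEYSTORE_MNT[[:space:]]#d" /etc/fstab
        fstab_line >> /etc/fstab; printf '\n' >> /etc/fstab
        fstab_line_is_hardened "$(grep -F "$KEYSTORE_MNT" /etc/fstab | tail -n 1)" || exit 1
    fi
    run mount "$KEYSTORE_MNT"                                        # step 10
    run cp -pr --preserve=context "$BACKUP_DIR/." "$KEYSTORE_MNT"    # step 11: copy, verify, then remove
    if [ "${DRY_RUN:-1}" != "1" ]; then
        files_match "$BACKUP_DIR" "$KEYSTORE_MNT" || { echo "restore mismatch, backup kept" >&2; exit 1; }
        rm -rf "$BACKUP_DIR"
    fi
    run sed -i 's/ rhgb//' /etc/default/grub                         # step 12
    run grub2-mkconfig -o /boot/grub2/grub.cfg                       # assumption, see header
    echo "Reboot the node to finish (step 13); the passphrase is requested at boot."
}

if [ "${1:-}" = "--encrypt" ]; then
    encrypt_keystore
fi
```

Run it once with the default DRY_RUN=1 to read the command list, then with DRY_RUN=0 and the --encrypt argument on each node of a cluster. luksFormat and luksOpen prompt for the passphrase interactively, the fstab line is re-checked for noexec,nosuid,nodev after the edit, and the copy in /root/keystore is removed only after cmp confirms every file was restored onto the encrypted volume.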


Check to make sure Splunk Phantom is decrypting credentials. 

  1. Log in to the Splunk Phantom web UI.
  2. From the Main Menu select Apps.
  3. Choose an app that requires credentials such as a username and password or authentication token. 
  4. Select a configured asset. 
  5. From the app's Asset Settings tab, click Test Connectivity.


If Splunk Phantom does not mount the keystore partition: 

  1. SSH into your Splunk Phantom instance as root or a user with sudo permissions.

  2. Run this command:
    # mount / -o remount

If there are errors in either /etc/crypttab or /etc/fstab, correct them, then reboot Splunk Phantom. 
