Disk Encryption for FortiSIEM Hardware Appliance

This document provides instructions for encrypting disks on a FortiSIEM hardware appliance with EventDB on local disk. If the appliance is utilizing NFS or Elastic storage, additional steps will need to be performed for the actual data directories on these servers in addition to the Supervisor.

Key Notes:

  1. Disk encryption must be done before FortiSIEM is installed.

  2. Do not encrypt the root disk as it presents an operational challenge during boot up to provide a passphrase. The root disk contains binaries and some internal system and application logs, not data.

  3. Disk encryption key management is an operational challenge. If you want strong security, then you must protect encryption keys with a passphrase and that requires a human to type them and mount the “opened” disks. The less secure alternative is to use keys that are not protected by a passphrase and stored in a file on the root partition.

  4. On an existing installation, first back up the 3 volumes to another remote location, then encrypt the disks, and then copy the data back.

Follow these steps for a freshly installed FortiSIEM.

Step 0: Download the Encryption Package

Step 1: Backup Current Directories

Step 2: Encrypt each Non-Event-Data Disk

Step 3: Restore /opt and /querydata

Step 4: Initialize FortiSIEM

Step 5: Encrypt Disk Data for /data

Step 0: Download the Encryption Package

Step 0.a Setup Network Connectivity

Make sure you have network connectivity. If DHCP is not set up in your network to receive network parameters automatically, then temporarily set up a static network IP and DNS configuration to allow you to perform Step 0.b below.

Run the following commands after substituting actual values for <ipaddr>, <netmask>, <gateway>, and <dns-ip>.

ifconfig eth0 <ipaddr> netmask <netmask>
route add default gw <gateway> eth0
echo "nameserver <dns-ip>" > /etc/resolv.conf

Step 0.b Download and Install

The cryptsetup package is not included in FortiSIEM. Take the following steps to install this package.

  • To install, run the following command:

    dnf install cryptsetup -y

  • To verify that the package is installed, run the following command:

    dnf list installed cryptsetup

Step 0.c Keep Record of Key Directory Permissions and Ownerships

Keep a record of ownership and permissions for the directories that will be encrypted: /svn, /cmdb, /opt and /querydata. If either changes after the restore, FortiSIEM may not work correctly, and the recorded listings are the reference for corrective action.

# ls -Rla <path> > /tmp/<path>.out

For root path:

# ls -la / | grep "opt\|svn\|cmdb\|querydata" > /tmp/rootpath.out

Example:

# ls -Rla /opt > /tmp/opt.out

# ls -Rla /svn > /tmp/svn.out

# ls -Rla /querydata > /tmp/querydata.out

# ls -Rla /cmdb > /tmp/cmdb.out

Step 1: Backup Current Directories

Back up the non-empty directories /opt and /querydata, since the encryption steps require these disks to be wiped before they are encrypted.

# tar cvzf /tmp/opt.tgz /opt

# tar cvzf /tmp/querydata.tgz /querydata

Step 2: Encrypt each Non-Event-Data Disk

Follow the instructions below to encrypt the following non-event-data disks: /cmdb, /svn, /querydata and /opt. Repeat steps 2a – 2h for each of these disks.

Step 2a: Unmount the Filesystem

Use umount to unmount each disk.

# umount <disk name>

Examples:

# umount /opt

# umount /cmdb

# umount /svn

# umount /querydata

Step 2b: Wipe the Disks of Previous Filesystem and Partition Information

Use wipefs to clear the existing filesystem and partition information from each disk.

# wipefs --all /dev/mapper/<VOLUME NAME>

Examples:

# wipefs --all /dev/mapper/FSIEM3500G-phx_opt

# wipefs --all /dev/mapper/FSIEM3500G-phx_cmdb

# wipefs --all /dev/mapper/FSIEM3500G-phx_svn

# wipefs --all /dev/mapper/FSIEM3500G-phx_querydata

Step 2c: Format LUKS Disk and Add one Key

Run the following command to format the volume as a LUKS device. It prompts for a passphrase, which becomes the key in keyslot 0.

# cryptsetup luksFormat /dev/mapper/<VOLUME NAME>

Examples:

# cryptsetup luksFormat /dev/mapper/FSIEM3500G-phx_opt

# cryptsetup luksFormat /dev/mapper/FSIEM3500G-phx_cmdb

# cryptsetup luksFormat /dev/mapper/FSIEM3500G-phx_svn

# cryptsetup luksFormat /dev/mapper/FSIEM3500G-phx_querydata

WARNING!
========
This will overwrite data on /dev/mapper/FSIEM3500G-phx_cmdb irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/mapper/FSIEM3500G-phx_cmdb:
Verify passphrase:

There are ~32 keyslots in total for additional keys, which can be used to give multiple administrators the ability to unlock the disks, or for periodic key rotation.

The following command can be used to dump information about different slots.

# cryptsetup luksDump /dev/mapper/<VOLUME_NAME>

Examples:

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_opt

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_cmdb

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_svn

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_querydata

Step 2d: Add a New Key to LUKS Disk

Create a new random key for keyslot 1 by running the following command.

# dd if=/dev/random of=/etc/enc<disk_name>key bs=512 count=1

Examples:

# dd if=/dev/random of=/etc/encoptkey bs=512 count=1

# dd if=/dev/random of=/etc/enccmdbkey bs=512 count=1

# dd if=/dev/random of=/etc/encsvnkey bs=512 count=1

# dd if=/dev/random of=/etc/encquerydatakey bs=512 count=1

Use the cryptsetup command with the luksAddKey option to add the key file as a new LUKS key for the target disk. You will be prompted for the keyslot 0 passphrase from step 2c to authorize the addition.

# cryptsetup luksAddKey /dev/mapper/<VOLUME NAME> /etc/enc<disk_name>key

After this, two keyslots are enabled: keyslot 0 contains the passphrase entered at luksFormat time, and keyslot 1 contains the random key that was written to the file in step 2d.

Examples:

# cryptsetup luksAddKey /dev/mapper/FSIEM3500G-phx_opt /etc/encoptkey

# cryptsetup luksAddKey /dev/mapper/FSIEM3500G-phx_cmdb /etc/enccmdbkey

# cryptsetup luksAddKey /dev/mapper/FSIEM3500G-phx_svn /etc/encsvnkey

# cryptsetup luksAddKey /dev/mapper/FSIEM3500G-phx_querydata /etc/encquerydatakey

The following command can be used to dump the target volume information and keys.

# cryptsetup luksDump /dev/mapper/<VOLUME_NAME>

Examples:

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_opt

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_cmdb

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_svn

# cryptsetup luksDump /dev/mapper/FSIEM3500G-phx_querydata

Step 2e: Open the Encrypted Disk

Use the cryptsetup command with the luksOpen option to open the encrypted target disk and provide a new encrypted volume name.

# cryptsetup luksOpen /dev/mapper/<VOLUME_NAME> <ENCRYPTED_VOLUME_NAME> --key-file /etc/enc<disk_name>key

Examples:

# cryptsetup luksOpen /dev/mapper/FSIEM3500G-phx_opt encryptedOpt --key-file /etc/encoptkey

# cryptsetup luksOpen /dev/mapper/FSIEM3500G-phx_cmdb encryptedCmdb --key-file /etc/enccmdbkey

# cryptsetup luksOpen /dev/mapper/FSIEM3500G-phx_svn encryptedSvn --key-file /etc/encsvnkey

# cryptsetup luksOpen /dev/mapper/FSIEM3500G-phx_querydata encryptedQuerydata --key-file /etc/encquerydatakey

Step 2f: Allow the Encrypted Disk to Open on Boot

Create an entry in /etc/crypttab, which will open the encrypted disk at boot time using the keyslot 1 key file you saved above.

# echo "<ENCRYPTED_VOLUME_NAME> /dev/mapper/<VOLUME NAME> /etc/enc<disk_name>key luks" >> /etc/crypttab

Examples:

# echo "encryptedOpt /dev/mapper/FSIEM3500G-phx_opt /etc/encoptkey luks" >> /etc/crypttab

# echo "encryptedCmdb /dev/mapper/FSIEM3500G-phx_cmdb /etc/enccmdbkey luks" >> /etc/crypttab

# echo "encryptedSvn /dev/mapper/FSIEM3500G-phx_svn /etc/encsvnkey luks" >> /etc/crypttab

# echo "encryptedQuerydata /dev/mapper/FSIEM3500G-phx_querydata /etc/encquerydatakey luks" >> /etc/crypttab

Step 2g: Create an xfs Filesystem on the “Opened” Encrypted Disk

Use the mkfs.xfs command to create an xfs file system on the disk.

# mkfs.xfs /dev/mapper/<ENCRYPTED_VOLUME_NAME>

Examples:

# mkfs.xfs /dev/mapper/encryptedOpt

# mkfs.xfs /dev/mapper/encryptedCmdb

# mkfs.xfs /dev/mapper/encryptedSvn

# mkfs.xfs /dev/mapper/encryptedQuerydata

Step 2h: Replace the Mount Point

Next, configure /etc/fstab to mount the new encrypted volumes in place of the old volume names.

Prerequisite

Back up /etc/fstab before modifying it, then edit it as follows.

  1. Run the following command to back up your file.

    # cp -a /etc/fstab /etc/fstab.original

  2. Next, run vi, or some other text editor.

    # vi /etc/fstab

  3. Find the line for the target disk: /opt, /cmdb, /svn, or /querydata.

  4. Replace that line with one of the following form:

    /dev/mapper/<ENCRYPTED VOLUME NAME> <DISK NAME> xfs defaults,nodev 0 1

    Examples:

    Original:

    /dev/mapper/FSIEM3500G-phx_opt /opt xfs defaults,noatime 0 0

    /dev/mapper/FSIEM3500G-phx_cmdb /cmdb xfs defaults,noatime 0 0

    /dev/mapper/FSIEM3500G-phx_svn /svn xfs defaults,noatime 0 0

    /dev/mapper/FSIEM3500G-phx_querydata /querydata xfs defaults,noatime 0 0

    Change to:

    /dev/mapper/encryptedOpt /opt xfs defaults,nodev 0 1

    /dev/mapper/encryptedCmdb /cmdb xfs defaults,nodev 0 1

    /dev/mapper/encryptedSvn /svn xfs defaults,nodev 0 1

    /dev/mapper/encryptedQuerydata /querydata xfs defaults,nodev 0 1

Mounting the Encrypted Disk

Use the mount command to remount the encrypted volume.

# mount <DISK_NAME>

Examples:

# mount /opt

# mount /cmdb

# mount /svn

# mount /querydata

Check that the volume is mounted correctly by running the df command.

# df <disk_name>

Examples:

# df /opt
Filesystem               1K-blocks    Used Available Use% Mounted on
/dev/mapper/encryptedOpt 524015116 3687456 520327660   1% /opt

# df /cmdb
Filesystem                1K-blocks   Used Available Use% Mounted on
/dev/mapper/encryptedCmdb 125751296 910576 124840720   1% /cmdb

# df /svn
Filesystem               1K-blocks   Used Available Use% Mounted on
/dev/mapper/encryptedSvn 125751296 910576 124840720   1% /svn

# df /querydata
Filesystem                     1K-blocks    Used Available Use% Mounted on
/dev/mapper/encryptedQuerydata 209596416 1495124 208101292   1% /querydata
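The per-disk loop in Steps 2a through 2h, plus a pre-reboot consistency check of /etc/crypttab against /etc/fstab, as an added shell example. This is not Fortinet's code; it follows the naming in the document's examples (LV FSIEM3500G-phx_opt, mapping encryptedOpt, key file /etc/encoptkey) and assumes the volume-group prefix FSIEM3500G-phx, which can be overridden with VG_PREFIX on an appliance whose lsblk output differs. Two additions beyond the document are marked in the comments: the key file is set to mode 0400 so that only root can read it, and /etc/fstab.original is written only once so the first backup survives the second disk. The same function applies to /data in Step 5.

```shell
#!/bin/sh
# Added example, not part of the Fortinet document: wraps Steps 2a-2h for one
# disk in a single function so that /opt, /cmdb, /svn, /querydata (and /data in
# Step 5) are handled identically, and audits /etc/crypttab against /etc/fstab
# before the reboot. Naming follows the document's examples:
#   LV /dev/mapper/FSIEM3500G-phx_opt -> mapping encryptedOpt -> key /etc/encoptkey
set -eu

VG_PREFIX="${VG_PREFIX:-FSIEM3500G-phx}"   # assumed volume-group prefix; check with lsblk

disk_name()    { printf '%s\n' "${1#/}"; }                                # /opt -> opt
lv_device()    { printf '/dev/mapper/%s_%s\n' "$VG_PREFIX" "$(disk_name "$1")"; }
keyfile_path() { printf '/etc/enc%skey\n' "$(disk_name "$1")"; }          # /opt -> /etc/encoptkey
mapper_name() {                                                           # /opt -> encryptedOpt
  d=$(disk_name "$1")
  printf 'encrypted%s%s\n' "$(printf '%s' "$d" | cut -c1 | tr '[:lower:]' '[:upper:]')" \
                           "$(printf '%s' "$d" | cut -c2-)"
}
crypttab_line() { printf '%s %s %s luks\n' "$(mapper_name "$1")" "$(lv_device "$1")" "$(keyfile_path "$1")"; }
fstab_line()    { printf '/dev/mapper/%s %s xfs defaults,nodev 0 1\n' "$(mapper_name "$1")" "$1"; }

# Replace the fstab line whose mount point is $1 (in file $2); append if absent.
replace_fstab_entry() {
  new=$(fstab_line "$1")
  awk -v mnt="$1" -v new="$new" '
    $2 == mnt && !done { print new; done = 1; next }
    { print }
    END { if (!done) print new }' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Before rebooting: every /dev/mapper/encrypted* mount in fstab ($2) needs a
# crypttab ($1) entry of the same name whose key file exists and is mode 0400.
# Prints one line per problem and returns 1; silent and 0 when consistent.
audit_boot_config() {
  problems=$(awk '$1 ~ /^\/dev\/mapper\/encrypted/ { sub(/^\/dev\/mapper\//, "", $1); print $1, $2 }' "$2" |
    while read -r map mnt; do
      key=$(awk -v m="$map" '$1 == m { print $3 }' "$1")
      if [ -z "$key" ]; then echo "$mnt: no crypttab entry named $map"
      elif [ ! -f "$key" ]; then echo "$mnt: key file $key missing"
      elif [ -n "$(find "$key" ! -perm 0400)" ]; then echo "$mnt: key file $key is not mode 0400"
      fi
    done)
  [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}

# Steps 2a-2h for one mount point. This wipes the existing filesystem, as the
# document warns, so back the directory up first (Step 1 / Step 5b).
encrypt_fsiem_disk() {
  mnt=$1; dev=$(lv_device "$mnt"); key=$(keyfile_path "$mnt"); map=$(mapper_name "$mnt")
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  umount "$mnt"                                        # 2a
  wipefs --all "$dev"                                  # 2b
  cryptsetup luksFormat "$dev"                         # 2c: prompts for the slot-0 passphrase
  dd if=/dev/random of="$key" bs=512 count=1           # 2d: random key for slot 1
  chmod 0400 "$key"                                    # added: key file readable by root only
  cryptsetup luksAddKey "$dev" "$key"                  # prompts for the slot-0 passphrase
  cryptsetup luksOpen "$dev" "$map" --key-file "$key"  # 2e
  crypttab_line "$mnt" >> /etc/crypttab                # 2f
  mkfs.xfs "/dev/mapper/$map"                          # 2g
  [ -e /etc/fstab.original ] || cp -a /etc/fstab /etc/fstab.original  # 2h: added guard, keep first backup
  replace_fstab_entry "$mnt" /etc/fstab
  mount "$mnt" && df "$mnt"
}

# Usage on the appliance, as root:
#   for d in /opt /cmdb /svn /querydata; do encrypt_fsiem_disk "$d"; done
#   audit_boot_config /etc/crypttab /etc/fstab && reboot
```

The audit deliberately checks only mappings named encrypted*, matching the document's convention, so unrelated LVM mounts that are legitimately unencrypted are not reported.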

Step 3: Restore /opt and /querydata

Because the data from /opt and /querydata was backed up to /tmp, restore it onto the corresponding disks now. Run the following as root.

# cd /

# mv /tmp/opt.tgz /

# mv /tmp/querydata.tgz /

# tar xvzf opt.tgz

# tar xvzf querydata.tgz

Validate the file structure, ownership and permissions by comparing the restored data with the listings recorded in step 0.c under /tmp.

/tmp:
-rw-r--r--   1 root root        122 Feb  8 20:26 cmdb.out
-rw-r--r--   1 root root    6300087 Feb  8 20:26 opt.out
-rw-r--r--   1 root root        902 Feb  8 20:32 querydata.out
-rw-r--r--   1 root root        113 Feb  8 20:27 svn.out
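The comparison that Step 0.c and Step 3 call for, as an added shell example that is not part of the Fortinet document: it reads an ls -Rla listing recorded before encryption (such as /tmp/opt.out) and a fresh listing taken after the restore, and reports every path whose mode, owner or group differs. Sizes and timestamps are ignored on purpose, since only ownership and permissions are what the document says FortiSIEM depends on. The listing format assumed is the default ls -Rla output shown on this page; the sample listings in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Fortinet document: compare an "ls -Rla"
# listing recorded in Step 0.c (for example /tmp/opt.out) with a fresh listing
# taken after the restore in Step 3, and report every path whose mode, owner
# or group changed.
set -eu

# compare_listing BEFORE AFTER
# Prints "path: old-attrs -> new-attrs" per changed path and returns 1 if any
# path changed or vanished; prints nothing and returns 0 when all match.
compare_listing() {
  awk '
    # Entry line: mode, links, owner, group, size, date (3 fields), name...
    NF >= 9 && $1 ~ /^[-dlcbsp]/ {
      name = $9
      for (i = 10; i <= NF; i++) name = name " " $i   # names containing spaces
      sub(/ -> .*/, "", name)                          # drop a symlink target
      if (name == "." || name == "..") next
      path = dir "/" name
      attrs = $1 " " $3 " " $4                         # mode owner group
      if (NR == FNR) before[path] = attrs
      else after[path] = attrs
      next
    }
    # Directory header produced by -R, e.g. "/opt/phoenix:"
    /:$/ { dir = substr($0, 1, length($0) - 1); next }
    END {
      rc = 0
      for (p in before) {
        if (!(p in after)) { printf "%s: missing after restore\n", p; rc = 1 }
        else if (before[p] != after[p]) { printf "%s: %s -> %s\n", p, before[p], after[p]; rc = 1 }
      }
      exit rc
    }' "$1" "$2"
}

# On the appliance, after Step 3:
#   ls -Rla /opt > /tmp/opt.after && compare_listing /tmp/opt.out /tmp/opt.after
```

Run it once per directory (/opt, /svn, /cmdb, /querydata, and /data after Step 5c); a non-zero exit with a printed path is the cue to restore that path's ownership or mode from the recorded listing.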

Lastly, reboot the FortiSIEM appliance to verify persistent mounting of the encrypted disks.

# reboot

Step 4: Initialize FortiSIEM

This involves the following steps:

  1. Run configFSM.sh as usual, and complete the system install.

  2. Upload a license to the system.

  3. Configure local storage with the 'hardware' keyword, which will mount /data. FortiSIEM is now fully up and running, except that /data is not encrypted.

  4. Stop all services.

  5. Backup the files from /data to another disk (they will be small).

  6. Follow Step 5 for /data.

Step 5: Encrypt Disk Data for /data

Encrypting the data disk can only be performed after FortiSIEM has been initialized fully, the license has been uploaded, and the online storage configured from the GUI. This is because the storage scripts create LVM volumes and mount them without encryption first.

Step 5a: Stop all Services

# phtools --stop ALL

# systemctl stop crond

# systemctl stop phxctl.service

# systemctl stop phFortiInsightAI.service

# systemctl stop svnlite.service

# phxctl stop

# systemctl stop rsyslog

# /opt/glassfish/bin/asadmin stop-domain domain1

# systemctl stop postgresql-13

Step 5b: Backup /data into /opt/

# ls -Rla /data > /tmp/data.out

# cd /data

# tar cvzf /opt/data.tgz .

Using . rather than * includes dot-files and stores the members relative to /data, so the archive can be extracted straight back into /data.

Step 5c: Now Follow Step 2 to Apply to /data

Replace the volume name, disk name, encryption key file name, and device mapper names appropriately.

Once /data is remounted, restore the backed up files from the tarball in /opt/.

# cd /data

# tar xvzf /opt/data.tgz

Step 5d: Reboot the FortiSIEM Appliance

When the reboot has completed, SSH into the Supervisor and verify that the /data volume has mounted and services are running.

  1. Verify that the data disk has mounted.

    # df /data

  2. Verify that all processes have come up.

    # phstatus
