CME-407

Data-at-Rest Encryption (LUKS/dm-crypt)

Description

Encrypts data volumes and partitions at the block device layer using LUKS2/dm-crypt, ensuring that sensitive data including credentials, tokens, PII, and configuration secrets is encrypted when stored on disk. Prevents unauthorized data access through physical media theft, backup exposure, or filesystem-level read vulnerabilities. Combined with TPM-backed key sealing, provides boot-time integrity verification and automatic unlocking for authorized systems.

CVSS Vector Impacts

Metric: Confidentiality (C)
Transition: H -> L
Rationale: Even if an attacker gains file read access through a path traversal or application vulnerability, the underlying block device encryption prevents reading the actual cleartext data without the encryption key.

CWE Relationships

Verification

Check for LUKS-encrypted volumes

$ lsblk -o NAME,TYPE,FSTYPE | grep crypt
# Expected: at least one line whose TYPE column is crypt (an active dm-crypt mapping).
# Note: "grep crypt" also matches FSTYPE crypto_LUKS, i.e. the LUKS container itself.
Platform: linux
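As an added example (not part of the CME-407 entry or its tooling), the following Python check goes beyond the grep above: it parses `lsblk -J` output and reports which required mount points are not backed by a dm-crypt mapping, following the device tree through LVM layers stacked on a LUKS container. The sample lsblk output and the list of required mount points are constructed for this example.

```python
import json
from typing import Dict, List

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (not captured
# from a real host): / and /home are LVM volumes on a LUKS container, /data is plain ext4.
SAMPLE_LSBLK_JSON = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
    {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
    {"name": "vg0-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}]}]}]},
 {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"}]}]}"""


def encrypted_mounts(lsblk_json: str) -> Dict[str, bool]:
    """Map each mount point in the lsblk tree to True when a dm-crypt mapping
    (a node of TYPE 'crypt') lies on its ancestor path, else False.
    Note: this shows the data is encrypted on the media; once the mapping is
    open and mounted, processes reading the filesystem still see cleartext."""
    result: Dict[str, bool] = {}

    def walk(node: dict, under_crypt: bool) -> None:
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint"):
            result[node["mountpoint"]] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def unencrypted_sensitive(lsblk_json: str, required: List[str]) -> List[str]:
    """Return the required mount points that are missing or not backed by dm-crypt;
    an empty list means the control holds for every listed path."""
    mounts = encrypted_mounts(lsblk_json)
    return [mp for mp in required if not mounts.get(mp, False)]


if __name__ == "__main__":
    # /boot/efi is deliberately not required: the EFI system partition cannot be LUKS-encrypted.
    # On a live Linux host, replace SAMPLE_LSBLK_JSON with the output of
    #   subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)
    print(unencrypted_sensitive(SAMPLE_LSBLK_JSON, ["/", "/home", "/data", "/var"]))
```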