Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| checkId | plugin | severity | tags |
|---|---|---|---|
| check.security.encryption | stellaops.doctor.security | warn | |
# Encryption Keys

## What It Checks
Validates encryption key configuration and algorithms. The check only runs when an encryption configuration section exists (Encryption, DataProtection, or Cryptography). It inspects:

| Setting | Threshold/Condition | Severity |
|---|---|---|
| Algorithm | Contains DES, 3DES, RC4, MD5, or SHA1 | fail — weak algorithm |
| KeySize | Less than 128 bits | fail — key too small |
| KeyRotationDays | Greater than 365 | warn — infrequent rotation |
| DataProtection:KeysPath | Directory does not exist | warn — keys path missing |

Defaults if not explicitly configured: algorithm is AES-256.

Evidence collected includes: configured algorithm, key size, key rotation period, and data protection keys path.
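The following is an added, stand-alone Python model of the thresholds in the table above; it is not the Doctor plugin's own code. It assumes a nested configuration dictionary shaped like appsettings.json (a small `parse_env` helper also accepts the `Section__Key` environment-variable form used in the Docker Compose fix), treats a missing `KeyRotationDays` as a warning to match the "Common Causes" list, and takes the directory-existence test as an injectable function so the logic can be exercised without touching the filesystem. Function and class names (`run_check`, `CheckResult`, `Finding`) are illustrative and not names from the project.

```python
import os
from dataclasses import dataclass, field

# Thresholds as listed in the check's table (substring match, case-insensitive).
WEAK_ALGORITHM_TOKENS = ("DES", "3DES", "RC4", "MD5", "SHA1")
MIN_KEY_SIZE_BITS = 128
MAX_ROTATION_DAYS = 365
DEFAULT_ALGORITHM = "AES-256"
# The check only runs when one of these sections is present.
ENCRYPTION_SECTIONS = ("Encryption", "DataProtection", "Cryptography")


@dataclass
class Finding:
    severity: str  # "fail" or "warn"
    message: str


@dataclass
class CheckResult:
    check_id: str = "check.security.encryption"
    status: str = "skip"  # skip | pass | warn | fail
    findings: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)


def parse_env(environ):
    """Turn ASP.NET-style 'Section__Key' variables into nested dicts
    (hypothetical helper; mirrors how the Compose fix supplies settings)."""
    config = {}
    for key, value in environ.items():
        parts = key.split("__")
        node = config
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return config


def run_check(config, path_exists=os.path.isdir):
    """Evaluate the encryption configuration and return a CheckResult."""
    result = CheckResult()
    if not any(section in config for section in ENCRYPTION_SECTIONS):
        return result  # no relevant section: the check is skipped

    enc = config.get("Encryption", {})
    dp = config.get("DataProtection", {})
    algorithm = str(enc.get("Algorithm", DEFAULT_ALGORITHM))
    key_size = enc.get("KeySize")
    rotation_days = enc.get("KeyRotationDays")
    keys_path = dp.get("KeysPath")

    # Evidence: the same four fields the article says the check records.
    result.evidence = {
        "algorithm": algorithm,
        "keySize": key_size,
        "keyRotationDays": rotation_days,
        "keysPath": keys_path,
    }

    upper = algorithm.upper()
    if any(token in upper for token in WEAK_ALGORITHM_TOKENS):
        result.findings.append(Finding("fail", f"weak algorithm: {algorithm}"))
    if key_size is not None and int(key_size) < MIN_KEY_SIZE_BITS:
        result.findings.append(Finding("fail", f"key too small: {key_size} bits"))
    if rotation_days is None:
        # Assumption: "not configured" counts as infrequent rotation (Common Causes).
        result.findings.append(Finding("warn", "key rotation not configured"))
    elif int(rotation_days) > MAX_ROTATION_DAYS:
        result.findings.append(Finding("warn", f"infrequent rotation: {rotation_days} days"))
    if keys_path and not path_exists(keys_path):
        result.findings.append(Finding("warn", f"keys path missing: {keys_path}"))

    severities = {f.severity for f in result.findings}
    if "fail" in severities:
        result.status = "fail"
    elif "warn" in severities:
        result.status = "warn"
    else:
        result.status = "pass"
    return result


if __name__ == "__main__":
    # Constructed sample: the Compose environment from the "How to Fix" section.
    sample_env = {
        "Encryption__Algorithm": "AES-256",
        "Encryption__KeySize": "256",
        "Encryption__KeyRotationDays": "90",
        "DataProtection__KeysPath": "/app/keys",
    }
    outcome = run_check(parse_env(sample_env))
    print(outcome.status, [f.message for f in outcome.findings])
```

Running the sample directly reports `warn` on a machine where `/app/keys` does not exist and `pass` where it does, which is exactly the case the fix sections address by creating the directory or mounting a volume.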
## Why It Matters

Encryption protects data at rest, and the data protection keys used by ASP.NET Core protect cookies, anti-forgery tokens, and TempData. Weak algorithms (DES, 3DES, RC4) have known vulnerabilities and can be broken with modern hardware. Small key sizes reduce the keyspace, making brute-force attacks feasible. Without key rotation, a compromised key provides indefinite access to all encrypted data.
## Common Causes
- Weak encryption algorithm configured (DES, 3DES, RC4, MD5, SHA1)
- Encryption key size too small (less than 128 bits)
- Key rotation period greater than 365 days or not configured
- Data protection keys directory does not exist on disk
## How to Fix

### Docker Compose

Set encryption configuration:

```yaml
environment:
  Encryption__Algorithm: "AES-256"
  Encryption__KeySize: "256"
  Encryption__KeyRotationDays: "90"
  DataProtection__KeysPath: "/app/keys"
volumes:
  - stellaops-keys:/app/keys
```
### Bare Metal / systemd

Edit appsettings.json:

```json
{
  "Encryption": {
    "Algorithm": "AES-256",
    "KeySize": 256,
    "KeyRotationDays": 90
  },
  "DataProtection": {
    "KeysPath": "/var/lib/stellaops/keys"
  }
}
```

Create the keys directory:

```bash
sudo mkdir -p /var/lib/stellaops/keys
sudo chown stellaops:stellaops /var/lib/stellaops/keys
sudo chmod 700 /var/lib/stellaops/keys
```
### Kubernetes / Helm

Set in Helm values and use a PersistentVolume for key storage:

```yaml
encryption:
  algorithm: "AES-256"
  keySize: 256
  keyRotationDays: 90
dataProtection:
  persistentVolume:
    enabled: true
    size: "100Mi"
```
## Verification

```bash
stella doctor run --check check.security.encryption
```
## Related Checks

- check.core.crypto.available — verifies cryptographic algorithms are available at the OS level
- check.security.secrets — ensures encryption keys are not stored as plain text in configuration
- check.security.tls.certificate — validates TLS certificate for encryption in transit