• Cryptography
  • Metadata
  • All encryption shall use the best reasonably available encryption standards
  • Encryption methods
  • File encryption
  • Full-drive encryption
  • Encryption keys
  • Legal compliance
  • Enforcement
  • References

Cryptography

MedStack Confidential

Metadata

• responsible officer: CTO
• date
  • effective: 2018-06-20
  • revised: 2018-05-15
  • reviewed: 2018-06-20

All encryption shall use the best reasonably available encryption standards

• AES-256 cipher
• 2048-bit keys

Encryption methods

• Only standard encryption methods will be used.
• Use independent expert guidance to determine what protocols and configurations to use.
• Keep protocols and configurations up to date when older versions are found to be insecure.

File encryption

• PGP encryption using Gnu Privacy Guard (GPG) shall be used for encrypting files and archives.

Full-drive encryption

• Drives shall be encrypted using LUKS or a drive-encryption system provided by the Cloud Provider.
  • LUKS (Linux Unified Key System) when used shall be encrypted using dm-crypt and the following parameters
    • The cipher suite used is AES-XTS-Plain64
    • The key size of 512 is split in half by XTS, resulting in AES256
    • The Hash algorithm for key derivation is SHA256
    • Iteration time for PBKDF2 is 2000ms
    • The random number generator is urandom

Encryption keys

• Restrict the installation of keys as much as reasonably possible
  • Store encryption (public) on the server that performs the encryption.
  • Do not store decryption (private) keys on a server unless they are needed.
  • Maintain a physically secured digital archive of the decryption keys.
• Protect keys from unauthorized use and copying
  • Password-protect key stores where possible (such as on development systems)
• Rotate keys when
  • a suspected breach occurs
  • an entity with access to the key must have their access removed

    Code	Section	Title	Text
    ISO	A.10.1.2	Key management	A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

Legal compliance

• Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

  Code	Section	Title	Text
  ISO	A.18.1.5	Regulation of cryptographic controls	Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title	Text
ISO	A.10.1	Cryptographic controls	Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authen- ticity and/or integrity of information.
ISO	A.10.1.1	Policy on the use of cryptographic controls	A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
HIPAA	164.312(a)(2)(iv)	Encryption and decryption	Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

November 13, 2019

Powered by