Purpose: Audit of encryption controls for data at rest and in transit across the VeriPath infrastructure.
Date: 15 May 2026
Evidence requirement: "Confirmation of encryption on devices (BitLocker/FileVault) and secure connections (HTTPS, VPN)"
The VPS uses a single ext4 partition (/dev/vda1) without LUKS or any full-disk encryption. All data stored on this disk inherits this risk:
| Data Asset | Location | Encrypted? |
|---|---|---|
| Root filesystem | /dev/vda1 ext4 | ❌ No |
| PostgreSQL databases | Docker volumes on /dev/vda1 | ❌ No |
| Docker overlay storage | /var/lib/docker/ on /dev/vda1 | ❌ No |
| Application code & config | /opt/, /etc/ on /dev/vda1 | ❌ No |
| Wiki.js page backups | /backups/wiki/ on /dev/vda1 | ❌ No |
| System backups | /root/backups/ on /dev/vda1 | ❌ No |
Risk: If the VPS disk is decommissioned, reallocated, or physically removed, all patient data, credentials, and configuration could be recovered without an encryption key.
Check whether the VPS provider offers encryption at the hypervisor/storage layer. Most providers (Hetzner, OVH, DigitalOcean, etc.) offer this as a toggle. The cloud-init configuration may identify the provider, but the provider's control panel or documentation is the authoritative place to confirm whether block-storage encryption is enabled:

```sh
# Check your provider (datasource/provider hints in the cloud-init config)
grep -i "name\|provider" /etc/cloud/cloud.cfg
```
If available, this is the simplest fix — no reinstall needed. The provider encrypts the block storage transparently.
If the provider does not offer managed encryption, the VPS must be reinstalled with LUKS full-disk encryption. After the reinstall, verify that the root filesystem is mounted from a LUKS mapping rather than directly from the partition:

```sh
lsblk -o NAME,FSTYPE,MOUNTPOINT | grep crypto   # expect a crypto_LUKS device above /
cryptsetup status vda1_crypt                    # mapping name depends on the installer
```
Regardless of the disk encryption outcome, backup files should also be individually encrypted:
```sh
# Encrypt a backup with GPG symmetric encryption
gpg --symmetric --cipher-algo AES256 /backups/wiki/pre_work/pre_20260515.sql.gz
# This creates pre_20260515.sql.gz.gpg — requires a passphrase to decrypt
```
This protects backup files if they are copied off-server or if the disk is compromised.
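The LUKS verification and the backup-encryption check above can be scripted so the evidence is regenerated on each audit. The following is an added example, not part of the audit or the VeriPath backup scripts; it assumes `lsblk -P -o NAME,FSTYPE,MOUNTPOINT,PKNAME` output saved to a file, and the lsblk lines and backup files below are constructed samples, not captures from the VPS.

```sh
#!/bin/sh
# root_on_luks: 0 if the device mounted at / has a parent whose FSTYPE is
# crypto_LUKS, 1 otherwise. $1 = file of lsblk key="value" pair lines.
root_on_luks() {
  parent=$(grep 'MOUNTPOINT="/"' "$1" | sed -n 's/.*PKNAME="\([^"]*\)".*/\1/p')
  [ -n "$parent" ] || return 1
  grep "^NAME=\"$parent\"" "$1" | grep -q 'FSTYPE="crypto_LUKS"'
}

# backups_encrypted: 0 if every file in $1 ends in .gpg AND starts with an
# OpenPGP symmetric-key session-key packet (tag 3: 0x8c old / 0xc3 new format),
# so a renamed plaintext dump does not pass. Prints offenders, returns 1.
backups_encrypted() {
  rc=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    tag=$(od -An -tx1 -N1 "$f" | tr -d ' ')
    case "$f" in
      *.gpg) case "$tag" in 8c|c3) continue ;; esac ;;
    esac
    echo "UNENCRYPTED: $f"; rc=1
  done
  return $rc
}

# Constructed sample inputs (hypothetical, not from the VeriPath VPS).
tmp=$(mktemp -d)
cat >"$tmp/plain.lsblk" <<'EOF'
NAME="vda" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="vda1" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="vda"
EOF
cat >"$tmp/luks.lsblk" <<'EOF'
NAME="vda" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="vda1" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="vda"
NAME="vda2" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="vda"
NAME="vda2_crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="vda2"
EOF
mkdir "$tmp/backups"
printf '\037\213fake-gzip' >"$tmp/backups/pre_20260515.sql.gz"     # plain gzip
printf '\214\015fake-pgp' >"$tmp/backups/pre_20260515.sql.gz.gpg"  # SKESK header

root_on_luks "$tmp/plain.lsblk" && echo "plain: LUKS" || echo "plain: no LUKS"
root_on_luks "$tmp/luks.lsblk"  && echo "luks: LUKS"  || echo "luks: no LUKS"
backups_encrypted "$tmp/backups" || echo "backup encryption shortfall"
```

On the real host, replace the constructed files with `lsblk -P -o NAME,FSTYPE,MOUNTPOINT,PKNAME > /tmp/lsblk.txt` and point `backups_encrypted` at /backups/wiki/ and /root/backups/.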
| Service | URL | TLS | Redirect |
|---|---|---|---|
| Website | veripath.co.uk | ✅ TLS 1.2/1.3 | HTTP → HTTPS |
| Wiki.js | wiki.veripath.co.uk | ✅ TLS 1.2/1.3 | HTTP → HTTPS |
| Keycloak | auth.veripath.co.uk | ✅ TLS 1.2/1.3 | HTTP → HTTPS |
| DefectDojo | security.veripath.co.uk | ✅ TLS 1.2/1.3 | HTTP → HTTPS |
| Forgejo | git.veripath.co.uk | ✅ TLS 1.2/1.3 | HTTP → HTTPS |
All external-facing services terminate TLS at nginx using valid certificates. HTTP traffic is redirected to HTTPS. No shortfall.
Recommendation: None required. Re-verify annually or when certificates are renewed.
Services communicate within a Docker bridge network (172.18.0.0/16) using plain HTTP and unencrypted PostgreSQL protocol. This is standard for containerised deployments because:
Risk: Low, provided the host is not compromised.
Recommendation: Accept the risk. Document that internal container traffic is not encrypted, consistent with standard practice for isolated Docker networks. If the VPS is ever exposed to a multi-tenant Docker environment, this should be revisited.
The DSPT requirement for "encryption on devices" refers to the workstations used by staff (your and Peter's laptops). This cannot be verified remotely from the VPS.
| User | Device | Check | Status |
|---|---|---|---|
| Matthew | [Your laptop] | BitLocker (Windows) or FileVault (macOS) enabled? | ⬜ Unconfirmed |
| Peter | [Peter's laptop] | BitLocker (Windows) or FileVault (macOS) enabled? | ⬜ Unconfirmed |
Windows (BitLocker):
Settings → Privacy & Security → Device Encryption → On
Or run as admin: `manage-bde -status`
macOS (FileVault):
System Settings → Privacy & Security → FileVault → On
Recommendation: Confirm both devices are encrypted and record the confirmation as evidence for the DSPT checklist.
| Area | Status | Action Required |
|---|---|---|
| External HTTPS (TLS) | ✅ Compliant | None |
| Internal Docker network | ✅ Acceptable risk | Document in evidence statement |
| VPS disk encryption | ❌ Shortfall | Enable provider encryption or reinstall with LUKS |
| Backup file encryption | ❌ Shortfall | Add GPG encryption step to backup scripts |
| Workstation encryption (BitLocker/FileVault) | ⬜ Unconfirmed | Check Matthew's and Peter's laptops |