API for checking if Full Disk Encryption is in use?


#1

I’m working on some on-premises code (written in Rust) and I need to check if full-disk encryption is in use on the boxes that this is installed on. We will primarily be installing on Windows boxes, but if anyone has any resources for Mac/Linux as well, I would appreciate it. I have had zero luck searching for results as they all mention manually enabling/checking.


#2

If someone has any other suggestions, I am still interested, but someone else pointed me to this question: https://security.stackexchange.com/questions/94453/how-can-i-tell-if-bitlocker-is-successfully-enabled-on-remote-hosts which suggests that I use the command:
manage-bde -status c:


#3

To make that work on a remote host you can call:

manage-bde -status -computername **computername**

#4

@jessehouwing One thing I am having trouble finding is what that command actually returns. The docs don’t include return values :frowning:


#5

Simplest solution is to use the -ProtectionAsErrorLevel option. If it returns 0 all volumes are protected. If it returns 1 not all volumes are protected.

-protectionaserrorlevel Causes the Manage-bde command-line tool to send the return code of 0 when the volume is protected and 1 when the volume is unprotected; most commonly used for batch scripts to determine if a drive is BitLocker-protected. You can also use -p as an abbreviated version of this command.


#6

Thank you! I feel a bit derpy for missing that line :slight_smile:


#7

If you’re looking for Mac encryption, the easiest tool is fdesetup:

$ fdesetup status
FileVault is On. 

$ fdesetup isactive
true

#8

Thank you @cocoaphony, I did need that as well. Now if someone knows a consistent command for Linux, I’ll really be in business :stuck_out_tongue:


#9

I don’t have an encrypted Linux system handy, but the tool I think you want is cryptsetup. It’s part of dm-crypt. I just can’t remember how to get the list of mappings. Maybe cryptsetup status /, but you may need to know the name of the mapping and I can’t remember how to get it.

You may have to use dmsetup directly. Something like dmsetup status <device_name> might tell you, or maybe dmsetup table and look for crypt in column 3.
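
The three checks from this thread combined into one Rust probe, as an added example that is not code from any poster. The names `Fde`, `probe`, `crypt_mappings` and `SAMPLE_TABLE` are hypothetical, and two things are assumptions: that `dmsetup table` lines have the layout `<name>: <start> <length> <target> ...`, and that `fdesetup isactive` prints `false` when FileVault is off.

```rust
use std::process::{Command, Output};

/// Outcome of a probe; `Unknown` covers tool failures and unexpected output.
#[derive(Debug, PartialEq)]
pub enum Fde { On, Off, Unknown }

// Constructed sample of `dmsetup table` output (not captured from a real host).
const SAMPLE_TABLE: &str = "vg0-swap: 0 8388608 linear 8:3 2048\n\
luks-root: 0 976769024 crypt aes-xts-plain64 0000 0 8:2 4096\n";

/// `manage-bde -status c: -protectionaserrorlevel`: exit 0 = protected, 1 = unprotected.
pub fn from_manage_bde_exit(code: Option<i32>) -> Fde {
    match code { Some(0) => Fde::On, Some(1) => Fde::Off, _ => Fde::Unknown }
}

/// `fdesetup isactive` prints "true" when FileVault is on; "false" is assumed for off.
pub fn from_fdesetup_isactive(stdout: &str) -> Fde {
    match stdout.trim() { "true" => Fde::On, "false" => Fde::Off, _ => Fde::Unknown }
}

/// Names of mappings whose target type is `crypt` in `dmsetup table` output.
/// Assumed line layout: `<name>: <start> <length> <target> <args...>`.
pub fn crypt_mappings(table: &str) -> Vec<String> {
    table.lines().filter_map(|line| {
        let (name, rest) = line.split_once(": ")?;
        let target = rest.split_whitespace().nth(2)?;
        if target == "crypt" { Some(name.trim().to_string()) } else { None }
    }).collect()
}

fn run(cmd: &str, args: &[&str]) -> Option<Output> { Command::new(cmd).args(args).output().ok() }

/// Run the platform's tool. A failed spawn (tool missing, no privileges) is Unknown, never Off.
pub fn probe() -> Fde {
    if cfg!(target_os = "windows") {
        run("manage-bde", &["-status", "c:", "-protectionaserrorlevel"])
            .map_or(Fde::Unknown, |o| from_manage_bde_exit(o.status.code()))
    } else if cfg!(target_os = "macos") {
        run("fdesetup", &["isactive"])
            .map_or(Fde::Unknown, |o| from_fdesetup_isactive(&String::from_utf8_lossy(&o.stdout)))
    } else {
        // Usually needs root. A crypt mapping shows dm-crypt is in use, not that every volume sits on it.
        run("dmsetup", &["table"]).filter(|o| o.status.success()).map_or(Fde::Unknown, |o| {
            if crypt_mappings(&String::from_utf8_lossy(&o.stdout)).is_empty() { Fde::Off } else { Fde::On }
        })
    }
}

fn main() { println!("sample: {:?}; this host: {:?}", crypt_mappings(SAMPLE_TABLE), probe()); }
```

Keeping `Unknown` separate from `Off` matters for compliance reporting: a host where the tool could not run should be flagged for follow-up, not counted as unencrypted or silently passed.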