I’m working on some on-premises code (written in Rust) and I need to check if full-disk encryption is in use on the boxes that this is installed on. We will primarily be installing on Windows boxes, but if anyone has any resources for Mac/Linux as well, I would appreciate it. I have had zero luck searching for results as they all mention manually enabling/checking.
If someone has any other suggestions, I am still interested, but someone else pointed me to this question: https://security.stackexchange.com/questions/94453/how-can-i-tell-if-bitlocker-is-successfully-enabled-on-remote-hosts which suggests that I use the command:

```
manage-bde -status c:
```

To make that work on a remote host you can call:

```
manage-bde -status -computername **computername**
```
Simplest solution is to use the `-ProtectionAsErrorLevel` option. If it returns 0 all volumes are protected. If it returns 1 not all volumes are protected.
`-protectionaserrorlevel` Causes the Manage-bde command-line tool to send the return code of `0` when the volume is protected and `1` when the volume is unprotected; most commonly used for batch scripts to determine if a drive is BitLocker-protected. You can also use `-p` as an abbreviated version of this command.
Thank you! I feel a bit derpy for missing that line
If you’re looking for Mac encryption, the easiest tool is

```
$ fdesetup status
FileVault is On.
$ fdesetup isactive
true
```
Thank you @cocoaphony, I did need that as well. Now if someone knows a consistent command for Linux, I’ll really be in business.
I don’t have an encrypted Linux system handy, but the tool I think you want is `cryptsetup`. It’s part of dm-crypt. I just can’t remember how to get the list of mappings. Maybe `cryptsetup status /`, but you may need to know the name of the mapping and I can’t remember how to get it.
You may have to use `dmsetup` directly. Something like `dmsetup status <device_name>` might tell you, or maybe `dmsetup table` and look for `crypt` in column 3.
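
Added example (not code from any poster in this thread): a Rust sketch that interprets the three tool results discussed above, namely the `manage-bde` error level, the `fdesetup isactive` output, and the target column of `dmsetup table`. The function names, the `C:` volume, the sample table, and the choice to treat any `crypt` mapping as evidence of encryption are assumptions made for illustration.

```rust
use std::process::{Command, Output};

// Constructed sample of `dmsetup table` output (key field zeroed for the example).
const SAMPLE_TABLE: &str = "\
vg0-root: 0 41943040 linear 253:0 2048
luks-root: 0 976768000 crypt aes-xts-plain64 0000000000000000 0 8:3 32768
vg0-swap: 0 8388608 linear 253:0 41945088
";

/// Names of mappings whose target type is `crypt`. Each `dmsetup table` line is
/// `<name>: <start> <length> <target> <params...>`.
fn crypt_mappings(table: &str) -> Vec<String> {
    table.lines().filter_map(|line| {
        let (name, rest) = line.split_once(": ")?;
        let target = rest.split_whitespace().nth(2)?;
        (target == "crypt").then(|| name.to_string())
    }).collect()
}

/// `manage-bde -status <vol> -protectionaserrorlevel`: 0 = protected, 1 = unprotected.
/// Any other code (or none) is reported as unknown, not as "unprotected".
fn bitlocker_protected(exit_code: Option<i32>) -> Option<bool> {
    match exit_code { Some(0) => Some(true), Some(1) => Some(false), _ => None }
}

/// `fdesetup isactive` prints `true` or `false`; anything else is unknown.
fn filevault_active(stdout: &str) -> Option<bool> {
    match stdout.trim() { "true" => Some(true), "false" => Some(false), _ => None }
}

/// Run a tool and return its output, or None if it could not be started.
fn run(cmd: &str, args: &[&str]) -> Option<Output> {
    Command::new(cmd).args(args).output().ok()
}

fn main() {
    let verdict = if cfg!(windows) {
        run("manage-bde", &["-status", "C:", "-protectionaserrorlevel"])
            .and_then(|o| bitlocker_protected(o.status.code()))
    } else if cfg!(target_os = "macos") {
        run("fdesetup", &["isactive"])
            .and_then(|o| filevault_active(&String::from_utf8_lossy(&o.stdout)))
    } else {
        // Assumption: any dm-crypt mapping counts; this does not prove `/` is on it.
        run("dmsetup", &["table"]).filter(|o| o.status.success())
            .map(|o| !crypt_mappings(&String::from_utf8_lossy(&o.stdout)).is_empty())
    };
    println!("encrypted: {verdict:?} (sample: {:?})", crypt_mappings(SAMPLE_TABLE));
}
```

The tools typically need administrator or root rights, so a `None` verdict here means "could not determine" and should be reported separately from "not encrypted".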