| Operating systems | WARP mode required | Zero Trust plans |
| --- | --- | --- |
| macOS, Windows, Linux | WARP with Gateway | All plans |

The Disk Encryption device posture attribute ensures that disks are encrypted on a device.
Enable the disk encryption check
- In Zero Trust, go to Settings > WARP Client.
- Scroll down to WARP client checks and select Add new.
- Select Disk Encryption.
- Enter a descriptive name for the check.
- Select your operating system.
- Either enable disk encryption for all volumes, or input the specific volume(s) you want to check for encryption (for example,
- Select Save.
Next, go to Logs > Posture and verify that the disk encryption check is returning the expected results.
How WARP checks for encryption
Operating systems determine disk encryption in various ways. The following information will allow you to understand how the client determines disk encryption status on various systems.
On macOS
- Open a terminal window.
- Run the `/usr/sbin/system_profiler SPStorageDataType` command to return a list of drives on the system and note the value of Mount Point.

```
$ /usr/sbin/system_profiler SPStorageDataType
Storage:
    Data:
      Free: 428.52 GB (428,519,702,528 bytes)
      Capacity: 494.38 GB (494,384,795,648 bytes)
      Mount Point: /System/Volumes/Data
```

- Run the `diskutil info` command for a specific Mount Point and look for the value returned for FileVault. It must show Yes for the disk to be considered encrypted.

```
$ diskutil info /System/Volumes/Data | grep FileVault
   FileVault:                 Yes
```
On Windows
- Open a PowerShell window.
- Run the `Get-BitLockerVolume` command to list all volumes detected on the system.
- Protection Status must be set to On for the disk to be considered encrypted.
On Linux
List all hard drives on the system:

```
$ lsblk
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1               259:0    0 476.9G  0 disk
├─nvme0n1p1           259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2           259:2    0   488M  0 part  /boot
└─nvme0n1p3           259:3    0   476G  0 part
  └─nvme0n1p3_crypt   253:0    0 475.9G  0 crypt
    ├─my--vg-root     253:1    0 474.9G  0 lvm   /
    └─my--vg-swap_1   253:2    0   976M  0 lvm   [SWAP]
```

On Linux, encryption is reported per mounted partition, not physical drive. In the example above, the root and swap partitions are considered encrypted because they are located within a `crypt` container. The `/boot` and `/boot/efi` partitions remain unencrypted.
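To reproduce the per-partition verdict described above when a posture log entry looks wrong, the following added example (not the WARP client's own code) walks `lsblk` JSON output and marks a mount point as encrypted only if one of its ancestors has type `crypt`. The function names and the embedded sample are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample: `lsblk -J -o NAME,TYPE,MOUNTPOINT` output mirroring the
# device tree shown above (not captured from a real host).
SAMPLE = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "nvme0n1p3_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "my--vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "my--vg-swap_1", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
"""

def mount_encryption(lsblk_json):
    """Map each mount point to True if it sits inside a crypt container."""
    status = {}

    def walk(node, inside_crypt):
        inside_crypt = inside_crypt or node.get("type") == "crypt"
        mount = node.get("mountpoint")
        if mount:
            # If a mount point appears under several parents, every path
            # to it must pass through a crypt container.
            status[mount] = status.get(mount, True) and inside_crypt
        for child in node.get("children") or []:
            walk(child, inside_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return status

def unencrypted_mounts(lsblk_json):
    """Mount points that are not backed by a crypt container."""
    return sorted(m for m, ok in mount_encryption(lsblk_json).items() if not ok)

if __name__ == "__main__":
    # Pipe live lsblk JSON in, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for mount, encrypted in sorted(mount_encryption(data).items()):
        print(f"{mount:<12} {'encrypted' if encrypted else 'NOT encrypted'}")
```

On a real host, pipe `lsblk -J -o NAME,TYPE,MOUNTPOINT` into the script and compare the result with the entry under Logs > Posture.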
On iOS, Android and ChromeOS
These platforms are always encrypted and so no disk encryption check is supported.