Disk encryption
The Disk Encryption device posture attribute ensures that disks are encrypted on a device.
Prerequisites
- Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to WARP client checks.
Enable the disk encryption check
- In Zero Trust, go to Settings > WARP Client.
- Scroll down to WARP client checks and select Add new.
- Select Disk Encryption.
- Enter a descriptive name for the check.
- Select your operating system.
- Either enable disk encryption for all volumes, or input the specific volume(s) you want to check for encryption (for example,
C
). - Select Save.
Next, go to Logs > Posture and verify that the disk encryption check is returning the expected results.
How WARP checks for encryption
Operating systems determine disk encryption in various ways. The following information will allow you to understand how the client determines disk encryption status on various systems.
On macOS
Open a terminal window.
Run the
/usr/sbin/system_profiler SPStorageDataType
command to return a list of drivers on the system and note the value of Mount Point.$ /usr/sbin/system_profiler SPStorageDataTypeStorage:Data:Free: 428.52 GB (428,519,702,528 bytes)Capacity: 494.38 GB (494,384,795,648 bytes)Mount Point: /System/Volumes/DataRun the
diskutil info
command for a specific Mount Point and look for the value returned for FileVault. It must show Yes for the disk to be considered encrypted.$ diskutil info /System/Volumes/Data | grep FileVaultFileVault: Yes
On Windows
- Open a PowerShell window.
- Run the
Get-BitLockerVolume
command to list all volumes detected on the system. - Protection Status must be set to On for the disk to be considered encrypted.
On Linux
List all hard drives on the system:
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTnvme0n1 259:0 0 476.9G 0 disk ├─nvme0n1p1 259:1 0 512M 0 part /boot/efi├─nvme0n1p2 259:2 0 488M 0 part /boot└─nvme0n1p3 259:3 0 476G 0 part └─nvme0n1p3_crypt 253:0 0 475.9G 0 crypt ├─my--vg-root 253:1 0 474.9G 0 lvm / └─my--vg-swap_1 253:2 0 976M 0 lvm [SWAP]
On Linux, encryption is reported per mounted partition, not physical drive. In the example above, the root and swap partitions are considered encrypted because they are located within a crypt
container. The /boot
and /boot/efi
partitions remain unencrypted.
On iOS, Android and ChromeOS
These platforms are always encrypted and so no disk encryption check is supported.