< Julian Scala> you will want to use the `disk encryption` t osquery #macos

<@U013P6HTZA5> you will want to use the `disk_encr...

fritz

10/15/2020, 9:00 PM

@Julian Scala you will want to use the

disk_encryption

table: https://osquery.io/schema/4.5.1#disk_encryption

Copy code

+--------------+--------------------------------------+-----------+-----------------+-----+--------------------------------------+-------------------+
| name         | uuid                                 | encrypted | type            | uid | user_uuid                            | encryption_status |
+--------------+--------------------------------------+-----------+-----------------+-----+--------------------------------------+-------------------+
| /dev/disk0   |                                      | 0         |                 |     |                                      | undefined         |
| /dev/disk0s1 | 53623F23-DEFD-45A4-AC8E-4EA90F1F7774 | 0         |                 |     |                                      | undefined         |
| /dev/disk0s2 | 06324AB6-396F-4A65-8758-93E466C8D9B2 | 0         |                 |     |                                      | undefined         |
| /dev/disk1   |                                      | 0         |                 |     |                                      | undefined         |
| /dev/disk1s1 | 08BF6B16-4B16-4696-A5CD-3593688AE41B | 0         |                 |     |                                      | undefined         |
| /dev/disk1s2 | F7952460-D68F-46B3-A301-8041163928D3 | 0         |                 |     |                                      | undefined         |
| /dev/disk2   | 0C3B8700-7BFA-45CE-A839-1595641F5DBF | 0         |                 |     |                                      | undefined         |
| /dev/disk2s1 | DC311620-BDEC-40EC-9329-C172D333BD82 | 1         | APFS Encryption | 502 | 425D5A4B-8EF2-4EBF-8B57-C9A919D0CDD1 | encrypted         |
| /dev/disk2s2 | FFC488C5-DD0D-420B-BEC2-8AB9B34A033C | 0         |                 |     |                                      | undefined         |
| /dev/disk2s3 | A7405C6A-2D9A-435B-8877-AB28BB767F60 | 0         |                 |     |                                      | undefined         |
| /dev/disk2s4 | 92E31DE7-E6FB-4537-90C7-E8EBCF258139 | 1         | APFS Encryption |     |                                      | encrypted         |
| /dev/disk2s5 | F2099E1B-164B-4970-9208-2F441A69AAD2 | 1         | APFS Encryption | 502 | 425D5A4B-8EF2-4EBF-8B57-C9A919D0CDD1 | encrypted         |
| /dev/disk3   |                                      | 0         |                 |     |                                      | undefined         |
| /dev/disk3s1 |                                      | 0         |                 |     |                                      | undefined         |
| /dev/disk4   |                                      | 0         |                 |     |                                      | undefined         |
| /dev/disk4s1 | AE5EF4ED-8490-489F-91BF-7751C3272849 | 0         |                 |     |                                      | undefined         |
+--------------+--------------------------------------+-----------+-----------------+-----+--------------------------------------+-------------------+

This can be joined against

block_devices

and/or

mounts

to further enrich the output:

Copy code

SELECT 
  path, 
  encrypted, 
  de.type, 
  encryption_status, 
  device 
FROM disk_encryption de 
CROSS JOIN mounts m 
WHERE de.name = m.device 
AND path = '/';

+------+-----------+-----------------+-------------------+--------------+
| path | encrypted | type            | encryption_status | device       |
+------+-----------+-----------------+-------------------+--------------+
| /    | 1         | APFS Encryption | encrypted         | /dev/disk2s5 |
+------+-----------+-----------------+-------------------+--------------+

Open in Slack

Previous Next