Use lsblk instead of cryptsetup for the full-disk-encryption check #1469

Closed
smlx opened this issue Nov 22, 2023 · 1 comment

smlx commented Nov 22, 2023

lsblk is part of util-linux and provides much more convenient JSON output for parsing compared to cryptsetup status. It is also a much safer command and requires fewer privileges.

For example, here's a check for "does the / partition use full disk encryption?":

lsblk -fJ | jq '.blockdevices[].children[] | select(.children) | select(.children[].mountpoints | index("/")) | .fstype == "crypto_LUKS"'

The other advantage of lsblk is that it allows sandboxing of the Kolide launcher to only allow access to "/" and disallow access to other sensitive mount points. Because it requires more permissions, cryptsetup fails in this kind of sandbox.
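The same check carried further, as an added example (not code from this issue or from launcher): it walks the whole `lsblk -fJ` tree, so it goes beyond the two-level layout the jq filter addresses and also covers deeper stacks such as LVM on LUKS and disks with no children. The sample JSON is constructed, and the function names `chains_to`, `is_luks_backed` and `live_tree` are assumptions.

```python
import json
import subprocess

# Constructed sample of `lsblk -fJ` output, trimmed to the keys used here:
# LVM on top of LUKS, plus a disk with no children.
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "fstype": null, "mountpoints": [null]},
  {"name": "nvme0n1", "fstype": null, "mountpoints": [null], "children": [
    {"name": "nvme0n1p1", "fstype": "vfat", "mountpoints": ["/boot/efi"]},
    {"name": "nvme0n1p2", "fstype": "crypto_LUKS", "mountpoints": [null], "children": [
      {"name": "cryptroot", "fstype": "LVM2_member", "mountpoints": [null], "children": [
        {"name": "vg-root", "fstype": "ext4", "mountpoints": ["/"]},
        {"name": "vg-swap", "fstype": "swap", "mountpoints": ["[SWAP]"]}
      ]}
    ]}
  ]}
]}
""")


def chains_to(devices, mountpoint, ancestors=()):
    """Yield each chain of nodes (top-level disk first) ending at a device mounted on mountpoint."""
    for dev in devices:
        chain = ancestors + (dev,)
        # util-linux before 2.37 reports a single "mountpoint" string instead.
        mounts = dev.get("mountpoints") or [dev.get("mountpoint")]
        if mountpoint in mounts:
            yield chain
        yield from chains_to(dev.get("children") or [], mountpoint, chain)


def is_luks_backed(tree, mountpoint="/"):
    """True only if the mount exists and every chain to it passes through crypto_LUKS."""
    chains = list(chains_to(tree.get("blockdevices", []), mountpoint))
    return bool(chains) and all(
        any(node.get("fstype") == "crypto_LUKS" for node in chain) for chain in chains
    )


def live_tree():
    """Run `lsblk -fJ` on this host and return the parsed JSON."""
    out = subprocess.run(["lsblk", "-fJ"], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    print("sample / on LUKS:", is_luks_backed(SAMPLE))
```

A mount point that is absent from the tree is reported as not encrypted rather than raising, so a sandbox that hides the device fails closed.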

directionless (Contributor) commented Nov 27, 2023

Thank you for the suggestion! We'll try to investigate whether using lsblk is suitable for our purposes here.

(Meanwhile, I'm closing this issue, as launcher exposes both already. But I've added a note in our backlog to evaluate this as a SQL update.)
