filevault_2_encryption_check Extension Attribute

midnigh7
New Contributor

Anyone else running Rich Trouton's Filevault 2 Encryption Check Extension attribute, along with workstations on High Sierra?

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/filevault_2_encryption_check

Looks like I'm seeing incorrect results with this. Looks like the conversion to AFPS may have messed with this. Just looking to verify that this is the case for more than my environment.

Haven't had a moment to look into this much more.

-Midnigh7-

3 REPLIES 3

sdagley
Esteemed Contributor II

@midnigh7 That script won't work on an APFS formatted volume

bartlomiejsojka
Contributor

I've actually updated the code for APFS a month ago for my env. – still kinda WIP, but @midnigh7 question has finally made me upload it to Git. You can find it here. Note however, that I've heavily refactored it to my liking, so you'll either have to update your dependencies or modify results in your fork.

mottertektura
Contributor

I also reworked Rich Trouton's Filevault 2 Encryption Check Extension Attribute to work with APFS. Still testing it, but so far I think it's working...

@bartlomiej.sojka 's EA looks like it's more concise though...

#!/bin/bash

CORESTORAGESTATUS="/private/tmp/corestorage.txt"
ENCRYPTSTATUS="/private/tmp/encrypt_status.txt"
ENCRYPTDIRECTION="/private/tmp/encrypt_direction.txt"

osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')

# Checks to see if the OS on the Mac is 10.x.x. If it is not, the 
# following message is displayed without quotes:
#
# "Unknown Version Of Mac OS X"

if [[ ${osvers_major} -ne 10 ]]; then
  echo "<result>Unknown Version Of Mac OS X</result>"
fi

# Checks to see if the OS on the Mac is 10.7 or higher.
# If it is not, the following message is displayed without quotes:
#
# "FileVault 2 Encryption Not Available For This Version Of Mac OS X"

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 7 ]]; then
  echo "<result>FileVault 2 Encryption Not Available For This Version Of Mac OS X</result>"
fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 7 ]] && [[ ${osvers_minor} -lt 13 ]]; then
  diskutil cs info / >> $CORESTORAGESTATUS 2>&1

    # If the Mac is running 10.7 through 10.12, but the boot volume
    # is not a CoreStorage volume, the following message is 
    # displayed without quotes:
    #
    # "FileVault 2 Encryption Not Enabled"

    if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
       echo "<result>FileVault 2 Encryption Not Enabled</result>"
       rm -f "$CORESTORAGESTATUS"
       exit 0
    fi

    # If the Mac is running 10.7 through 10.12 and the boot volume
    # is a CoreStorage volume, the script then checks to see if 
    # the machine is encrypted, encrypting, or decrypting.
    # 
    # If encrypted, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Complete"
    #
    # If encrypting, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Proceeding."
    # How much has been encrypted of of the total
    # amount of space is also displayed. If the
    # amount of encryption is for some reason not
    # known, the following message is 
    # displayed without quotes:
    # "FileVault 2 Encryption Status Unknown. Please check."
    #
    # If decrypting, the following message is 
    # displayed without quotes:
    # "FileVault 2 Decryption Proceeding"
    # How much has been decrypted of of the total
    # amount of space is also displayed
    #
    # If fully decrypted, the following message is 
    # displayed without quotes:
    # "FileVault 2 Decryption Complete"
    #

    # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_UUID=`diskutil cs info / | awk '/UUID/ {print $2;exit}'`

    # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
    # for the boot drive's CoreStorage volume.

    LV_FAMILY_UUID=`diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}'`

    CONTEXT=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Context/ {print $3;exit}'`

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 || ${osvers_minor} -eq 8 ]]; then
        CONVERTED=`diskutil cs list $LV_UUID | awk '/Size (Converted)/ {print $5,$6;exit}'`
    fi

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 9 ]]; then
        CONVERTED=`diskutil cs list $LV_UUID | awk '/Conversion Progress/ {print $3;exit}'`    
    fi

    ENCRYPTIONEXTENTS=`diskutil cs list $LV_FAMILY_UUID | awk '/Has Encrypted Extents/ {print $4;exit}'`
    ENCRYPTION=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Type/ {print $3;exit}'`
    SIZE=`diskutil cs list $LV_UUID | awk '/Size (Total)/ {print $5,$6;exit}'`

    # This section does 10.7-specific checking of the Mac's
    # FileVault 2 status

   if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 ]]; then
      if [ "$CONTEXT" = "Present" ]; then
        if [ "$ENCRYPTION" = "AES-XTS" ]; then
          diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $3;exit}' >> $ENCRYPTSTATUS
            if grep -iE 'Complete' $ENCRYPTSTATUS 1>/dev/null; then 
              echo "<result>FileVault 2 Encryption Complete</result>"
            else
              if  grep -iE 'Converting' $ENCRYPTSTATUS 1>/dev/null; then
                diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
                  if grep -iE 'Forward' $ENCRYPTDIRECTION 1>/dev/null; then
                    echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                  else
                    echo "<result>FileVault 2 Encryption Status Unknown. Please check.</result>"
                  fi
               fi
             fi
        else
            if [ "$ENCRYPTION" = "None" ]; then
              diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
                if grep -iE 'Backward' $ENCRYPTDIRECTION 1>/dev/null; then
                  echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                elif grep -iE '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
                  echo "<result>FileVault 2 Decryption Completed</result>"
                fi
            fi 
        fi
      fi  
    fi
   fi



    # This section does checking of the Mac's FileVault 2 status
    # on 10.8.x through 10.10.x

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 8 ]] && [[ ${osvers_minor} -lt 11 ]]; then
      if [[ "$ENCRYPTIONEXTENTS" = "No" ]]; then
              echo "<result>FileVault 2 Encryption Not Enabled</result>"
      elif [[ "$ENCRYPTIONEXTENTS" = "Yes" ]]; then
          diskutil cs list $LV_FAMILY_UUID | awk '/Fully Secure/ {print $3;exit}' >> $ENCRYPTSTATUS
            if grep -iE 'Yes' $ENCRYPTSTATUS 1>/dev/null; then 
              echo "<result>FileVault 2 Encryption Complete</result>"
            else
              if  grep -iE 'No' $ENCRYPTSTATUS 1>/dev/null; then
                diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Direction/ {print $3;exit}' >> $ENCRYPTDIRECTION
                  if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
                    echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                  else
                  if grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
                        echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                          elif grep -iE '-none-' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "<result>FileVault 2 Decryption Completed</result>"
                    fi
                  fi
              fi
            fi  
      fi
    fi

    # This section does checking of the Mac's FileVault 2 status
    # on 10.11.x through 10.12.x

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 11 ]] && [[ ${osvers_minor} -lt 13 ]]; then
      if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
          echo "<result>FileVault 2 Encryption Not Enabled</result>"
      elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
          echo "<result>FileVault 2 Decryption Completed</result>"
      elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
          diskutil cs list $LV_FAMILY_UUID | awk '/High Level Queries/ {print $4,$5;exit}' >> $ENCRYPTSTATUS
            if grep -iE 'Fully Secure' $ENCRYPTSTATUS 1>/dev/null; then 
              echo "<result>FileVault 2 Encryption Complete</result>"
            else
              if grep -iE 'Not Fully' $ENCRYPTSTATUS 1>/dev/null; then
                if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then 
                  diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $4;exit}' >> $ENCRYPTDIRECTION
                    if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
                      echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                    elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
                      echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                    fi
                elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
                  if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
                      echo "<result>FileVault 2 Decryption Completed</result>"
                  fi
                fi
              fi
      fi  
    fi

fi

if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 13 ]]; then

# If the OS on the Mac is 10.13 or higher, check to see if the
# boot drive is formatted with APFS or HFS+

boot_filesystem_check=$(/usr/sbin/diskutil info / | awk '/Type (Bundle)/ {print $3}')

# If the drive is formatted with APFS, the fdesetup tool will
# be available and is able to display the encryption status.

    if [[ "$boot_filesystem_check" = "apfs" ]]; then

    # If encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is On."
    #
    # If encrypting, the following message is 
    # displayed without quotes:
    # "Encryption in progress:"
    # How much has been encrypted of of the total
    # amount of space is also displayed.
    #
    # If decrypting, the following message is 
    # displayed without quotes:
    # "Decryption in progress:"
    # How much has been decrypted of of the total
    # amount of space is also displayed
    #
    # If not encrypted, the following message is 
    # displayed without quotes:
    # "FileVault is Off."

    ENCRYPTSTATUS=$(fdesetup status | xargs)
        if [[ -z $(echo "$ENCRYPTSTATUS" | awk '/Encryption | Decryption/') ]]; then
            ENCRYPTSTATUS=$(fdesetup status | head -1)
            echo "<result>$ENCRYPTSTATUS</result>"
        else
            ENCRYPTSTATUS=$(fdesetup status | tail -1)
            echo "<result>$ENCRYPTSTATUS</result>"
        fi
    fi

    if [[ "$boot_filesystem_check" = "hfs" ]]; then
    diskutil cs info / >> $CORESTORAGESTATUS 2>&1
        if grep -iE '/ is not a CoreStorage disk' $CORESTORAGESTATUS 1>/dev/null; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
            rm -f "$CORESTORAGESTATUS"
            exit 0
        fi
        # If the Mac is running 10.7 or higher and the boot volume
        # is a CoreStorage volume, the script then checks to see if 
        # the machine is encrypted, encrypting, or decrypting.
        # 
        # If encrypted, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Complete"
        #
        # If encrypting, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Proceeding."
        # How much has been encrypted of of the total
        # amount of space is also displayed. If the
        # amount of encryption is for some reason not
        # known, the following message is 
        # displayed without quotes:
        # "FileVault 2 Encryption Status Unknown. Please check."
        #
        # If decrypting, the following message is 
        # displayed without quotes:
        # "FileVault 2 Decryption Proceeding"
        # How much has been decrypted of of the total
        # amount of space is also displayed
        #
        #    If fully decrypted, the following message is 
        # displayed without quotes:
        # "FileVault 2 Decryption Complete"
        #

        # Get the Logical Volume UUID (aka "UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.

        LV_UUID=`diskutil cs info / | awk '/UUID/ {print $2;exit}'`

        # Get the Logical Volume Family UUID (aka "Parent LVF UUID" in diskutil cs info)
        # for the boot drive's CoreStorage volume.

        LV_FAMILY_UUID=`diskutil cs info / | awk '/Parent LVF UUID/ {print $4;exit}'`

        CONTEXT=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Context/ {print $3;exit}'`

        CONVERTED=`diskutil cs list $LV_UUID | awk '/Conversion Progress/ {print $3;exit}'`

        ENCRYPTIONEXTENTS=`diskutil cs list $LV_FAMILY_UUID | awk '/Has Encrypted Extents/ {print $4;exit}'`
        ENCRYPTION=`diskutil cs list $LV_FAMILY_UUID | awk '/Encryption Type/ {print $3;exit}'`
        SIZE=`diskutil cs list $LV_UUID | awk '/Size (Total)/ {print $5,$6;exit}'`

    # This section does checking of the Mac's FileVault 2 status if the boot drive is formatted with HFS+

        if [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "" ]]; then
            echo "<result>FileVault 2 Encryption Not Enabled</result>"
        elif [[ "$ENCRYPTION" = "None" ]] && [[ $(diskutil cs list "$LV_UUID" | awk '/Conversion Progress/ {print $3;exit}') == "Complete" ]]; then
            echo "<result>FileVault 2 Decryption Completed</result>"
        elif [[ "$ENCRYPTION" = "AES-XTS" ]]; then
            diskutil cs list $LV_FAMILY_UUID | awk '/High Level Queries/ {print $4,$5;exit}' >> $ENCRYPTSTATUS
            if grep -iE 'Fully Secure' $ENCRYPTSTATUS 1>/dev/null; then 
                echo "<result>FileVault 2 Encryption Complete</result>"
            else
                if grep -iE 'Not Fully' $ENCRYPTSTATUS 1>/dev/null; then
                    if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') != "" ]]; then 
                    diskutil cs list $LV_FAMILY_UUID | awk '/Conversion Status/ {print $4;exit}' >> $ENCRYPTDIRECTION
                        if grep -iE 'forward' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "<result>FileVault 2 Encryption Proceeding. $CONVERTED of $SIZE Encrypted</result>"
                        elif grep -iE 'backward' $ENCRYPTDIRECTION 1>/dev/null; then
                            echo "<result>FileVault 2 Decryption Proceeding. $CONVERTED of $SIZE Decrypted</result>"
                        fi
                    elif [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $4;exit}') == "" ]]; then
                        if [[ $(diskutil cs list "$LV_FAMILY_UUID" | awk '/Conversion Status/ {print $3;exit}') == "Complete" ]]; then
                            echo "<result>FileVault 2 Decryption Completed</result>"
                        fi
                    fi
                fi
            fi  
        else
            echo "<result>Unknown filesystem.</result>"
        fi
    fi
fi

# Remove the temp files created during the script

if [ -f "$CORESTORAGESTATUS" ]; then
   rm -f "$CORESTORAGESTATUS"
fi

if [ -f "$ENCRYPTSTATUS" ]; then
   rm -f "$ENCRYPTSTATUS"
fi

if [ -f "$ENCRYPTDIRECTION" ]; then
   rm -f "$ENCRYPTDIRECTION"
fi

exit 0