USB Disk Encryption

Sherlock
New Contributor

This is my end goal:
1. User plugs in USB (which will probably be a launchdaemon)
2. If not encrypted, prompts user to encrypt
3. If user selects encryption, encrypt USB.
4. If not, it is read-only (which is set up in JAMF currently).

Will need this to be internal and not a software purchase so a script is what I am working on. 

I am having issues figuring out how to encrypt the USB. Below are some articles I've read, but they don't actually show how to encrypt the USB. There are options within the diskutil man page, but I may be reading or doing something wrong, as it does not encrypt the USB and fails.

Any assistance would be appreciated. 

 

https://www.jamf.com/jamf-nation/discussions/8306/eject-usb-if-its-not-encrypted
https://www.jamf.com/jamf-nation/discussions/21629/restrict-external-usb-devices-but-allow-encrypted...

1 REPLY

AJPinto
Honored Contributor III

In the past you could use Core Storage (sudo diskutil cs convert {drive} -passphrase) to encrypt a volume, but that is retired now. Finder can be used to encrypt a drive through the GUI, but I am not aware of any still functioning CLI options to do this. What verbs are you seeing in the diskutil man that are failing?

 

If your security team is worried about non-encrypted flash drives they probably want to invest in proper DLP controls.