November 18

Linux: Reporting whether a Linux laptop has encryption turned on

Overview

    The following information outlines how the BASH script showsecure works.
In this process we use a combination of two Linux system commands to determine whether a drive is encrypted.
We enable LUKS encryption during the Linux installation process.
During a typical Red Hat installation three partitions are created:
1. efi - location for bootable firmware (Replaces MBR)
2. boot - The main system files that are called by the EFI to be able to boot the partition
3. root - All other Linux data needed to run Linux

LUKS default cipher is aes-cbc-essiv:sha256 
LUKS encrypts the entire block device

Process

    On boot, the Linux kernel device mapper calls the LUKS partition.
    The user is immediately prompted for a password to unlock the drive.
    If the correct password is supplied, the Linux kernel maps the encrypted drive for access and the boot process continues.

Weekly Monitoring

    We can prove a drive is encrypted by looking at the block id information.
    In the script below we are looking for two things:

1. Is there a mapped LUKS drive partition? - Determined with the fdisk command
2. Is the mapped drive the root partition /dev/sda3? - Determined with the blkid command

    A cronjob runs once a week to verify that a drive has been encrypted.
    If the UUIDs from both checks match, an email is sent stating that the drive encryption is active.
    If the UUIDs do not match, an email is sent stating that the drive has not been encrypted.


Script

cat showsecure 
-------------------------
#!/bin/bash
# ---- Query Drive Data
driveinfo1=$(/usr/sbin/fdisk -l | /usr/bin/grep "Disk /dev/mapper/luks")
driveinfo2=$(/usr/sbin/blkid | /usr/bin/grep "/dev/sda3")

# ---- Parse the UUID information looking for a LUKS encryption match
check1=$(echo "$driveinfo1" | /usr/bin/grep -oP '(?<=luks-).*(?=:)')
check2=$(echo "$driveinfo2" | /usr/bin/grep -oP '(?<=UUID=").*(?=" T)')

# ---- Comment out the above and uncomment these to prove failure response
#check1=1234567
#check2=7654321

# ---- Prep information file that will be emailed
grabhost=$(hostname)
echo "Linux Encryption Information" > /root/scripts/driveinfo.txt
echo "Computer: $grabhost" >> /root/scripts/driveinfo.txt

# ---- Check for LUKS encryption and send report on status
# ---- Alert on success
# ---- An empty check1 means no mapped LUKS device was found, so two empty
# ---- values must not be treated as a match.
if [ -n "$check1" ] && [ "$check1" = "$check2" ]
then
        echo "Drive Encryption Status: Active : ID: $check1" >> /root/scripts/driveinfo.txt
        mail -s "Linux Encryption Report:" [email protected] [email protected] < /root/scripts/driveinfo.txt
else
# ---- Alert on failure
        echo "Drive Encryption Status: !!! Drive is not Encrypted !!! : ID: $check1" >> /root/scripts/driveinfo.txt
        mail -s "Linux Encryption Report:" [email protected] [email protected] < /root/scripts/driveinfo.txt
fi
-------------------------
crontab
30 9 * * 3 /root/scripts/showsecure 
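
The UUID comparison described under Weekly Monitoring, as an added example that is not part of the original post: the fdisk and blkid parsing is wrapped in functions and run over constructed sample output, including the case where neither command yields a UUID. The function names and all sample values are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example: the showsecure UUID comparison as functions over captured
# fdisk/blkid text. Function names and sample values are assumptions.

# UUID embedded in the "Disk /dev/mapper/luks-<uuid>:" line of fdisk -l output ($1).
luks_uuid_from_fdisk() {
    printf '%s\n' "$1" | sed -n 's|^Disk /dev/mapper/luks-\([^:]*\):.*|\1|p' | head -n 1
}

# UUID of partition $2 in blkid output $1, only if blkid reports TYPE="crypto_LUKS".
part_uuid_from_blkid() {
    printf '%s\n' "$1" | grep "^$2:" | grep 'TYPE="crypto_LUKS"' |
        sed -n 's|.* UUID="\([^"]*\)".*|\1|p' | head -n 1
}

# Prints "ACTIVE <uuid>" only when both UUIDs are non-empty and equal.
# Two empty values (no LUKS mapping, no matching partition) are a failure.
encryption_status() {
    local mapped part
    mapped=$(luks_uuid_from_fdisk "$1")
    part=$(part_uuid_from_blkid "$2" "$3")
    if [ -n "$mapped" ] && [ "$mapped" = "$part" ]; then
        echo "ACTIVE $mapped"
    else
        echo "NOT_ENCRYPTED"
    fi
}

# Constructed sample output (not taken from a real host).
SAMPLE_FDISK='Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
Disk /dev/mapper/luks-0a1b2c3d-1111-2222-3333-444455556666: 237 GiB, 254476812288 bytes, 497025024 sectors'
SAMPLE_BLKID='/dev/sda1: UUID="7C1A-9F3E" TYPE="vfat" PARTUUID="aaaa0001"
/dev/sda3: UUID="0a1b2c3d-1111-2222-3333-444455556666" TYPE="crypto_LUKS" PARTUUID="aaaa0003"'
SAMPLE_BLKID_PLAIN='/dev/sda3: UUID="9e8d7c6b-1111-2222-3333-444455556666" TYPE="xfs" PARTUUID="aaaa0003"'

# Encrypted host, then an unencrypted host where fdisk shows no LUKS mapping.
encryption_status "$SAMPLE_FDISK" "$SAMPLE_BLKID" /dev/sda3
encryption_status "" "$SAMPLE_BLKID_PLAIN" /dev/sda3
```

On a live system the first two arguments would be the output of `fdisk -l` and `blkid`, both of which need root.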



Posted November 18, 2021 by Timothy Conrad in category "Linux"
