Until today, Kolide has leveraged Osquery's disk_encryption table to report the Full Disk Encryption status of macOS in our check labeled “FileVault2 Primary Disk Encryption”.
However, we have discovered that Osquery considers the built-in SSD on M1 Macs and Macs with the T2 Secure Enclave to be “encrypted”, even though their files can be trivially accessed by anyone with physical possession of the device without the user’s password. Enabling FileVault is the only sure way to protect the data on your Mac.
Since our FileVault check was created to help our customers ensure the data on their Macs is safe in the event the device is stolen, lost, or otherwise in the possession of a bad actor, we have taken the following corrective actions:
- We have released a new version of our Kolide agent (0.11.17) which contains an accurate attestation about the status of FileVault.
- We have updated our Check to utilize the new features of our agent.
- Since the latest release of Osquery is unable to obtain the status of FileVault, we have contributed our own patch for the benefit of the community.
- We have written an informative blog post about this situation to better educate Mac Admins who might be unfamiliar with the differences between Full Disk Encryption and FileVault on modern Macs.
We feel that these actions will better help not only Kolide customers, but anyone else who relies on Osquery for similar information.
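The distinction above (a volume that a generic "encrypted" flag reports as encrypted versus a volume actually protected by FileVault) is easy to get wrong in a check. The following shell snippet is an added example, not Kolide's agent code or the Osquery patch: it derives the FileVault state from the output of macOS's `fdesetup status` (assumed to print "FileVault is On." or "FileVault is Off.") and only treats a disk as protected when FileVault is on, regardless of what a hardware-encryption flag says. The function names and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Kolide's or osquery's code): classify FileVault state from
# the text that `fdesetup status` prints on macOS, instead of trusting a
# generic "encrypted" flag, which is also true for the hardware-encrypted
# built-in SSD on T2 and M1 Macs even when FileVault is off.

# filevault_state_from_output STATUS_TEXT -> prints "on", "off" or "unknown"
filevault_state_from_output() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Combine two signals: the generic "encrypted" flag (1 or 0, as a table such as
# osquery's disk_encryption reports it) and the FileVault state. Only FileVault
# "on" passes; hardware encryption without FileVault is called out explicitly,
# because that is exactly the case a naive check reports as safe.
filevault_check_verdict() {
  encrypted_flag="$1"   # 1 or 0
  fv_state="$2"         # on / off / unknown
  if [ "$fv_state" = "on" ]; then
    echo pass
  elif [ "$encrypted_flag" = "1" ] && [ "$fv_state" = "off" ]; then
    echo "fail: hardware-encrypted volume but FileVault is off"
  else
    echo fail
  fi
}

# Constructed sample outputs in the format fdesetup prints (assumption).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."

# Live check when run on a Mac; elsewhere (no fdesetup) reports "unknown".
filevault_state_live() {
  if command -v fdesetup >/dev/null 2>&1; then
    filevault_state_from_output "$(fdesetup status 2>/dev/null)"
  else
    echo unknown
  fi
}

echo "FileVault (live): $(filevault_state_live)"
echo "Sample T2/M1 disk, FileVault off: $(filevault_check_verdict 1 "$(filevault_state_from_output "$SAMPLE_OFF")")"
echo "Sample disk, FileVault on:        $(filevault_check_verdict 1 "$(filevault_state_from_output "$SAMPLE_ON")")"
```

The verdict function deliberately reports "unknown" as a failure: if the FileVault state cannot be read, the check should not fall back to the encryption flag, since that flag is the signal that misled the original check.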
As always, please let us know if you have any follow-up questions or concerns.