add disk encryption check

2026-04-22 02:06:39 +00:00 · 2026-01-17 19:56:50 +01:00
parent 245481f33b
commit 279e96e6b1
23 changed files with 1637 additions and 760 deletions
--- a/client/system/disk_encryption_linux.go
+++ b/client/system/disk_encryption_linux.go
@@ -0,0 +1,98 @@
+//go:build linux && !android
+
+package system
+
+import (
+	"bufio"
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// detectDiskEncryption detects LUKS encryption status on Linux by reading sysfs.
+func detectDiskEncryption(ctx context.Context) DiskEncryptionInfo {
+	info := DiskEncryptionInfo{}
+
+	encryptedDevices := findEncryptedDevices()
+	mountPoints := parseMounts(encryptedDevices)
+
+	info.Volumes = mountPoints
+	return info
+}
+
+// findEncryptedDevices scans /sys/block for dm-crypt (LUKS) encrypted devices.
+func findEncryptedDevices() map[string]bool {
+	encryptedDevices := make(map[string]bool)
+
+	sysBlock := "/sys/block"
+	entries, err := os.ReadDir(sysBlock)
+	if err != nil {
+		log.Debugf("read /sys/block: %v", err)
+		return encryptedDevices
+	}
+
+	for _, entry := range entries {
+		dmUuidPath := filepath.Join(sysBlock, entry.Name(), "dm", "uuid")
+		data, err := os.ReadFile(dmUuidPath)
+		if err != nil {
+			continue
+		}
+		uuid := strings.TrimSpace(string(data))
+		if strings.HasPrefix(uuid, "CRYPT-") {
+			dmNamePath := filepath.Join(sysBlock, entry.Name(), "dm", "name")
+			if nameData, err := os.ReadFile(dmNamePath); err == nil {
+				dmName := strings.TrimSpace(string(nameData))
+				encryptedDevices["/dev/mapper/"+dmName] = true
+			}
+			encryptedDevices["/dev/"+entry.Name()] = true
+		}
+	}
+
+	return encryptedDevices
+}
+
+// parseMounts reads /proc/mounts and maps devices to mount points with encryption status.
+func parseMounts(encryptedDevices map[string]bool) []DiskEncryptionVolume {
+	var volumes []DiskEncryptionVolume
+
+	mountsFile, err := os.Open("/proc/mounts")
+	if err != nil {
+		log.Debugf("open /proc/mounts: %v", err)
+		return volumes
+	}
+	defer func() {
+		if err := mountsFile.Close(); err != nil {
+			log.Debugf("close /proc/mounts: %v", err)
+		}
+	}()
+
+	scanner := bufio.NewScanner(mountsFile)
+	for scanner.Scan() {
+		fields := strings.Fields(scanner.Text())
+		if len(fields) < 2 {
+			continue
+		}
+		device, mountPoint := fields[0], fields[1]
+
+		encrypted := encryptedDevices[device]
+
+		if !encrypted && strings.HasPrefix(device, "/dev/mapper/") {
+			for encDev := range encryptedDevices {
+				if device == encDev {
+					encrypted = true
+					break
+				}
+			}
+		}
+
+		volumes = append(volumes, DiskEncryptionVolume{
+			Path:      mountPoint,
+			Encrypted: encrypted,
+		})
+	}
+
+	return volumes
+}