add disk encryption check

shared/management/client/grpc.go

@@ -550,6 +550,14 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 		})
 	}
 
+	diskEncryptionVolumes := make([]*proto.DiskEncryptionVolume, 0, len(info.DiskEncryption.Volumes))
+	for _, vol := range info.DiskEncryption.Volumes {
+		diskEncryptionVolumes = append(diskEncryptionVolumes, &proto.DiskEncryptionVolume{
+			Path:      vol.Path,
+			Encrypted: vol.Encrypted,
+		})
+	}
+
 	return &proto.PeerSystemMeta{
 		Hostname:         info.Hostname,
 		GoOS:             info.GoOS,
@@ -585,5 +593,8 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 
 			LazyConnectionEnabled: info.LazyConnectionEnabled,
 		},
+		DiskEncryption: &proto.DiskEncryptionInfo{
+			Volumes: diskEncryptionVolumes,
+		},
 	}
 }

shared/management/http/api/openapi.yml

@@ -1232,6 +1232,8 @@ components:
           $ref: '#/components/schemas/PeerNetworkRangeCheck'
         process_check:
           $ref: '#/components/schemas/ProcessCheck'
+        disk_encryption_check:
+          $ref: '#/components/schemas/DiskEncryptionCheck'
     NBVersionCheck:
       description: Posture check for the version of NetBird
       type: object
@@ -1346,6 +1348,22 @@ components:
           description: Path to the process executable file in a Windows operating system
           type: string
           example: "C:\ProgramData\NetBird\netbird.exe"
+    DiskEncryptionCheck:
+      description: Posture check for disk encryption status
+      type: object
+      properties:
+        linux_path:
+          description: Mount path to check on Linux (e.g., "/", "/home")
+          type: string
+          example: "/"
+        darwin_path:
+          description: Mount path to check on macOS (e.g., "/")
+          type: string
+          example: "/"
+        windows_path:
+          description: Drive letter to check on Windows (e.g., "C:", "D:")
+          type: string
+          example: "C:"
     Location:
       description: Describe geographical location information
       type: object

shared/management/http/api/types.gen.go

@@ -370,6 +370,9 @@ type AvailablePorts struct {
 
 // Checks List of objects that perform the actual checks
 type Checks struct {
+	// DiskEncryptionCheck Posture check for disk encryption status
+	DiskEncryptionCheck *DiskEncryptionCheck `json:"disk_encryption_check,omitempty"`
+
 	// GeoLocationCheck Posture check for geo location
 	GeoLocationCheck *GeoLocationCheck `json:"geo_location_check,omitempty"`
 
@@ -476,6 +479,18 @@ type DNSSettings struct {
 	DisabledManagementGroups []string `json:"disabled_management_groups"`
 }
 
+// DiskEncryptionCheck Posture check for disk encryption status
+type DiskEncryptionCheck struct {
+	// DarwinPath Mount path to check on macOS (e.g., "/")
+	DarwinPath *string `json:"darwin_path,omitempty"`
+
+	// LinuxPath Mount path to check on Linux (e.g., "/", "/home")
+	LinuxPath *string `json:"linux_path,omitempty"`
+
+	// WindowsPath Drive letter to check on Windows (e.g., "C:", "D:")
+	WindowsPath *string `json:"windows_path,omitempty"`
+}
+
 // Event defines model for Event.
 type Event struct {
 	// Activity The activity that occurred during the event

shared/management/proto/management.proto

@@ -154,6 +154,19 @@ message Flags {
   bool disableSSHAuth = 15;
 }
 
+// DiskEncryptionVolume represents encryption status of a single volume.
+message DiskEncryptionVolume {
+  // Mount path (Linux/macOS) or drive letter (Windows)
+  string path = 1;
+  // Whether the volume is encrypted
+  bool encrypted = 2;
+}
+
+// DiskEncryptionInfo holds disk encryption detection results.
+message DiskEncryptionInfo {
+  repeated DiskEncryptionVolume volumes = 1;
+}
+
 // PeerSystemMeta is machine meta data like OS and version.
 message PeerSystemMeta {
   string hostname = 1;
@@ -173,6 +186,7 @@ message PeerSystemMeta {
   Environment environment = 15;
   repeated File files = 16;
   Flags flags = 17;
+  DiskEncryptionInfo diskEncryption = 18;
 }
 
 message LoginResponse {