Kolide check failing to detect FDE when ecryptfs is stacked on top
smlx commented
We have a Linux user with FDE:
```
user@host:~$ lsblk
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1               259:0    0 953.9G  0 disk
├─nvme0n1p1           259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2           259:2    0   1.7G  0 part  /boot
└─nvme0n1p3           259:3    0 951.7G  0 part
  └─nvme0n1p3_crypt   252:0    0 951.7G  0 crypt
    ├─vgmint-root     252:1    0 929.4G  0 lvm   /
    └─vgmint-swap_1   252:2    0   1.9G  0 lvm   [SWAP]
```
But the user is apparently stacking ecryptfs on top of the FDE for their home directory, and this is tripping up Kolide, which is incorrectly reporting that the user's home directory is not encrypted:
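An added example, not part of the original report and not Kolide's own check: one way an encryption check can follow a stacked ecryptfs mount down to its lower directory and then to the block device, so both layers are reported. The block tree mirrors the `lsblk` output above in `lsblk -J` shape; the mount table, the ecryptfs lower path `/home/.ecryptfs/user/.Private`, and all function names are assumptions constructed for illustration.

```python
import os

# Constructed sample data: block tree shaped like `lsblk -J` output for the
# layout in the report, plus an assumed mount table with an ecryptfs home.
LSBLK = {"blockdevices": [{"name": "nvme0n1", "type": "disk", "mountpoints": [None], "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoints": ["/boot/efi"]},
    {"name": "nvme0n1p2", "type": "part", "mountpoints": ["/boot"]},
    {"name": "nvme0n1p3", "type": "part", "mountpoints": [None], "children": [
        {"name": "nvme0n1p3_crypt", "type": "crypt", "mountpoints": [None], "children": [
            {"name": "vgmint-root", "type": "lvm", "mountpoints": ["/"]},
            {"name": "vgmint-swap_1", "type": "lvm", "mountpoints": ["[SWAP]"]}]}]}]}]}
MOUNTS = [  # (source, target, fstype); assumed, as /proc/mounts would list them
    ("/dev/mapper/vgmint-root", "/", "ext4"),
    ("/dev/nvme0n1p2", "/boot", "ext4"),
    ("/dev/nvme0n1p1", "/boot/efi", "vfat"),
    ("/home/.ecryptfs/user/.Private", "/home/user", "ecryptfs"),
]

def covering_mount(path, mounts):
    """Return the mount whose target is the longest path-prefix of path."""
    path = os.path.normpath(path)
    hits = [m for m in mounts if path == m[1] or path.startswith(m[1].rstrip("/") + "/")]
    return max(hits, key=lambda m: len(m[1]))

def under_crypt(mountpoint, nodes, inside=False):
    """True if the device mounted at mountpoint is, or sits below, a 'crypt' device."""
    for n in nodes:
        enc = inside or n["type"] == "crypt"
        if mountpoint in n.get("mountpoints", []):
            return enc
        if under_crypt(mountpoint, n.get("children", []), enc):
            return True
    return False

def encryption_layers(path, mounts=MOUNTS, lsblk=LSBLK):
    """List every encryption layer protecting path, following stacked mounts down."""
    layers, seen = [], set()
    src, target, fstype = covering_mount(path, mounts)
    while fstype == "ecryptfs" and target not in seen:  # guard against self-reference
        seen.add(target)
        layers.append("ecryptfs")
        src, target, fstype = covering_mount(src, mounts)  # source is the lower dir
    if under_crypt(target, lsblk["blockdevices"]):
        layers.append("block-crypt")
    return layers
```

A check that stops at the first mount covering the home directory sees only the `ecryptfs` entry, which has no block device of its own; resolving the lower directory is what reaches `nvme0n1p3_crypt`.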