show FV banner if the disk is encrypted but we don't get a key (#15317)

for #15068 # Checklist for submitter If some of the following don't apply, delete the relevant line.  - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2026-05-24 01:18:42 +00:00 · 2023-11-27 18:23:01 -03:00 · 2023-11-27 18:23:01 -03:00 · 4d56d25f11
commit 4d56d25f11
parent 557b53e5df
5 changed files with 42 additions and 7 deletions
--- a/changes/15068-host-disk-encryption
+++ b/changes/15068-host-disk-encryption
@ -0,0 +1,2 @@
+* Fixed a bug causing the disk encryption key banner to not appear if the host
+  had disk encryption turned on manually without FV escrow.
--- a/server/datastore/mysql/hosts.go
+++ b/server/datastore/mysql/hosts.go
@ -3294,7 +3294,11 @@ VALUES
  (?, ?, ?, ?)
 ON DUPLICATE KEY UPDATE
  /* if the key has changed, set decrypted to its initial value so it can be calculated again if necessary (if null) */
-  decryptable = IF(base64_encrypted = VALUES(base64_encrypted), decryptable, VALUES(decryptable)),
+  decryptable = IF(
+    base64_encrypted = VALUES(base64_encrypted) AND base64_encrypted != '',
+    decryptable,
+    VALUES(decryptable)
+  ),
  base64_encrypted = VALUES(base64_encrypted),
  client_error = VALUES(client_error)
 `, hostID, encryptedBase64Key, clientError, decryptable)
--- a/server/datastore/mysql/hosts_test.go
+++ b/server/datastore/mysql/hosts_test.go
@ -6798,6 +6798,16 @@ func testHostsSetOrUpdateHostDisksEncryptionKey(t *testing.T, ds *Datastore) {
 	err = ds.SetOrUpdateHostDiskEncryptionKey(context.Background(), host3.ID, "ghi", "", ptr.Bool(false))
 	require.NoError(t, err)
 	checkEncryptionKeyStatus(t, ds, host3.ID, "ghi", ptr.Bool(false))
+
+	// set an empty key (backfill for issue #15068)
+	err = ds.SetOrUpdateHostDiskEncryptionKey(context.Background(), host3.ID, "", "", nil)
+	require.NoError(t, err)
+	checkEncryptionKeyStatus(t, ds, host3.ID, "", nil)
+
+	// setting the decryptable value works even if the key is still empty
+	err = ds.SetOrUpdateHostDiskEncryptionKey(context.Background(), host3.ID, "", "", ptr.Bool(false))
+	require.NoError(t, err)
+	checkEncryptionKeyStatus(t, ds, host3.ID, "", ptr.Bool(false))
 }

 func testHostsSetDiskEncryptionKeyStatus(t *testing.T, ds *Datastore) {
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@ -19,6 +19,7 @@ import (
 	"github.com/fleetdm/fleet/v4/server/contexts/publicip"
 	"github.com/fleetdm/fleet/v4/server/fleet"
 	apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
+	"github.com/fleetdm/fleet/v4/server/ptr"
 	"github.com/fleetdm/fleet/v4/server/service/async"
 	"github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/log/level"
@ -1505,9 +1506,16 @@ func directIngestDiskEncryptionKeyFileDarwin(
 		return nil
 	}

-	// it's okay if the key comes empty, this can happen and if the disk is
-	// encrypted it means we need to reset the encryption key
-	return ds.SetOrUpdateHostDiskEncryptionKey(ctx, host.ID, rows[0]["filevault_key"], "", nil)
+	// at this point we know that the disk is encrypted, if the key is
+	// empty then the disk is not decryptable. For example an user might
+	// have removed the `/var/db/FileVaultPRK.dat` or the computer might
+	// have been encrypted without FV escrow enabled.
+	var decryptable *bool
+	base64Key := rows[0]["filevault_key"]
+	if base64Key == "" {
+		decryptable = ptr.Bool(false)
+	}
+	return ds.SetOrUpdateHostDiskEncryptionKey(ctx, host.ID, base64Key, "", decryptable)
 }

 // directIngestDiskEncryptionKeyFileLinesDarwin ingests the FileVault key from the `file_lines`
@ -1556,9 +1564,17 @@ func directIngestDiskEncryptionKeyFileLinesDarwin(
 		return ctxerr.Wrap(ctx, err, "decoding hex string")
 	}

-	// it's okay if the key comes empty, this can happen and if the disk is
-	// encrypted it means we need to reset the encryption key
-	return ds.SetOrUpdateHostDiskEncryptionKey(ctx, host.ID, base64.StdEncoding.EncodeToString(b), "", nil)
+	// at this point we know that the disk is encrypted, if the key is
+	// empty then the disk is not decryptable. For example an user might
+	// have removed the `/var/db/FileVaultPRK.dat` or the computer might
+	// have been encrypted without FV escrow enabled.
+	var decryptable *bool
+	base64Key := base64.StdEncoding.EncodeToString(b)
+	if base64Key == "" {
+		decryptable = ptr.Bool(false)
+	}
+
+	return ds.SetOrUpdateHostDiskEncryptionKey(ctx, host.ID, base64Key, "", decryptable)
 }

 func directIngestMacOSProfiles(
--- a/server/service/osquery_utils/queries_test.go
+++ b/server/service/osquery_utils/queries_test.go
@ -1184,6 +1184,9 @@ func TestDirectIngestDiskEncryptionKeyDarwin(t *testing.T) {
 		if host.ID != hostID {
 			return errors.New("host ID mismatch")
 		}
+		if encryptedBase64Key == "" && (decryptable == nil || *decryptable == true) {
+			return errors.New("decryptable should be false if the key is empty")
+		}
 		return nil
 	}