Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91

Update contributor docs for Bitlocker (#43241)

Browse source 
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #40809
This commit is contained in:
Victor Lyuboslavsky 2026-04-13 09:02:43 -05:00 committed by GitHub
parent 7b49a20f7c
commit adfe6b59bb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 21 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
docs/Contributing/architecture/mdm/disk-encryption.md
View file

@ -118,10 +118,18 @@ When disk encryption is enabled, the server sends a notification to orbit, which
[Win32_EncryptableVolume class](https://learn.microsoft.com/en-us/windows/win32/secprov/getencryptionmethod-win32-encryptablevolume)
to encrypt the used space of the disk with TPM and Numerical Password protectors and generate an encryption key.
If the disk is already encrypted, it will first be decrypted and then re-encrypted.
If the disk is already encrypted, orbit rotates the recovery key: it adds a new Fleet-managed
Numerical Password protector, removes old recovery key protectors, and escrows the new key. The disk
is never decrypted. This matches how other MDM platforms handle pre-encrypted disks and avoids issues
with secondary drives that use BitLocker auto-unlock (which prevents decrypting the OS drive).
After the disk is encrypted, orbit sends the key back to the server using an orbit-authenticated
endpoint (`POST /api/fleet/orbit/disk_encryption_key`).
After the disk is encrypted (or the key is rotated), orbit sends the key back to the server using an
orbit-authenticated endpoint (`POST /api/fleet/orbit/disk_encryption_key`).
The server determines whether the disk is encrypted by checking both `conversion_status` (whether
the data is encrypted) and `protection_status` (whether the TPM protector is active) from the
osquery `bitlocker_info` table. If the disk is encrypted but protection is off (e.g., BitLocker
suspended for a BIOS update), the host shows "Action required" in the Fleet UI.
```mermaid
sequenceDiagram
@ -135,14 +143,19 @@ sequenceDiagram
host->>fleet: Enroll in Fleet MDM
fleet->>host: Orbit/osquery installed
fleetd->>fleet: request vitals queries
fleet->>fleetd: Return reports including encryption status
fleet->>fleetd: Return reports including encryption status<br>(protection_status and conversion_status)
fleetd->>fleet: return report data including encryption status
fleet->>fleetd: Enable notifs.EnforceBitLockerEncryption in orbit<br>config because Host is encrypted but no<br>key is escrowed or host is not encrypted
fleetd->>host: Decrypt OS volume(if encrypted)
fleetd->>fleetd: Wait for decryption
alt Disk not encrypted
fleetd->>host: Create TPM and Numerical Password protectors
host->>fleetd: Return recovery key after creating protectors
fleetd->>host: Encrypt OS volume
else Disk already encrypted
fleetd->>host: Add new Numerical Password protector
host->>fleetd: Return new recovery key
fleetd->>host: Remove old recovery key protectors
fleetd->>host: Ensure TPM protector exists
end
fleetd->>fleet: Send recovery key
fleetd->>fleet: request vitals reports
fleet->>fleetd: Return vitals reports including query<br>to check encryption status

4
docs/Contributing/product-groups/mdm/mdm-overview.md
View file

@ -160,9 +160,9 @@ If we're not able to decrypt the key for a host, the key needs to be rotated. Ro
Disk encryption in Windows is performed entirely by orbit.
When disk encryption is enabled, the server sends a notification to orbit, who calls the [Win32_EncryptableVolume class](https://learn.microsoft.com/en-us/windows/win32/secprov/getencryptionmethod-win32-encryptablevolume) to encrypt/decrypt the disk and generate an encryption key.
When disk encryption is enabled, the server sends a notification to orbit, which calls the [Win32_EncryptableVolume class](https://learn.microsoft.com/en-us/windows/win32/secprov/getencryptionmethod-win32-encryptablevolume) to encrypt the disk and generate an encryption key. If the disk is already encrypted, orbit rotates the recovery key (adds a new Fleet-managed protector, removes old ones) without decrypting.
After the disk is encrypted, orbit sends the key back to the server using an orbit-authenticated endpoint (`POST /api/fleet/orbit/disk_encryption_key`)
After the disk is encrypted (or the key is rotated), orbit sends the key back to the server using an orbit-authenticated endpoint (`POST /api/fleet/orbit/disk_encryption_key`)
### Load testing