mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
58563852f0
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40809 **Orbit agent: key rotation replaces decrypt-then-re-encrypt:** - When the disk is already encrypted, orbit now adds a new Fleet-managed recovery key protector, removes old ones, and escrows the new key. The disk is never decrypted. - If key escrow fails, the rotated key is cached in memory and retried on subsequent ticks without rotating again. - Removes `DecryptVolume` and `decrypt()` (no longer called from production code). **Server: osquery query returns both protection_status and conversion_status:** - The `disk_encryption_windows` query now returns both columns instead of just checking `protection_status = 1`. This lets the server correctly identify a disk as encrypted via `conversion_status = 1` even when `protection_status = 0`. - New `directIngestDiskEncryptionWindows` function parses both values, handles parse errors, and normalizes `protection_status = 2` (unknown) to NULL. **Server: new `bitlocker_protection_status` column and status logic:** - Adds `bitlocker_protection_status` column to `host_disks` (DB migration). - When a disk is encrypted and key is escrowed but protection is off, the host shows "Action required" with a detail message explaining the issue, instead of misleadingly showing "Verified." - `protection_status = 2` (unknown) and `NULL` (older orbit hosts) are treated as protection on for backward compatibility. - The `profiles_verified` and `profiles_verifying` branches in the combined profiles+BitLocker summary now handle `bitlocker_action_required`, counting those hosts as "pending". Contributor docs updates: https://github.com/fleetdm/fleet/pull/43241 Public docs updates: https://github.com/fleetdm/fleet/pull/43243/changes # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually ## Database migrations - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux and Windows - [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Bug Fixes** * Fixed Windows BitLocker encryption/decryption request loop on systems with secondary drives and auto-unlock. * **New Features** * Added BitLocker recovery key rotation capability, allowing safe key updates without full disk re-encryption. * Enhanced BitLocker protection status tracking to correctly display "Action required" when protection is disabled. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
1 line
446 B
Text
1 line
446 B
Text
- Fixed a Windows BitLocker encrypt/decrypt loop on machines with secondary drives using auto-unlock. Fleet now detects disk encryption using `conversion_status` (not just `protection_status`), preventing the server from repeatedly requesting encryption when the disk is already encrypted. Added `bitlocker_protection_status` tracking so the UI shows "Action required" when BitLocker protection is off instead of misleadingly showing "Verified."
|