Paquet WAPT tis-enable-bitlocker 10.5.0-36 windows

tis-enable-bitlocker

10.5.0-36

Activation du chiffrement BitLocker sur le disque système

554 téléchargements

Télécharger
Voir le résultat de la construction Voir l'analyse de VirusTotal

Description

package : tis-enable-bitlocker
name : Enable BitLocker
version : 10.5.0-36
categories : Security
maintainer : WAPT Team,Tranquil IT,Jimmy PELÉ
installed_size :
editor :
licence : wapt_public
signature_date : 2024-09-30T12:26:00.000000
size : 8.89 Ko
locale :
target_os : windows
impacted_process :
architecture : all

control


package           : tis-enable-bitlocker
version           : 10.5.0-36
architecture      : all
section           : base
priority          : optional
name              : Enable BitLocker
categories        : Security
maintainer        : WAPT Team,Tranquil IT,Jimmy PELÉ
description       : Enabling BitLocker encryption on system drive
depends           : 
conflicts         : 
maturity          : PROD
locale            : 
target_os         : windows
min_wapt_version  : 2.3
sources           : 
installed_size    : 
impacted_process  : 
description_fr    : Activation du chiffrement BitLocker sur le disque système
description_pl    : Włączenie szyfrowania BitLocker na dysku systemowym
description_de    : Aktivieren der BitLocker-Verschlüsselung auf dem Systemlaufwerk
description_es    : Activación del cifrado BitLocker en la unidad del sistema
description_pt    : Ativar a encriptação BitLocker na unidade do sistema
description_it    : Abilitazione della crittografia BitLocker sull'unità di sistema
description_nl    : BitLocker-encryptie inschakelen op systeemschijf
description_ru    : Включение шифрования BitLocker на системном диске
audit_schedule    : 1d
editor            : 
keywords          : 
licence           : wapt_public
homepage          : 
package_uuid      : 845875fb-e217-4e89-90c9-d6a76525dc7b
valid_from        : 
valid_until       : 
forced_install_on : 
changelog         : 
min_os_version    : 10.0
max_os_version    : 
icon_sha256sum    : b895508a66d6cea028c2a7781604a358298ba9c8082602ab633e8bff7f2b844c
signer            : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature_date    : 2024-09-30T12:26:00.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature         : vhgUxvZMKTfbMgM4OAyD7RMF8VyYiaEIMHY0I84VYB3j0IYoyov/zyQmzmhMssXFjxXROsZ1pnB28drtEmHcdlfXDP+dRDRBgV+du5EVRUDkPRnlWeAdcrgqq1AKouiPFI6TjEVAjLYw9cO3odm1M3P9IUu9hK2vX4Ciiz2HpVaENYNGTxp6bqWdajIXE9ehF2PDR5WX2Ey06wrD7pfPltoxIN76LdXD1sgccxfAy1AFvXE4q0tDGvgBFsNNJiICaFwCVI8uxyMP+sqCByo9X8EtJ39hGqrDAM8DOi/Oozjg4K+dKMAep4+4CruCRtq33fkrtKf4Vevs6mWEr2m8qg==

Setup.py


# -*- coding: utf-8 -*-
from setuphelpers import *

r"""
Sources:
https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/faq
https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment
https://learn.microsoft.com/powershell/module/bitlocker/get-bitlockervolume

https://learn.microsoft.com/en-us/windows/win32/secprov/getconversionstatus-win32-encryptablevolume#parameters


BitLocker Powershell informations:
PS C:\waptdev\enable-bitlocker\windows> Get-BitLockerVolume | Get-Member -Name *

   TypeName: Microsoft.BitLocker.Structures.BitLockerVolume

Name                 MemberType Definition
----                 ---------- ----------
Equals               Method     bool Equals(System.Object obj)
GetHashCode          Method     int GetHashCode()
GetType              Method     type GetType()
ToString             Method     string ToString()
AutoUnlockEnabled    Property   System.Nullable[bool] AutoUnlockEnabled {get;}
AutoUnlockKeyStored  Property   System.Nullable[bool] AutoUnlockKeyStored {get;}
CapacityGB           Property   float CapacityGB {get;}
ComputerName         Property   string ComputerName {get;}
EncryptionMethod     Property   Microsoft.BitLocker.Structures.BitLockerVolumeEncryptionMethodOnGet EncryptionMethod {…
EncryptionPercentage Property   System.Nullable[float] EncryptionPercentage {get;}
KeyProtector         Property   System.Collections.ObjectModel.ReadOnlyCollection[Microsoft.BitLocker.Structures.BitLo…
LockStatus           Property   Microsoft.BitLocker.Structures.BitLockerVolumeLockStatus LockStatus {get;}
MetadataVersion      Property   int MetadataVersion {get;}
MountPoint           Property   string MountPoint {get;}
ProtectionStatus     Property   Microsoft.BitLocker.Structures.BitLockerVolumeProtectionStatus ProtectionStatus {get;}
VolumeStatus         Property   System.Nullable[Microsoft.BitLocker.Structures.BitLockerVolumeStatus] VolumeStatus {ge…
VolumeType           Property   Microsoft.BitLocker.Structures.BitLockerVolumeType VolumeType {get;}
WipePercentage       Property   System.Nullable[float] WipePercentage {get;}


"""
volumestatus_dict = {
    0: "FullyDecrypted",
    1: "FullyEncrypted",
    2: "EncryptionInProgress",
    3: "DecryptionInProgress",
    4: "EncryptionPaused",
    5: "DecryptionPaused",
}
# https://learn.microsoft.com/en-us/windows/win32/secprov/getencryptionmethod-win32-encryptablevolume#parameters
# EncryptionMethod: XtsAes128 = 6; XtsAes256 = 7 #
encryptionmethod_dict = {
    0: "None",
    1: "AES_128_WITH_DIFFUSER",
    2: "AES_256_WITH_DIFFUSER",
    3: "Aes128",
    4: "Aes256",
    5: "HARDWARE_ENCRYPTION",
    6: "XtsAes128",
    7: "XtsAes256",
    -1: "(uint32)",
}
target_encryption_method = 7
allow_swap_encryption_method = False  # Not implemented yet


def install():

    # Installing the package
    if get_powershell_str("Get-ComputerInfo", "BiosFirmwareType").upper() == "UEFI":
        # BiosFirmwareType: BIOS = 1; UEFI = 2
        print("OK: This computer BIOS boot in UEFI mode")
    else:
        error("ERROR: This computer BIOS does not boot in UEFI mode, you have to change BIOS mode to continue")

    tpm_state = check_tpm_state()
    bitlockervolume = run_powershell(f"Get-BitLockerVolume -MountPoint {systemdrive}")
    protection_status = bitlockervolume.get("ProtectionStatus", 0)  # ProtectionStatus: Off = 0; On = 1
    volumestatus = volumestatus_dict[bitlockervolume.get("VolumeStatus", 0)]

    if tpm_state == "OK":
        protection_status = bitlockervolume.get("ProtectionStatus", 0)  # ProtectionStatus: Off = 0; On = 1
        volumestatus = volumestatus_dict[bitlockervolume.get("VolumeStatus", 0)]

        # Checking if drive is encrypted
        if protection_status == 1:
            print(f"OK: {systemdrive} OperatingSystem drive is encrypted and Protection status is ON")

            # Checking EncryptionMethod
            drive_encryption_method = bitlockervolume.get("EncryptionMethod", 0)
            if drive_encryption_method != target_encryption_method:
                print(
                    f"INFO: BitLocker encryption method is: {encryptionmethod_dict[drive_encryption_method]} and may should be: {encryptionmethod_dict[target_encryption_method]}"
                )
            else:
                print(f"INFO: BitLocker encryption method is: {encryptionmethod_dict[drive_encryption_method]}")

        # Checking if drive is encypted but protection status is OFF
        elif protection_status == 0 and volumestatus == "FullyEncrypted":
            print(f"WARNING: {systemdrive} OperatingSystem drive is encrypted but protection status is OFF")

            # Checking EncryptionMethod
            drive_encryption_method = bitlockervolume.get("EncryptionMethod", 0)
            if drive_encryption_method != target_encryption_method:
                print(
                    f"INFO: BitLocker encryption method is: {encryptionmethod_dict[drive_encryption_method]} and may should be: {encryptionmethod_dict[target_encryption_method]}"
                )
            else:
                print(f"INFO: BitLocker encryption method is: {encryptionmethod_dict[drive_encryption_method]}")

            # Resume Protection
            print(f"Resume Protection: {systemdrive} drive with BitLocker encryption method: {encryptionmethod_dict[drive_encryption_method]}")
            resume_bitlocker_pwsh = f"Resume-Bitlocker -MountPoint {systemdrive}"
            print(resume_bitlocker_pwsh)
            bitlockervolume = run_powershell(resume_bitlocker_pwsh)

            # Checking BitLocker state
            if bitlockervolume is not None:
                protection_status = bitlockervolume.get("ProtectionStatus", 0)  # ProtectionStatus: Off = 0; On = 1
                volumestatus = volumestatus_dict[bitlockervolume.get("VolumeStatus", 0)]
                if protection_status == 1:
                    print(f"BitLocker state of {systemdrive} drive is: {volumestatus} and Protection Status is ON")
                else:
                    print(f"BitLocker state of {systemdrive} drive is: {volumestatus} and Protection Status is OFF")
            else:
                if volumestatus != "FullyEncrypted" and force:
                    keyprotectorid = run_powershell(f"(Get-BitLockerVolume {systemdrive}).KeyProtector[0].KeyProtectorId")
                    remove_bitlockerkeyprotector_pwsh = f'Remove-BitlockerKeyProtector -MountPoint {systemdrive} -KeyProtectorId "{keyprotectorid}"'
                    print(remove_bitlockerkeyprotector_pwsh)
                    run_powershell(remove_bitlockerkeyprotector_pwsh)
                    error(f"BitlockerKeyProtector have been removed on {systemdrive} please reinstall this package.")
                else:
                    error(
                        "ERROR: The above PowerShell command appears to be unsuccessful.\nYou can force install this package to remove BitlockerKeyProtector."
                    )

        else:

            # Encrypting drive
            print(f"Encrypting: {systemdrive} drive with BitLocker encryption method: {encryptionmethod_dict[target_encryption_method]}")
            enable_bitlocker_pwsh = f"Enable-Bitlocker -MountPoint {systemdrive} -EncryptionMethod {encryptionmethod_dict[target_encryption_method]} -SkipHardwareTest -TpmProtector"
            print(enable_bitlocker_pwsh)

            if volumestatus != "EncryptionInProgress":
                bitlockervolume = run_powershell(enable_bitlocker_pwsh)
            else:
                print("Skipping the above PowerShell command because EncryptionInProgress.")

            # Checking BitLocker state
            if bitlockervolume is not None:
                volumestatus = volumestatus_dict[bitlockervolume.get("VolumeStatus", 0)]
                print(f"BitLocker state of {systemdrive} drive is: {volumestatus}")
            else:
                if volumestatus != "EncryptionInProgress" and force:
                    keyprotectorid = run_powershell(f"(Get-BitLockerVolume {systemdrive}).KeyProtector[0].KeyProtectorId")
                    remove_bitlockerkeyprotector_pwsh = f'Remove-BitlockerKeyProtector -MountPoint {systemdrive} -KeyProtectorId "{keyprotectorid}"'
                    print(remove_bitlockerkeyprotector_pwsh)
                    run_powershell(remove_bitlockerkeyprotector_pwsh)
                    error(f"BitlockerKeyProtector have been removed on {systemdrive} please reinstall this package.")
                else:
                    error(
                        "ERROR: The above PowerShell command appears to be unsuccessful.\nYou can force install this package to remove BitlockerKeyProtector."
                    )

    elif tpm_state == "WARNING":
        print("WARNING: This computer is not ready to silently enable BitLocker, you must fix his TPM chip state")

    elif tpm_state == "ERROR":
        print("ERROR: This computer cannot silently enable BitLocker, since no TPM chip have been found. You can only enable BitLocker manually")

    # Adding BitLocker Key Protector
    keyprotectortype_list = ",".join(
        run(f'powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -OutputFormat text -Command "(Get-BitLockerVolume -MountPoint {systemdrive}).volumestatus"').splitlines()
        )
    if not "RecoveryPassword" in keyprotectortype_list:
        run(f'powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -OutputFormat text -Command "Add-BitLockerKeyProtector -MountPoint {systemdrive} -RecoveryPasswordProtector"')


def audit():
    audit_status = "OK"
    is_package_installed = False

    for package in [p["package"] for p in WAPT.installed()]:
        if "audit-bitlocker" in package:
            is_package_installed = True
            break

    if not is_package_installed:
        print('WARNING: You have to install "tis-audit-bitlocker" to Backup-BitLockerKeyProtector in AD.')
        print('IMPORTANT: You have to create a customize package of "tis-audit-bitlocker" to Backup-BitLockerKeyProtector in WAPT.')
        audit_status = "WARNING"
    else:
        print("OK: BitLocker seems audited.")

    return audit_status


def check_tpm_state():
    audit_status = "OK"
    get_tpm = run_powershell("Get-Tpm")
    if get_tpm["TpmPresent"] == False:
        print("ERROR: No TPM chip found on this system")
        audit_status = "ERROR"
    else:
        print("OK: TPM chip found on this system")
        if get_tpm["TpmReady"] == False:
            print("WARNING: TPM chip not ready")
            audit_status = "WARNING"
        else:
            print("OK: TPM chip ready")
    WAPT.write_audit_data_if_changed("enable-bitlocker", "TpmPresent", get_tpm["TpmPresent"])
    WAPT.write_audit_data_if_changed("enable-bitlocker", "TpmReady", get_tpm["TpmReady"])
    if get_tpm["ManufacturerVersion"]:
        WAPT.write_audit_data_if_changed("enable-bitlocker", "ManufacturerVersion", get_tpm["ManufacturerVersion"].split("\x00")[0].strip())
    return audit_status

manifest.sha256


                                
38d056ab130f7bf7c481c12636a4e9959de36561d3dfcbe54c6e3571bc0c1dc3 : WAPT/certificate.crt 
9337dd19cda59b49199ef3cafb64b61c72f2d68945697a84af760060f085e265 : WAPT/control 
b895508a66d6cea028c2a7781604a358298ba9c8082602ab633e8bff7f2b844c : WAPT/icon.png 
18e26534daaf956768de24abc1f8ce7aad4eb3619a0c0a42c8abd36c1e4ab8f5 : luti.json 
2b2591895ec886fb4299eebc48bd014f2d4fb47478cd78ed9887e0d223575ed8 : setup.py

Choisir les langues

Choisir l'architecture

Choisir le système d'exploitation

Choisir une catégorie

Filter sur la licence des paquets

tis-enable-bitlocker

Description

control

Setup.py