
Check Core Storage Drives for Encryption

Audit macOS Core Storage volumes for encryption status and identify unencrypted drives

Worklet Details

What the Core Storage Encryption Checker does

This Automox Worklet™ audits all mounted volumes on macOS endpoints to identify drives that are not encrypted. The Worklet uses diskutil to examine each volume in /Volumes/, checking for Core Storage encryption information or APFS file system indicators. Volumes without either encryption type are flagged as unencrypted.

The Worklet excludes disk images from the check, as these are typically temporary mounts that do not require persistent encryption. The focus is on physical drives and partitions that store user data.

Why audit storage encryption status

Unencrypted storage presents a significant data protection risk. If an endpoint is lost or stolen, unencrypted drives allow anyone with physical access to read sensitive data. Compliance frameworks including HIPAA, PCI-DSS, and SOC 2 often require encryption of data at rest.

External drives, USB storage, and secondary internal drives may not be covered by FileVault encryption on the boot volume. This Worklet identifies these gaps in your encryption coverage, allowing you to take corrective action before a data breach occurs.

Regular encryption auditing demonstrates due diligence for compliance purposes. You can document that your organization actively monitors for unencrypted storage and addresses findings.

How encryption auditing works

  1. Evaluation phase: The Worklet immediately exits with a non-compliant status to trigger remediation. This design runs the audit check on every execution, which is appropriate for a reporting Worklet that does not make changes to the system.

  2. Remediation phase: The Worklet iterates through all volumes in /Volumes/, runs diskutil info on each, and examines the output for Core Storage Information or APFS Information sections. Disk images are skipped based on the Protocol field. Unencrypted volumes are reported to the Activity Log with their drive names.
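
The remediation logic described above, written out as an added example (it is not Automox's Worklet code): each volume is classified from the text of diskutil info using the Protocol field and the section names given on this page. The function names, the skip-on-error choice and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Automox's script. Strings matched are those named above.

# Reads `diskutil info` text on stdin; prints skipped, encrypted or unencrypted.
classify_volume() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -Eq '^[[:space:]]*Protocol:[[:space:]]+Disk Image'; then
        echo skipped        # disk images are excluded via the Protocol field
    elif printf '%s\n' "$text" | grep -Eq 'Core Storage Information|APFS Information'; then
        echo encrypted      # either section counts as covered, as on the page
    else
        echo unencrypted
    fi
}

# Prints the name of every unencrypted mount under $1 (default /Volumes).
audit_volumes() {
    root=${1:-/Volumes}
    found=0
    for vol in "$root"/*; do
        # Assumption: skip entries diskutil cannot describe rather than flag them.
        info=$(diskutil info "$vol" 2>/dev/null) || continue
        if [ "$(printf '%s\n' "$info" | classify_volume)" = unencrypted ]; then
            echo "Unencrypted volume: $(basename "$vol")"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ] || echo "No unencrypted Core Storage volumes were found."
}

# Constructed samples, trimmed to the lines the classifier reads.
SAMPLE_APFS='   Volume Name:   Macintosh HD
   Protocol:      PCI-Express
   This disk is an APFS Volume.  APFS Information:'
SAMPLE_HFS='   Volume Name:   BACKUP
   Protocol:      USB
   File System Personality:   Journaled HFS+'
SAMPLE_DMG='   Volume Name:   Installer
   Protocol:      Disk Image
   This disk is an APFS Volume.  APFS Information:'

# On a Mac run the audit; elsewhere show the classifier on the samples.
if command -v diskutil >/dev/null 2>&1; then
    audit_volumes /Volumes
else
    for sample in "$SAMPLE_APFS" "$SAMPLE_HFS" "$SAMPLE_DMG"; do
        printf '%s\n' "$sample" | classify_volume
    done
fi
```

As in the description above, an APFS Information section is treated as covered; this sketch reads no per-volume encryption flag.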

Encryption audit requirements

  • macOS endpoint (workstation or server)

  • diskutil command (included with macOS)

  • Volumes must be mounted at the time of the check

Expected audit output

After running, the Activity Log displays a list of any unencrypted volumes found, identified by their mount names. If all volumes are encrypted (either Core Storage or APFS), the Worklet reports that no unencrypted Core Storage volumes were found.

Use the audit results to identify endpoints requiring remediation. For volumes that should be encrypted, you may need to enable FileVault, use Disk Utility to encrypt the volume, or remove the unencrypted storage from the endpoint.

How to validate Check Core Storage Drives for Encryption changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for Check Core Storage Drives for Encryption.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as the exit operation.

  4. Validate remediation effects from script operations such as exit, then rerun the evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for Check Core Storage Drives for Encryption. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as exit. Use these indicators to verify that endpoint changes match intended policy outcomes.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
