
Has anyone got a SQL query to detect devices that have Opal Encrypted Drives?

We are updating to Windows 10 and some devices with Opal (early version of it) fail the migration as Sophos needs to decrypt the volume before we can wipe it clean. There doesn't seem to be any SQL key/Table (that I can find) that shows if a volume is hardware or Sophos encrypted.

Regards

Steve

(Support have forwarded me to a few SQL query pages, but they don't have the right info)



This thread was automatically locked due to age.
  • Hi  

    There is no official query for this feature from the Sophos side, even in the article with the few report queries. While you have that script ready, you can find the list of computers which are using the OPAL drives through the below statement:

    "Management of endpoints with Opal-compliant hard drives in SafeGuard Enterprise is transparent, which means that management functions in general work the same as for other endpoints protected by SafeGuard Enterprise. The type of computer is shown in the Inventory of a container in Users and Computers. The column POA Type tells you if the respective computer is encrypted by SafeGuard Enterprise or uses a self-encrypting, Opal-compliant hard drive."

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Thanks for your help, I'll have a look at the console. One other thing, do you know where I can obtain the Sophos Opal decryption tool: OpalEmergencyDecrypt.exe

    Regards,

    Steve

  • use SafeGuard

    -- One row per machine that reports encrypted drives, with its POA type
    SELECT
        SAFE_GUARD_DIR.SGD_name as 'Machine name',
        IVT_MACHINES.IMA_ENCRYPTED_DRIVES as 'Drive encrypted',
        IVT_MACHINES.IMA_UNENCRYPTED_DRIVES as 'Drive not encrypted',
        IVT_MACHINES.IMA_POA_TYPE as 'POA Type',
        IVT_MACHINES.IMA_LAST_POLICY_RECEIVED as 'Last policy received on',
        IVT_MACHINES.IMA_LAST_SYNCHRONIZATION as 'Last synchronization on'
    -- Inventory rows joined to the directory entry that holds the machine name
    FROM IVT_MACHINES INNER JOIN
        SAFE_GUARD_DIR ON IVT_MACHINES.IMA_MACHINE_ID = SAFE_GUARD_DIR.SGD_ID
    WHERE (IVT_MACHINES.IMA_ENCRYPTED_DRIVES IS NOT NULL)
    ORDER BY IVT_MACHINES.IMA_MACHINE_ID

     

    Thanks for the update again. Running this report and extracting the data helps.

    The numbers for POA type are:

    1) SGN
    2) Bitlocker
    3) Opal
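
Building on the query and the POA type numbers in the post above, an added example that is not part of the original thread: it labels each code, narrows the result to Opal machines plus any code outside the posted list, and then counts machines per code. It assumes IMA_POA_TYPE stores those numbers (1 SGN, 2 Bitlocker, 3 Opal, as reported for SafeGuard version 7); the column aliases are illustrative.

```sql
-- Added example. Database, table and column names come from the query posted
-- in this thread. Assumption: IMA_POA_TYPE is numeric and uses the mapping
-- given in the post (1 = SGN, 2 = Bitlocker, 3 = Opal).
USE SafeGuard;

-- 1) Machines to handle before the migration: Opal drives, plus any POA type
--    code that the posted mapping does not cover.
SELECT
    d.SGD_name                 AS [Machine name],
    m.IMA_POA_TYPE             AS [POA type code],
    CASE m.IMA_POA_TYPE
        WHEN 1 THEN 'SGN'
        WHEN 2 THEN 'Bitlocker'
        WHEN 3 THEN 'Opal'
        ELSE 'Unmapped'
    END                        AS [POA type],
    m.IMA_ENCRYPTED_DRIVES     AS [Drive encrypted],
    m.IMA_LAST_SYNCHRONIZATION AS [Last synchronization on]
FROM IVT_MACHINES AS m
INNER JOIN SAFE_GUARD_DIR AS d
    ON m.IMA_MACHINE_ID = d.SGD_ID
WHERE m.IMA_POA_TYPE = 3                 -- Opal
   OR m.IMA_POA_TYPE NOT IN (1, 2, 3)    -- codes outside the posted list
ORDER BY m.IMA_POA_TYPE, d.SGD_name;

-- 2) Machine count per POA type code, to size the work and to spot codes
--    that still need to be identified.
SELECT
    m.IMA_POA_TYPE AS [POA type code],
    COUNT(*)       AS [Machines]
FROM IVT_MACHINES AS m
WHERE m.IMA_ENCRYPTED_DRIVES IS NOT NULL
GROUP BY m.IMA_POA_TYPE
ORDER BY m.IMA_POA_TYPE;
```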

     

     

  • Hi  

    I am glad that my comment helps you to find the way to get your SQL query for the report. 

    The OpalEmergencyDecrypt.exe tool is available to Sophos support engineers as it is an internal tool and needs to be used under the monitoring of Support staff. I'd request you to open a support case here. You can reference this article in the description and ask them to provide help on the tool, mentioning this is an internal tool.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • In the above script, what does POA type '5' mean? Is that Bitlocker using the drive's algorithm (these are W10 machines with Bitlocker)? The only one with a '2' is a VMware Workstation instance running Windows 8.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Sorry, can't answer that one. We're on version 7 of Safeguard so later versions might be different (we also only had 3 encryption types)

     

  • Yeah this is on Version 8.2, W10 clients with TPM (I'm thinking maybe the TPM is the difference, the one that is only "bitlocker" is in a VM without a TPM).

    CTO, Convergent Information Security Solutions, LLC


  • Hi  

    You can run the SGNSTATE.exe on that client and verify the POA type. POA type has been replaced with Encryption type in the latest versions. Please refer to this article for more information on sgnstate.exe tool.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • I think you missed the point, was looking for a way to do it from the Enterprise management database, not interested in running it on a bunch of clients.

    CTO, Convergent Information Security Solutions, LLC


  • Hi  

    You can run the command on the one particular client where you received the POA type 5 in the reports and confirm the POA type name as this tool will let you know the name of the POA type "5".

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support
