Encrypt Removable Drives on Insertion
  • 16 Oct 2020

The following example PowerShell script encrypts files on a removable drive when it is inserted. It should be run either as the SYSTEM user at system startup via Group Policy, or at logon by normal users via Task Scheduler or Group Policy.
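As an added deployment example (not part of the original article or of SecureCircle's tooling), the following registers the watcher as a scheduled task that runs as SYSTEM from boot. The script path and task name are assumptions; the Circle ID, Device ID and server are the values from the script's own .EXAMPLE and must be replaced with yours.

```powershell
# Added example: register watch_usb.ps1 as a SYSTEM task that starts at boot.
# Run from an elevated PowerShell. Script path and task name are assumptions.
$scriptPath = 'C:\Scripts\watch_usb.ps1'                 # assumed location
$circle     = '66d100e2-5ca0-48d1-af23-a3061333cbd6'     # Circle ID from the article's example
$deviceId   = 'd83c4d9f-3bfa-470c-a1c4-6dcdb91e986a'     # Device ID from the article's example
$server     = 'securecircle.local'

if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Script not found: $scriptPath"
}

# -File runs the script non-interactively; the path is quoted in case it contains spaces.
$arguments = "-NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden " +
             "-File `"$scriptPath`" -circle $circle -deviceId $deviceId -server $server"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments

# Start at boot so the watcher is already registered for WMI events before anyone
# inserts a drive.
$trigger = New-ScheduledTaskTrigger -AtStartup

# Run as SYSTEM so the WMI subscription and fhtools work regardless of who logs on.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# The watcher loops forever. Task Scheduler's default 72-hour execution time limit
# would silently stop it, so disable the limit (ISO 8601 duration PT0S) and let the
# task restart itself if the script exits unexpectedly.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
            -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) -StartWhenAvailable
$settings.ExecutionTimeLimit = 'PT0S'

Register-ScheduledTask -TaskName 'SecureCircle Watch USB' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force `
    -Description 'Encrypts files on removable drives labelled USBDRIVE when they are inserted.'

# Start it now rather than waiting for the next reboot, then confirm it is running.
Start-ScheduledTask -TaskName 'SecureCircle Watch USB'
Get-ScheduledTask -TaskName 'SecureCircle Watch USB' | Get-ScheduledTaskInfo
```

A task run this way has no console, so the script's Write-Host lines are not visible anywhere; check the task's LastTaskResult with Get-ScheduledTaskInfo to confirm it is still running.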

watch_usb.ps1

#Requires -version 3.0
 
<#
.SYNOPSIS
Encrypt files on a removable device when it is inserted.
.DESCRIPTION
This script uses WMI to watch for VolumeChange events.  If a Removable Disk is inserted it will be attached to a
Circle and all files within will be encrypted.
.PARAMETER circle
The ID of the Circle to use when encrypting files.
.PARAMETER deviceId
The Device ID of this endpoint.
.PARAMETER server
The URI of the SecureCircle server.  HTTPS is always assumed.
.EXAMPLE
./watch_usb.ps1 -circle 66d100e2-5ca0-48d1-af23-a3061333cbd6 -deviceId d83c4d9f-3bfa-470c-a1c4-6dcdb91e986a -server securecircle.local
.NOTES
Author: monotone
Date: 2010-01-09
Author: Steve Bouché <steve.bouche@securecircle.com>
Date: 2019-03-13
.LINK
https://answers.microsoft.com/en-us/windows/forum/all/task-scheduler-how-to-automatically-synchronize-my/45a49d83-b1d8-4d37-8896-3d2696cf9795
.LINK
https://securecircle.atlassian.net/servicedesk/customer/kb/view/639729665
#>
 
# Set needed parameters for this script
param (
    [Parameter(Mandatory = $true)][string]$circle,
    [Parameter(Mandatory = $true)][string]$deviceId,
    [Parameter(Mandatory = $true)][string]$server
)
 
# Register to receive VolumeChange WMI events
$SourceID = [guid]::NewGuid().ToString()   # New-Guid needs PowerShell 5; this works on 3.0+
Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier $SourceID
 
write-host (get-date -format s) " Beginning script..."
 
# Loop and wait for events
do
{
    # Wait for the VolumeChange events
    $newEvent = Wait-Event -SourceIdentifier $SourceID
 
    # Save the EventType and give it a friendly name for logging
    $eventType = $newEvent.SourceEventArgs.NewEvent.EventType
    $eventTypeName = switch ($eventType)
    {
        1 {
            "Configuration changed"
        }
        2 {
            "Device arrival"
        }
        3 {
            "Device removal"
        }
        4 {
            "docking"
        }
    }
    write-host (get-date -format s) " Event detected = " $eventTypeName
 
    # We are waiting for EventType 2
    if ($eventType -eq 2)
    {
        # Save the drive's letter and label
        $driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName
        $driveLabel = ([wmi]"Win32_LogicalDisk='$driveLetter'").VolumeName
 
        # Save the drive's type to filter by and give it a friendly name for logging
        $driveType = ([wmi]"Win32_LogicalDisk='$driveLetter'").DriveType
        $driveTypeName = switch ($driveType)
        {
            0 {
                "Unknown"
            }
            1 {
                "No Root Directory"
            }
            2 {
                "Removable Disk"
            }
            3 {
                "Local Disk"
            }
            4 {
                "Network Drive"
            }
            5 {
                "Compact Disc"
            }
            6 {
                "RAM Disk"
            }
        }
 
        write-host (get-date -format s) " Drive name = " $driveLetter
        write-host (get-date -format s) " Drive label = " $driveLabel
        write-host (get-date -format s) " Drive type = " $driveTypeName "|" $driveType
 
        # Execute process if drive matches specified condition(s)
        # If the drive is removable and has the label USBDRIVE the command will execute
        if ($driveType -eq 2 -and $driveLabel -eq 'USBDRIVE')
        {
            write-host (get-date -format s) " Starting task in 3 seconds..."
            start-sleep -seconds 3
 
            # Attach the drive to the circle.  New files written to the drive will be encrypted.
            fhtools --attach --input "$driveLetter\" --circle $circle --url $server
 
            # Recursively act on all files. -Exclude only filters item names and does not stop
            # recursion into the folder, so skip System Volume Information by path instead and
            # ignore access-denied errors from it
            Get-ChildItem "$driveLetter\" -Recurse -File -ErrorAction SilentlyContinue |
                    Where-Object { $_.FullName -notlike "$driveLetter\System Volume Information\*" } |
                    Foreach-Object {
                        # Don't touch the file if it is already encrypted
                        fhtools --info --input $_.FullName
                        $infoResult = $LASTEXITCODE
                        if ($infoResult -ne 0)
                        {
                            write-host (get-date -format s) " Encrypting file: " $_.FullName
                            fhtools --containerize --input $_.FullName --circle $circle --endid $deviceId --url $server
                        }
                        else
                        {
                            write-host (get-date -format s) " File is already encrypted: " $_.FullName
                        }
                    }
        }
        else
        {
            write-host (get-date -format s) " Ignoring attached drive, it did not match conditions..."
        }
    }
    Remove-Event -SourceIdentifier $SourceID
} while ($true) # Loop until next event
Unregister-Event -SourceIdentifier $SourceID
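The following is an added dry-run helper, not part of the original script: it applies the same drive-type and label rule, lists the files the watcher would hand to fhtools, and records the result in the Windows Application log instead of the console, so a SYSTEM task with no console can still be audited before encryption is enabled. The function names and the event source 'WatchUsb' are assumptions.

```powershell
# Added example: dry run of the watcher's matching and enumeration logic with event-log
# output. Nothing is encrypted here. Function names and event source are assumptions.
$EventSource = 'WatchUsb'
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource   # one-time setup, needs admin
}

function Write-WatchLog {
    param([string]$Message, [string]$EntryType = 'Information', [int]$EventId = 1000)
    Write-EventLog -LogName Application -Source $EventSource -EntryType $EntryType `
        -EventId $EventId -Message ((Get-Date -Format s) + ' ' + $Message)
}

# Same rule as the watcher: DriveType 2 (Removable Disk) and the expected volume label.
function Test-WatchedVolume {
    param([string]$DriveLetter, [string]$ExpectedLabel = 'USBDRIVE')
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if ($null -eq $disk) { return $false }
    return ($disk.DriveType -eq 2 -and $disk.VolumeName -eq $ExpectedLabel)
}

# Files the watcher would pass to fhtools. Get-ChildItem -Exclude only filters names and
# still recurses into the folder, so System Volume Information is excluded by full path.
function Get-FilesToEncrypt {
    param([string]$DriveLetter)
    Get-ChildItem -LiteralPath "$DriveLetter\" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike "$DriveLetter\System Volume Information\*" }
}

# Dry run over every volume currently attached to this endpoint.
foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk) {
    if (Test-WatchedVolume -DriveLetter $disk.DeviceID) {
        $files = @(Get-FilesToEncrypt -DriveLetter $disk.DeviceID)
        Write-WatchLog ("Volume {0} ({1}) matched; {2} file(s) would be encrypted" -f `
            $disk.DeviceID, $disk.VolumeName, $files.Count)
        $files | ForEach-Object { Write-WatchLog ("Candidate: " + $_.FullName) -EventId 1001 }
    } else {
        Write-WatchLog ("Volume {0} ignored (type {1}, label '{2}')" -f `
            $disk.DeviceID, $disk.DriveType, $disk.VolumeName)
    }
}
```

Review the resulting entries with Get-EventLog -LogName Application -Source WatchUsb before switching the real watcher on, to confirm only the intended drive and files are selected.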