Disk encryption enabled
What this checks
Checks that full-disk encryption is active. On macOS, it checks FileVault status via fdesetup status. On Linux, it checks for LUKS-encrypted volumes via lsblk -f. An unencrypted disk on a self-hosted AI server means that anyone with physical access, or anyone who can mount the disk through recovery mode or by removing the drive, can read all your data, credentials, and model weights without a password.
Why it matters
Mac Mini and home-server deployments are particularly at risk: the machine is often in a shared space, physically accessible, and rarely monitored. Without disk encryption, a stolen or briefly accessed machine gives full access to OpenClaw config, API keys, conversation history, and any local models. Disk encryption is the simplest and highest-impact mitigation for physical access risks.
How to fix it
macOS: Enable FileVault
# Check current status:
fdesetup status
# Enable FileVault (will prompt for password):
sudo fdesetup enable
# Or via System Settings → Privacy & Security → FileVault → Turn On
FileVault encrypts in the background; the machine stays usable during encryption. A restart is required to begin. Save your recovery key securely (not on the same machine).
Linux: Enable LUKS
LUKS must be configured at install time for a clean setup. If your existing disk is unencrypted, the safest approach is to back up, reinstall with encryption enabled, and restore. Most modern Linux installers (Ubuntu, Fedora, Debian) offer full-disk encryption as a checkbox during installation.
# Verify existing LUKS volumes:
lsblk -f | grep -i luks
# Check if root partition is encrypted:
cryptsetup status /dev/mapper/luks-*
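A match from `lsblk -f | grep -i luks` only shows that some LUKS volume exists, not that the root filesystem is on it. The following is an added example, not clawvitals code and not part of the original page: it walks the device chain under `/` and reports whether it passes through a `crypto_LUKS` device. The function names, the `lsblk -P -o KNAME,PKNAME,FSTYPE,MOUNTPOINT` invocation and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not clawvitals code. root_on_luks reads lsblk --pairs output on stdin.
# Exit status: 0 = "/" sits on LUKS, 1 = it does not, 2 = no "/" mount in the input.
# Assumed live use: lsblk -P -o KNAME,PKNAME,FSTYPE,MOUNTPOINT | root_on_luks
root_on_luks() {
  awk '
    # Return the value of KEY="value" from one lsblk --pairs line.
    function field(line, key,   re) {
      re = " " key "=\"[^\"]*\""
      if (!match(line, re)) return ""
      return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      line = " " $0   # leading space keeps KNAME from matching inside PKNAME
      k = field(line, "KNAME")
      parent[k] = field(line, "PKNAME")
      fstype[k] = field(line, "FSTYPE")
      if (field(line, "MOUNTPOINT") == "/") root = k
    }
    END {
      if (root == "") exit 2
      # Walk from the device mounted at / up through its parent devices.
      for (d = root; d != "" && hops < 32; d = parent[d]) {
        if (fstype[d] == "crypto_LUKS") exit 0
        hops++
      }
      exit 1
    }'
}

# Reads `fdesetup status` output on stdin; succeeds only when FileVault reports On.
filevault_on() { grep -q '^FileVault is On'; }

# Constructed sample: LVM on LUKS, root filesystem inside the encrypted container.
SAMPLE_ENCRYPTED_ROOT='KNAME="nvme0n1p2" PKNAME="nvme0n1" FSTYPE="ext4" MOUNTPOINT="/boot"
KNAME="nvme0n1p3" PKNAME="nvme0n1" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p3" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" FSTYPE="ext4" MOUNTPOINT="/"'

# Constructed sample: only a data disk is LUKS, so grep finds "luks" but / is plaintext.
SAMPLE_DATA_ONLY='KNAME="sda1" PKNAME="sda" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="sdb1" PKNAME="sdb" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sdb1" FSTYPE="ext4" MOUNTPOINT="/data"'

# Demo run over both constructed samples.
for s in "$SAMPLE_ENCRYPTED_ROOT" "$SAMPLE_DATA_ONLY"; do
  if printf '%s\n' "$s" | root_on_luks; then echo "root: encrypted"; else echo "root: NOT encrypted"; fi
done
```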
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OS-002 |
| Domain | OS |
| Severity | High |
| Status | Expanded (Plugin only) |
| Data source | fdesetup status (macOS) / lsblk -f (Linux) |
| Mode | Mode 2 (System-level; requires plugin expanded mode) |
| Introduced in | Library v0.2.0 |
False positive notes
Cloud VPS instances (AWS EC2, DigitalOcean, etc.) with encrypted EBS volumes may not show LUKS encryption, because the encryption is handled at the infrastructure layer, below the OS. If your VPS provider encrypts volumes at rest, exclude this control with a note.
Suppress this finding
clawvitals exclude NC-OS-002 reason "AWS EBS volume encrypted at rest by provider"