Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
When to Use
Use this skill when:
- Encrypting Windows endpoints to protect data at rest for compliance (PCI DSS, HIPAA, GDPR)
- Deploying BitLocker across enterprise fleet via Intune, SCCM, or GPO
- Configuring TPM-based encryption with PIN or USB startup key for enhanced security
- Managing BitLocker recovery keys in Active Directory or Azure AD
Do not use this skill for Linux disk encryption (use LUKS/dm-crypt) or macOS (use FileVault).
Prerequisites
- Windows 10/11 Pro, Enterprise, or Education edition
- TPM 2.0 chip (recommended; TPM 1.2 supported with limitations)
- UEFI firmware with Secure Boot enabled (recommended)
- Separate system partition (200 MB minimum, created automatically by Windows installer)
- Active Directory or Azure AD for recovery key escrow
Workflow
Step 1: Verify TPM and System Requirements
# Check TPM status
Get-Tpm
# ManufacturerId, ManufacturerVersion, TpmPresent, TpmReady, TpmEnabled
# Check TPM version (2.0 required for best compatibility)
(Get-WmiObject -Namespace "root\cimv2\security\microsofttpm" -Class Win32_Tpm).SpecVersion
# Check UEFI/Secure Boot
Confirm-SecureBootUEFI
# Returns True if Secure Boot is enabled
# Check BitLocker readiness
$vol = Get-BitLockerVolume -MountPoint "C:"
$vol.VolumeStatus # Should be "FullyDecrypted"
$vol.ProtectionStatus # Should be "Off"Step 2: Configure BitLocker GPO Settings
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption
Operating System Drives:
- Require additional authentication at startup: Enabled
- Allow BitLocker without compatible TPM: Disabled (enforce TPM)
- Configure TPM startup: Allow TPM
- Configure TPM startup PIN: Allow startup PIN with TPM
- Configure TPM startup key: Allow startup key with TPM
- Choose how BitLocker-protected OS drives can be recovered: Enabled
- Allow data recovery agent: True
- Configure storage of recovery information to AD DS: Enabled
- Save recovery info to AD DS for OS drives: Store recovery passwords and key packages
- Do not enable BitLocker until recovery information is stored: Enabled
- Choose drive encryption method and cipher strength:
- OS drives: XTS-AES 256-bit (Windows 10 1511+)
- Fixed drives: XTS-AES 256-bit
- Removable drives: AES-CBC 256-bit (for cross-platform compatibility)
Fixed Data Drives:
- Choose how BitLocker-protected fixed drives can be recovered: Enabled
- Store recovery passwords in AD DS: Enabled
Removable Data Drives:
- Control use of BitLocker on removable drives: Enabled
- Configure use of passwords for removable drives: Require complexityStep 3: Enable BitLocker - Command Line
# Enable BitLocker with TPM-only protector (transparent to user)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
-TpmProtector -SkipHardwareTest
# Enable BitLocker with TPM + PIN (recommended for laptops)
$pin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
-TpmAndPinProtector -Pin $pin
# Add recovery password protector
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# Backup recovery key to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" `
-KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[1].KeyProtectorId
# Encrypt fixed data drives
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 `
-RecoveryPasswordProtector -AutoUnlockEnabledStep 4: Deploy via Intune (Enterprise)
Intune → Endpoint Security → Disk encryption → Create Profile
Platform: Windows 10 and later
Profile: BitLocker
Settings:
BitLocker base settings:
- Encryption for operating system drives: Require
- Encryption for fixed data drives: Require
- Encryption for removable data drives: Require
Operating system drive settings:
- Additional authentication at startup: Require
- TPM startup: Allowed
- TPM startup PIN: Required (for high-security endpoints)
- Encryption method: XTS-AES 256-bit
- Recovery: Escrow to Azure AD
Fixed drive settings:
- Encryption method: XTS-AES 256-bit
- Recovery: Escrow to Azure AD
Assign to: All managed Windows devices (or specific groups)Step 5: Manage Recovery Keys
# View recovery key on local system
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"} |
Select-Object KeyProtectorId, RecoveryPassword
# Retrieve recovery key from Active Directory (requires RSAT)
Get-ADObject -Filter {objectClass -eq "msFVE-RecoveryInformation"} `
-SearchBase "CN=COMPUTER01,OU=Workstations,DC=corp,DC=example,DC=com" `
-Properties msFVE-RecoveryPassword |
Select-Object -ExpandProperty msFVE-RecoveryPassword
# Retrieve recovery key from Azure AD
# Azure Portal → Azure AD → Devices → [device] → BitLocker keys
# Or via Microsoft Graph API:
# GET /devices/{id}/bitlockerRecoveryKeysStep 6: Monitor Encryption Status
# Check encryption status across fleet
manage-bde -status C:
# Expected output for encrypted drive:
# Conversion Status: Fully Encrypted
# Percentage Encrypted: 100.0%
# Encryption Method: XTS-AES 256
# Protection Status: Protection On
# Key Protectors: TPM, Numerical Password
# PowerShell compliance check
$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq "On" -and $vol.VolumeStatus -eq "FullyEncrypted") {
Write-Host "COMPLIANT: BitLocker enabled and fully encrypted"
} else {
Write-Host "NON-COMPLIANT: BitLocker status - Protection: $($vol.ProtectionStatus), Volume: $($vol.VolumeStatus)"
}Key Concepts
| Term | Definition |
|---|---|
| TPM (Trusted Platform Module) | Hardware security chip that stores BitLocker encryption keys and provides measured boot integrity |
| XTS-AES 256 | Encryption cipher used by BitLocker; XTS mode provides better protection for disk encryption than CBC |
| Recovery Key | 48-digit numerical password used to unlock BitLocker-encrypted drive when TPM authentication fails |
| Key Protector | Method used to unlock BitLocker (TPM, TPM+PIN, recovery password, startup key, smart card) |
| Used Space Only Encryption | Encrypts only sectors containing data; faster initial encryption but may leave remnant data in free space |
| Full Disk Encryption | Encrypts entire volume including free space; slower but more secure for drives that previously contained data |
Tools & Systems
- BitLocker (built-in): Windows full disk encryption feature
- manage-bde.exe: Command-line BitLocker management tool
- BitLocker Recovery Password Viewer: RSAT tool for viewing recovery keys in Active Directory
- MBAM (Microsoft BitLocker Administration and Monitoring): Enterprise BitLocker management (legacy, replaced by Intune)
- Microsoft Intune: Cloud-based BitLocker policy deployment and recovery key management
Common Pitfalls
- Not escrowing recovery keys before encryption: If recovery keys are not saved to AD/Azure AD before encryption, they may be permanently lost if the TPM fails.
- Using TPM-only without PIN: TPM-only mode is transparent but vulnerable to cold boot attacks and evil maid attacks. Add a startup PIN for laptops leaving the office.
- Encrypting used space only on repurposed drives: If a drive previously contained sensitive data, "used space only" encryption leaves deleted data unencrypted in free space. Use full disk encryption for repurposed drives.
- Forgetting removable drives: USB drives and external disks are common data loss vectors. Enforce BitLocker To Go for removable media.
- No pre-provisioning for SCCM deployments: Pre-provision BitLocker during OSD task sequence to encrypt before OS deployment, avoiding the lengthy post-deployment encryption process.
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.6 KB
API Reference: Implementing Disk Encryption with BitLocker
manage-bde CLI
# Check status
manage-bde -status C:
# Enable BitLocker with TPM
manage-bde -on C: -RecoveryPassword -EncryptionMethod AES256
# Backup recovery key to AD
manage-bde -protectors -adbackup C: -ID {protector-id}
# Lock/unlock
manage-bde -lock D:
manage-bde -unlock D: -RecoveryPassword 123456-...PowerShell BitLocker Cmdlets
# Get BitLocker volume
Get-BitLockerVolume -MountPoint "C:"
# Enable with TPM + PIN
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 `
-TpmAndPinProtector -Pin (ConvertTo-SecureString "1234" -AsPlainText -Force)
# Add recovery password
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# Backup to AD
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $idCompliance Checks
| Check | Severity | Requirement |
|---|---|---|
| BitLocker enabled | CRITICAL | All OS drives |
| AES-256 encryption | MEDIUM | FIPS/enterprise |
| TPM protector | HIGH | Hardware-backed |
| Recovery key escrowed | HIGH | AD DS or Azure AD |
| Full disk encrypted | MEDIUM | Not used-space only |
Microsoft Graph API (Intune)
import requests
headers = {"Authorization": "Bearer <token>"}
resp = requests.get(
"https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
"?$select=deviceName,isEncrypted",
headers=headers)References
standards.md1.8 KB
Standards & References - Implementing Disk Encryption with BitLocker
Primary Standards
NIST SP 800-111 - Guide to Storage Encryption Technologies
- Publisher: NIST
- URL: https://csrc.nist.gov/publications/detail/sp/800-111/final
- Scope: Guidance on planning, implementing, and maintaining storage encryption solutions
FIPS 140-2/3 - Security Requirements for Cryptographic Modules
- Publisher: NIST
- Relevance: BitLocker uses FIPS 140-2 validated cryptographic modules when configured in FIPS-compliant mode
Compliance Mappings
| Framework | Requirement | BitLocker Coverage |
|---|---|---|
| PCI DSS 4.0 | 3.5.1 - Render PAN unreadable in storage | BitLocker full disk encryption |
| HIPAA | 164.312(a)(2)(iv) - Encryption/decryption | BitLocker protects ePHI at rest |
| GDPR | Article 32(1)(a) - Encryption of personal data | BitLocker for data-at-rest protection |
| NIST 800-53 | SC-28 Protection of Information at Rest | BitLocker encryption |
| NIST 800-171 | 3.13.16 - Confidentiality of CUI at rest | BitLocker on CUI systems |
| ISO 27001 | A.10.1.1 - Cryptographic controls policy | BitLocker implementation |
Microsoft References
- BitLocker Overview: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/
- BitLocker Group Policy Reference: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings
- BitLocker Recovery Guide: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan
- TPM Recommendations: https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-recommendations
workflows.md1.9 KB
Workflows - Implementing Disk Encryption with BitLocker
Workflow 1: Enterprise BitLocker Deployment
[Pre-deployment assessment]
│
├── Verify TPM 2.0 across fleet
├── Confirm UEFI/Secure Boot
├── Plan recovery key escrow (AD DS or Azure AD)
│
▼
[Configure GPO/Intune policy]
│
├── Set encryption method (XTS-AES 256)
├── Configure key protectors (TPM + PIN for laptops, TPM for desktops)
├── Enable recovery key escrow
│
▼
[Pilot deployment (test group)]
│
├── Verify encryption completes without errors
├── Test recovery key retrieval
├── Verify no boot issues
│
▼
[Production rollout (phased)]
│
▼
[Monitor encryption status via Intune/SCCM reports]
│
▼
[Verify 100% coverage, address failures]Workflow 2: BitLocker Recovery Process
[User locked out (BitLocker recovery screen)]
│
▼
[User provides Recovery Key ID to helpdesk]
│
▼
[Helpdesk retrieves recovery key]
│
├── AD DS: RSAT BitLocker Recovery Password Viewer
├── Azure AD: Azure Portal → Devices → BitLocker keys
├── Intune: Intune Portal → Devices → Recovery keys
│
▼
[User enters 48-digit recovery key]
│
▼
[Investigate why recovery was triggered]
│
├── BIOS/firmware update ──► [Expected, no action]
├── TPM failure ──► [Replace TPM or re-encrypt]
├── Boot configuration change ──► [Review change, re-seal TPM]
└── Potential tampering ──► [Security investigation]Workflow 3: Key Rotation
[Quarterly key rotation policy]
│
▼
[Generate new recovery password]
│
▼
[Backup new key to AD/Azure AD]
│
▼
[Remove old recovery password protector]
│
▼
[Verify new key works in test recovery]Scripts 2
agent.py6.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for auditing and managing BitLocker disk encryption across endpoints."""
import json
import argparse
import subprocess
from datetime import datetime
def get_bitlocker_status():
"""Get BitLocker status on local machine via manage-bde."""
try:
result = subprocess.run(
["manage-bde", "-status"], capture_output=True, text=True, timeout=30)
volumes = []
current = {}
for line in result.stdout.splitlines():
line = line.strip()
if line.startswith("Volume"):
if current:
volumes.append(current)
current = {"volume": line}
elif ":" in line:
key, _, value = line.partition(":")
current[key.strip()] = value.strip()
if current:
volumes.append(current)
return volumes
except (subprocess.TimeoutExpired, FileNotFoundError):
return []
def parse_bitlocker_report(report_path):
"""Parse BitLocker compliance report (CSV or JSON)."""
entries = []
if report_path.endswith(".json"):
with open(report_path) as f:
entries = json.load(f)
else:
import csv
with open(report_path, newline="", encoding="utf-8-sig") as f:
entries = list(csv.DictReader(f))
return entries
def audit_bitlocker_compliance(devices):
"""Audit BitLocker compliance across fleet."""
findings = []
for device in devices:
hostname = device.get("hostname", device.get("ComputerName", ""))
protection = device.get("protection_status", device.get("ProtectionStatus", ""))
encryption = device.get("encryption_method", device.get("EncryptionMethod", ""))
key_protector = device.get("key_protector", device.get("KeyProtector", ""))
recovery_key = device.get("recovery_key_escrowed",
device.get("RecoveryKeyEscrowed", ""))
if "off" in str(protection).lower() or protection == "0":
findings.append({
"hostname": hostname, "issue": "bitlocker_disabled",
"severity": "CRITICAL",
})
if encryption and "aes" not in str(encryption).lower():
findings.append({
"hostname": hostname, "issue": "weak_encryption_method",
"value": encryption, "severity": "HIGH",
})
if "128" in str(encryption):
findings.append({
"hostname": hostname, "issue": "aes_128_not_256",
"severity": "MEDIUM",
"recommendation": "Upgrade to AES-256",
})
if not key_protector or "tpm" not in str(key_protector).lower():
findings.append({
"hostname": hostname, "issue": "no_tpm_protector",
"severity": "HIGH",
})
if str(recovery_key).lower() in ("no", "false", "0", ""):
findings.append({
"hostname": hostname, "issue": "recovery_key_not_escrowed",
"severity": "HIGH",
"recommendation": "Escrow recovery key to Active Directory",
})
return findings
def generate_gpo_recommendations():
"""Generate Group Policy recommendations for BitLocker."""
return {
"Computer Configuration": {
"path": "Administrative Templates > Windows Components > BitLocker Drive Encryption",
"settings": [
{"name": "Choose drive encryption method (OS)",
"value": "AES-256", "policy": "Enabled"},
{"name": "Require additional authentication at startup",
"value": "Allow BitLocker without compatible TPM: Disabled",
"policy": "Enabled"},
{"name": "Choose how BitLocker-protected OS drives can be recovered",
"value": "Save to AD DS, Do not enable until stored",
"policy": "Enabled"},
{"name": "Enforce drive encryption type on OS drives",
"value": "Full encryption", "policy": "Enabled"},
],
},
}
def calculate_compliance_metrics(devices, findings):
"""Calculate fleet encryption compliance metrics."""
total = len(devices)
encrypted = total - sum(1 for f in findings if f["issue"] == "bitlocker_disabled")
strong_enc = encrypted - sum(1 for f in findings if f["issue"] in
("weak_encryption_method", "aes_128_not_256"))
escrowed = total - sum(1 for f in findings if f["issue"] == "recovery_key_not_escrowed")
return {
"total_devices": total,
"encrypted": encrypted,
"encryption_rate": round(encrypted / total * 100, 1) if total else 0,
"strong_encryption": strong_enc,
"recovery_keys_escrowed": escrowed,
"escrow_rate": round(escrowed / total * 100, 1) if total else 0,
}
def main():
parser = argparse.ArgumentParser(description="BitLocker Disk Encryption Agent")
parser.add_argument("--report", help="BitLocker report CSV/JSON")
parser.add_argument("--local", action="store_true", help="Check local machine")
parser.add_argument("--output", default="bitlocker_audit_report.json")
parser.add_argument("--action", choices=["audit", "local", "gpo", "full"], default="full")
args = parser.parse_args()
report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}
if args.action in ("local", "full") and args.local:
status = get_bitlocker_status()
report["findings"]["local_status"] = status
print(f"[+] Local volumes: {len(status)}")
if args.action in ("audit", "full") and args.report:
devices = parse_bitlocker_report(args.report)
findings = audit_bitlocker_compliance(devices)
metrics = calculate_compliance_metrics(devices, findings)
report["findings"]["compliance_audit"] = findings
report["findings"]["metrics"] = metrics
print(f"[+] Devices: {metrics['total_devices']}, Encrypted: {metrics['encryption_rate']}%")
if args.action in ("gpo", "full"):
gpo = generate_gpo_recommendations()
report["findings"]["gpo_recommendations"] = gpo
print("[+] GPO recommendations generated")
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
process.py6.2 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
BitLocker Compliance Checker
Checks BitLocker encryption status across endpoints and generates
compliance reports for audit purposes.
"""
import json
import subprocess
import sys
import os
import csv
from datetime import datetime
def check_bitlocker_status() -> dict:
"""Check BitLocker status on local Windows endpoint."""
ps_cmd = """
$volumes = Get-BitLockerVolume
$results = @()
foreach ($vol in $volumes) {
$protectors = @()
foreach ($kp in $vol.KeyProtector) {
$protectors += @{
Type = $kp.KeyProtectorType.ToString()
Id = $kp.KeyProtectorId
}
}
$results += @{
MountPoint = $vol.MountPoint
VolumeStatus = $vol.VolumeStatus.ToString()
ProtectionStatus = $vol.ProtectionStatus.ToString()
EncryptionMethod = $vol.EncryptionMethod.ToString()
EncryptionPercentage = $vol.EncryptionPercentage
VolumeType = $vol.VolumeType.ToString()
KeyProtectors = $protectors
AutoUnlockEnabled = $vol.AutoUnlockEnabled
AutoUnlockKeyStored = $vol.AutoUnlockKeyStored
}
}
$tpm = Get-Tpm
@{
Hostname = $env:COMPUTERNAME
Volumes = $results
TPM = @{
Present = $tpm.TpmPresent
Ready = $tpm.TpmReady
Enabled = $tpm.TpmEnabled
Activated = $tpm.TpmActivated
}
} | ConvertTo-Json -Depth 4
"""
try:
result = subprocess.run(
["powershell", "-NoProfile", "-Command", ps_cmd],
capture_output=True, text=True, timeout=30,
)
if result.returncode == 0 and result.stdout.strip():
return json.loads(result.stdout)
return {"error": result.stderr or "Failed to check BitLocker status"}
except FileNotFoundError:
return {"error": "PowerShell not available (requires Windows)"}
except subprocess.TimeoutExpired:
return {"error": "Command timed out"}
except json.JSONDecodeError as e:
return {"error": f"Parse error: {e}"}
def assess_compliance(status: dict) -> dict:
"""Assess BitLocker compliance against security baseline."""
findings = {
"hostname": status.get("Hostname", "unknown"),
"overall_compliant": True,
"tpm_status": "compliant",
"volume_findings": [],
}
tpm = status.get("TPM", {})
if not tpm.get("Present") or not tpm.get("Ready"):
findings["tpm_status"] = "non-compliant"
findings["overall_compliant"] = False
for vol in status.get("Volumes", []):
vol_finding = {
"mount_point": vol["MountPoint"],
"compliant": True,
"issues": [],
}
if vol["VolumeStatus"] != "FullyEncrypted":
vol_finding["compliant"] = False
vol_finding["issues"].append(f"Not fully encrypted: {vol['VolumeStatus']}")
if vol["ProtectionStatus"] != "On":
vol_finding["compliant"] = False
vol_finding["issues"].append(f"Protection not enabled: {vol['ProtectionStatus']}")
if vol["EncryptionMethod"] not in ("XtsAes256", "XtsAes128"):
vol_finding["issues"].append(f"Weak encryption method: {vol['EncryptionMethod']}")
protector_types = [kp["Type"] for kp in vol.get("KeyProtectors", [])]
has_recovery = "RecoveryPassword" in protector_types or "NumericalPassword" in protector_types
if not has_recovery:
vol_finding["compliant"] = False
vol_finding["issues"].append("No recovery password protector configured")
has_tpm = any(t in protector_types for t in ["Tpm", "TpmPin", "TpmPinStartupKey"])
if vol["VolumeType"] == "OperatingSystem" and not has_tpm:
vol_finding["compliant"] = False
vol_finding["issues"].append("OS volume missing TPM protector")
if not vol_finding["compliant"]:
findings["overall_compliant"] = False
findings["volume_findings"].append(vol_finding)
return findings
def generate_report(status: dict, compliance: dict, output_path: str) -> None:
"""Generate BitLocker compliance report."""
report = {
"report_generated": datetime.utcnow().isoformat() + "Z",
"hostname": status.get("Hostname", "unknown"),
"overall_compliance": "COMPLIANT" if compliance["overall_compliant"] else "NON-COMPLIANT",
"tpm_status": compliance["tpm_status"],
"tpm_details": status.get("TPM", {}),
"volumes": [],
}
for vol, finding in zip(status.get("Volumes", []), compliance["volume_findings"]):
report["volumes"].append({
"mount_point": vol["MountPoint"],
"status": vol["VolumeStatus"],
"protection": vol["ProtectionStatus"],
"encryption_method": vol["EncryptionMethod"],
"encryption_percent": vol["EncryptionPercentage"],
"key_protectors": [kp["Type"] for kp in vol.get("KeyProtectors", [])],
"compliant": finding["compliant"],
"issues": finding["issues"],
})
with open(output_path, "w", encoding="utf-8") as f:
json.dump(report, f, indent=2)
if __name__ == "__main__":
output_dir = sys.argv[1] if len(sys.argv) > 1 else "."
print("Checking BitLocker status...")
status = check_bitlocker_status()
if "error" in status:
print(f"Error: {status['error']}")
print("This tool requires Windows with BitLocker support.")
sys.exit(1)
print("Assessing compliance...")
compliance = assess_compliance(status)
report_path = os.path.join(output_dir, "bitlocker_compliance.json")
generate_report(status, compliance, report_path)
print(f"Compliance report: {report_path}")
print(f"\n--- BitLocker Compliance ---")
print(f"Hostname: {compliance['hostname']}")
print(f"Overall: {'COMPLIANT' if compliance['overall_compliant'] else 'NON-COMPLIANT'}")
print(f"TPM: {compliance['tpm_status']}")
for vf in compliance["volume_findings"]:
status_icon = "PASS" if vf["compliant"] else "FAIL"
print(f"\n [{status_icon}] {vf['mount_point']}")
for issue in vf["issues"]:
print(f" - {issue}")
Assets 1
template.mdtext/markdown · 1.2 KBKeep exploring