Currently here:
https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/edec0b247f770dd13912fd11293e02bf5981891a/packages/os/ephemeral-storage.rules#L10
and in a couple of other rules, there is a whitelist of device prefixes that does not include sd* devices. I was hoping to rely on BOTTLEROCKET_DEVICE_TYPE to trigger automatic encryption using udev rules, but since sd* is not included by default, I have now added my own rule that also tags them using ghostdog.
Would you want to upstream this as part of the core ruleset?