AGX Orin Boot Drive LUKS Encryption

I am using a 64GB AGX Orin with a Connecttech carrier board, Jetpack 5.1.3, and Jetson Linux 35.5. I have been following the encryption documentation at Disk Encryption — NVIDIA Jetson Linux Developer Guide documentation. I am able to flash eMMC, flash eMMC encrypted with LUKS, and flash an NVMe drive to boot from, but I haven’t been able to flash a bootable NVMe encrypted with LUKS.

My application requires that the boot drive with the root file system be encrypted with LUKS, and only unencrypted on boot when a password is entered, to meet Data at Rest requirements. The current status of the eMMC with LUKS is that it’s encrypted, but it automatically unlocks on boot, which has no value to me. I would also like to use a USB drive to act as a key to unencrypt on boot and allow headless operation.

For a LUKS NVMe boot configuration, I’ve gone through the initrd encrypted rootfs process several times, tweaking options based on the Disk Encryption documentation and the readme files associated with all the scripts that were run. I was hoping that since a passphrase is specified it would meet my needs. So far I can get to the point where initrd runs, claims everything was flashed successfully, etc., but I only get a blank screen upon booting from the NVMe.

  1. Is there a path to meet my needs of a LUKS encrypted rootfs that requires a password to unlock? Other encryption methods like Sedutils/PBA might be acceptable, but there is little information aside from what’s provided by NVIDIA.

  2. If there is a combination of what’s in the documentation that would give me the results I want, could you specify the key steps and flags in the flash commands to make it happen?

Thanks,
Tom

Hi tom1992,

Do you mean that you can enable disk-encryption for NVMe and flash successfully, but you have the boot issue?

If so, please share the full serial console log for further check.

It’s hard to say if flashing was really successful if it didn’t boot, but I did get the message on the host PC that flashing was complete/successful/etc. and to reboot the system to boot from the NVMe. That then yielded a black screen, which doesn’t happen if I do things without encryption.

Can you confirm that it’s possible to LUKS encrypt and boot from the NVMe with a user-set password? If so I’ll run through things again and get the log, otherwise there’s no point.

I would also like to check the full flash log in your case if there’s no “flash successful” message showing.

It seems to be an available use case.
Please refer to How to Flash an Encrypted Rootfs to an External Storage Device for details.

There was a flash successful message, sorry if my wording was confusing. It just didn’t boot when I power cycled the board. I’ll run through things Monday and get back to you with the logs - you want the output from the UART, right? And to be clearer about the password thing, I’m looking for a password to decrypt the drive before getting into the OS. I know I can set a password for Ubuntu. So you enter one password to decrypt, then another to sign in.

I want to check the flash log from your host during flash,
and also the serial console log from your target during boot up.

Do you mean the password to log in to the target? Or the key for the disk encryption?

On other non-ARM based systems, Ubuntu has an option to encrypt the boot drive with LUKS. So in that case, upon boot you enter a password to unlock the drive, followed by a password to log in as a user to the OS.

If the implementation for the LUKS NVMe boot drive is only like LUKS on the eMMC (i.e. ‘encrypted’ from an anti-tamper perspective, but boots right up without a decryption password), it has no use to me. I am trying to meet Data at Rest requirements.