I’ve just spent the past few days trying to get a file directory encryption scheme working on the Jetson Nano. While this is trivial on desktop Ubuntu 18.04 (both
Fscrypt set up and work perfectly), attempting this on the Jetson required kernel rebuilding and all kinds of challenging-to-the-new-comer operations! Here are the relevant areas required:
- Jetson HW
- Jetson Setup & Installation
- Linux Kernel
- Linux Kernel Recompilation
- Linux Kernel Security
- EXT4 Filesystem
Sadly, none of these are areas of great familiarity for me, let alone expertise, so this was hard work. First up was
ecryptfs. The kernel needed changing for this, but ultimately there were kernel errors no matter what I did. Then reading that
ecryptfs was no longer maintained, I turned my attention to
fscrypt. Same long procedure and same sad outcome.
Below are the steps to install
fscrypt by the book, and the results taken along the way, including, the ultimate kernel errors on the Jetson Nano.
The Kernel Error is
[ 547.987897] tegra-se 70012000.se: invalid key size
If someone who has some more expertise could say what’s going wrong and ideally help get this working that would be amazing. Failing that some definitive statements about what does and doesn’t work would save the next person some time and let me grieve and move on.
Kernel flags are described in the GitHub project
- For ext4, the kernel must be v4.1 or later, and the kernel configuration must have either CONFIG_FS_ENCRYPTION=y (for kernels v5.1+) or CONFIG_EXT4_ENCRYPTION=y or =m (for older kernels). Also, the filesystem must have the encrypt feature flag enabled; see here for how to enable it.
- selects FS_ENCRYPTION
- selects CRYPTO, CRYPTO_AES, CRYPTO_CBC, CRYPTO_ECB, CRYPTO_XTS, CRYPTO_CTS, CRYPTO_CTR, KEYS
Examining the source, (keyinfo.c) there’s a reference to a new crypto system option - SPECK
Weirdly, SPECK is not an option in later kernels (4.15)
- selects CRYPT_ALGAPI
Interesting configs which may be related
When the above failed (eg.
[ 547.987897] tegra-se 70012000.se: invalid key size), additionally adding
Kconfig Record in the fs/crypt directory
config FS_ENCRYPTION tristate "FS Encryption (Per-file encryption)" select CRYPTO select CRYPTO_AES select CRYPTO_CBC select CRYPTO_ECB select CRYPTO_XTS select CRYPTO_CTS select CRYPTO_CTR select KEYS help Enable encryption of files and directories. This feature is similar to ecryptfs, but it is more memory efficient since it avoids caching the encrypted and decrypted pages in the page cache.
The source reveals no other undeclared dependencies to the causal observer.
Kernel is built, Jetson flashed.
Post Install Kernel Check
This is on the newly flashed Nano
$ zgrep -h ENCRYPTION /proc/config.gz CONFIG_EXT4_ENCRYPTION=y CONFIG_EXT4_FS_ENCRYPTION=y CONFIG_FS_ENCRYPTION=y
$ zgrep -h KEYS /proc/config.gz CONFIG_BIG_KEYS=y CONFIG_ENCRYPTED_KEYS=y
$ zgrep -h SPECK /proc/config.gz CONFIG_CRYPTO_SPECK=y # CONFIG_CRYPTO_SPECK_NEON is not set
First - Pam Setup
Name: keyinit fix Default: yes Priority: 0 Session-Type: Additional Session: optional pam_keyinit.so force revoke
Then, enable the file system for encryption
sudo tune2fs -O encrypt /dev/device
(No errors, No kernel errors)
Grab User Code
$ sudo apt-get install fscrypt libpam-fscrypt
(No errors, no kernel errors)
Set fscrypt up on the partition
$ sudo fscrypt setup
$ fscrypt status filesystems supporting encryption: 1 filesystems with fscrypt metadata: 0 MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT / /dev/mmcblk0p1 ext4 supported No
$ sudo fscrypt setup / Metadata directories created at "/.fscrypt". Filesystem "/" (/dev/mmcblk0p1) ready for use with ext4 encryption.
(No Kernel errors)
fscrypt is now enabled. Status request now reports fscrypt is now fully active.
$ fscrypt status filesystems supporting encryption: 1 filesystems with fscrypt metadata: 1 MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT / /dev/mmcblk0p1 ext4 supported Yes
(Status matches my desktop at the same point in the process)
$ fscrypt status filesystems supporting encryption: 1 filesystems with fscrypt metadata: 1 MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT / /dev/sda2 ext4 supported Yes
Finally, we attempt to create a folder
$ cd Documents $ mkdir secret
$ fscrypt encrypt secret Should we create a new protector? [y/N] y Your data can be protected with one of the following sources: 1 - Your login passphrase (pam_passphrase) 2 - A custom passphrase (custom_passphrase) 3 - A raw 256-bit key (raw_key) Enter the source number for the new protector [2 - custom_passphrase]: secret Enter the source number for the new protector [2 - custom_passphrase]: 2 Enter a name for the new protector: secret Enter custom passphrase for protector "secret": Confirm passphrase: "secret" is now encrypted, unlocked, and ready for use.
(no dmesg errors or warnings)
All is well. It has all gone so smoothly.
$ cat > things secret things $ cp things secret/
cp: cannot create regular file 'secret/things': Required key not available
$ dmesg ... [ 547.982991] tegra-se 70012000.se: invalid key size [ 547.987897] tegra-se 70012000.se: invalid key size [ 547.992849] tegra-se 70012000.se: invalid key size [ 547.997757] tegra-se 70012000.se: invalid key size [ 548.002631] tegra-se 70012000.se: invalid key size
[Edit - for clarity to emphasize that fscrypt is failing in the kernel]
[Edit - to remove some distracting output]