I can see that the script /usr/sbin/gen_luks.sh performs the task as described by the documentation.
But I could not look up where the final step is taken care of:
After device reboots, /dev/mapper/crypt_DATA is created, unlocked, and mounted at /mnt/crypt_DATA.
Could you please describe which SW component is in charge of encrypting the newly referenced partition?
I’m aware that L4T 35.4.1 mentions:
Disk Encryption describes the Jetson Linux implementation of Linux Unified Key Setup (LUKS), the Linux standard for disk encryption. This release does not support this feature.
It would be interesting to know if the handling of /opt/nvidia/cryptluks is already supported (and I could not find it), or work in progress (partial implementation available), or not yet released at all.
You may also see README_initrd_flash.txt for the steps.
For example:
Workflow 10: Disk encryption support on external device
For disk encryption for external device on Jetson Xavier, you can flash the external
device with the below command:
- Run this command from the Linux_for_Tegra folder:
    $ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device <external-device> \
          -c <external-partition-layout> \
          [-p "-i encryption.key" ] --external-only \
          -S <APP-size> jetson-xavier external
Where:
- all the parameters are the same as above.
- <external-partition-layout> is the external storage partition layout containing
APP, APP_ENC and UDA encrypted partition. In this folder, flash_l4t_nvme_rootfs_enc.xml
is provided as an example.
You’ll also need to add the ROOTFS_ENC=1 property to the flash commands,
so that it loads the corresponding flash configuration file to have the APP_ENC partition.
Thanks for your reply. I read it as the described workflow in the documentation is not yet supported, but this is the closest pointer you have to offer in the L4T. Thanks for sharing.
Please do not hesitate to let me know if there is a misunderstanding.