Disk encryption on NVMe and mass flashing Jetson AGX Orin development kit

Hi,

I need to encrypt the user disk on the AGX Orin development kit,

so please guide me on which command to use with a generic key.

*** Please note that this reply is generated by LLM automatically ***

To encrypt the user disk on the Jetson AGX Orin development kit, you need to follow these steps:

1. **Prepare the disk encryption key and `eks_<platform>.img`**: You need to generate a test EKS image using the `example.sh` script in the OP-TEE source package. This script is located in the `optee/samples/hwkey-agent/host/tool/gen_ekb/` directory. You need to update the keys in the script accordingly.

   ```bash
   $ cd optee/samples/hwkey-agent/host/tool/gen_ekb/
   ```

   Take a look at `example.sh`; you need to update all keys accordingly, then run it:

   ```bash
   $ ./example.sh
   ```

   This will generate an `eks_<platform>.img` file, which you need to copy to the `Linux_for_Tegra/bootloader` folder and overwrite the existing `eks_<platform>.img` file.

2. **Set the environment variable `ENC_ROOTFS=1`**: You need to set the environment variable `ENC_ROOTFS=1` in the `flash.sh` command line to generate and flash disk-encryption-enabled rootfs/UDA partition images.

   For example, to enable rootfs disk encryption on the Jetson AGX Orin development kit, you can use the following command:

   ```bash
   $ sudo ./flash.sh -u <pkc_keyfile> -v <sbk_keyfile> jetson-agx-orin-devkit internal ENC_ROOTFS=1
   ```

   Note that you need to replace `<pkc_keyfile>` and `<sbk_keyfile>` with the actual paths to your PKC and SBK key files, respectively.

3. **Use the correct command options**: When using the `flash.sh` command, you need to use the `-u` option to specify the PKC key file and the `-v` option to specify the SBK key file. If you omit the `-v` option, the images flashed to the device will not be encrypted.

   For example, to flash a PKC-fused Jetson AGX Orin target with encryption, you can use the following command:

   ```bash
   $ sudo ./flash.sh -u <pkc_keyfile> -v <sbk_keyfile> jetson-agx-orin-devkit internal ENC_ROOTFS=1
   ```

   To flash an SBKPKC-fused Jetson AGX Orin target with encryption, you can use the following command:

   ```bash
   $ sudo ./flash.sh -u <pkc_keyfile> -v <sbk_keyfile> jetson-agx-orin-devkit internal ENC_ROOTFS=1
   ```

   Note that you need to make sure that the device is connected to the host machine and that the `ENC_ROOTFS=1` environment variable is set correctly.

Comparison with other options:

- If you omit the `-u` option, the images flashed to the device will not be signed.
- If you omit the `-v` option, the images flashed to the device will not be encrypted.
- If you omit the `ENC_ROOTFS=1` environment variable, the rootfs disk will not be encrypted.

Therefore, to encrypt the user disk on the Jetson AGX Orin development kit, you need to use the `flash.sh` command with the `-u` and `-v` options, and set the `ENC_ROOTFS=1` environment variable.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

please see also: [Security][Disk Encryption] Creating Encrypted Images with a Generic Key

Hi Jerry,

Thanks for your input. One more question: for a single device, can we use the generic key approach?

Please share any reference for this.

hello muralikrishnan.t,

FYI, it's the generic-passphrase flag, to check the disk encryption key without checking the ECID (which is unique per device).
You may refer to the above topic to revise --massflash 1 for running with a single device.

Hi, I tried with this command but it is not booting.
Refer to the log below:

```
[ 10.621527] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p15.
[ 10.622718] Kernel panic - not syncing:
[ 10.622721] Attempted to kill init! exitcode=0x00000000
[ 10.622724] CPU: 0 PID: 1 Comm: bash Not tainted 5.15.148-tegra #1
[ 10.622727] Hardware name: NVIDIA NVIDIA Jetson AGX Orin Developer Kit/Jetson, BIOS r36.4.0-5de7ef09-dirty 03/10/2026
[ 10.622729] Call trace:
[ 10.622729] dump_backtrace+0x0/0x1d0
[ 10.622740] show_stack+0x34/0x50
[ 10.622743] dump_stack_lvl+0x68/0x8c
[ 10.622747] dump_stack+0x18/0x3c
[ 10.622748] panic+0xc4/0x398
[ 10.622753] do_exit+0xa04/0xa30
[ 10.622755] do_group_exit+0x44/0xb0
[ 10.622758] __arm64_sys_exit_group+0x2c/0x30
[ 10.622760] invoke_syscall+0x5c/0x150
[ 10.622763] el0_svc_common.constprop.0+0x64/0x120
[ 10.622766] do_el0_svc+0x74/0xb0
[ 10.622768] el0_svc+0x28/0x90
[ 10.622771] el0t_64_sync_handler+0xac/0x130
[ 10.622772] el0t_64_sync+0x1a4/0x1a8
[ 10.645752] hid-generic 0003:413C:2113.0001: input,hidraw0: USB HID v1.11 Keyboard [Dell KB216 Wired Keyboard] on usb-3610000.usb-4.2/input0
```

hello muralikrishnan.t,

It's an error of failing to unlock the encrypted device, which is usually due to a mismatched disk encryption key.
Please see also the developer guide, Tool for EKB Generation; you'll need to run the EKB generation tool with your key files and update the EKS image (eks_t234.img) accordingly.
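The following is an added pre-flight script, not part of any post in this thread and not NVIDIA's tooling. It ties the `flash.sh` procedure from the generated answer above to the key-mismatch diagnosis in this reply: it confirms the PKC/SBK key files exist and that the `eks_t234.img` staged in `Linux_for_Tegra/bootloader` is byte-identical to the one `example.sh` produced, and only then prints the `ENC_ROOTFS=1` flash command for review. The gen_ekb output location and the `eks_t234.img` filename are assumptions.

```bash
#!/usr/bin/env bash
# Added pre-flight check for the ENC_ROOTFS=1 flash procedure in this thread.
# Not NVIDIA tooling; the gen_ekb output path and eks_t234.img name are
# assumptions taken from the posts above.

# Returns 0 when the EKS image staged in Linux_for_Tegra/bootloader is
# byte-identical to the one example.sh generated. A stale copy means the
# device ends up with a different disk-encryption key than the one used to
# build the encrypted rootfs/UDA images, which shows up at boot as
# "ERROR: fail to unlock the encrypted dev".
check_eks_match() {
    local generated="$1" deployed="$2"
    [ -f "$generated" ] && [ -f "$deployed" ] || return 1
    cmp -s "$generated" "$deployed"
}

# Returns 0 when every path given is a readable, non-empty file (PKC/SBK keys).
check_key_files() {
    local f
    for f in "$@"; do
        [ -s "$f" ] && [ -r "$f" ] || return 1
    done
    return 0
}

# Echoes the flash.sh invocation from the thread instead of running it, so the
# exact command can be reviewed and logged before the device is touched.
build_flash_cmd() {
    local pkc="$1" sbk="$2" board="${3:-jetson-agx-orin-devkit}"
    printf 'sudo ./flash.sh -u %s -v %s %s internal ENC_ROOTFS=1\n' \
        "$pkc" "$sbk" "$board"
}

# Runs all checks against a Linux_for_Tegra tree; prints the command on success.
preflight() {
    local l4t="$1" pkc="$2" sbk="$3" board="${4:-jetson-agx-orin-devkit}"
    local gen="$l4t/optee/samples/hwkey-agent/host/tool/gen_ekb/eks_t234.img"  # assumed
    local dep="$l4t/bootloader/eks_t234.img"
    check_key_files "$pkc" "$sbk" || { echo "missing or empty key file" >&2; return 1; }
    check_eks_match "$gen" "$dep" || {
        echo "bootloader/eks_t234.img differs from the generated EKS; copy it again" >&2
        return 1
    }
    build_flash_cmd "$pkc" "$sbk" "$board"
}
```

Run `preflight /path/to/Linux_for_Tegra pkc.pem sbk.key` from the flash host; a non-zero exit with the message on stderr tells you which prerequisite to fix before flashing.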

Hi,

I created a mass flash image and used it for my testing.

I observed the following in the log while flashing. I used the tar file for flashing.

In the tar, this file was not there: "p3768-0000-p3767-0000-a0.conf".
Is this file required in a production environment, or are any changes needed for a custom board?

```
/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/jetson-orin-nx-jemison.conf: line 29: /home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/p3768-0000-p3767-0000-a0.conf: No such file or directory

Entry added by NVIDIA initrd flash tool

/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/tools/kernel_flash/tmp 127.0.0.1(rw,nohide,insecure,no_subtree_check,async,no_root_squash)
rpcbind: another rpcbind is already running. Aborting
Export list for localhost:
/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/tools/kernel_flash/tmp 127.0.0.1
/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/jetson-orin-nx-jemison.conf: line 29: /home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/p3768-0000-p3767-0000-a0.conf: No such file or directory
/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/jetson-orin-nx-jemison.conf: line 29: /home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/p3768-0000-p3767-0000-a0.conf: No such file or directory

Entry added by NVIDIA initrd flash tool

/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/tools/kernel_flash/tmp 127.0.0.1(rw,nohide,insecure,no_subtree_check,async,no_root_squash)
rpcbind: another rpcbind is already running. Aborting
Export list for localhost:
/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/tools/kernel_flash/tmp 127.0.0.1
/home/mxt02/Desktop/verra/top_dir/Linux_for_Tegra/test/mfi_jetson-orin-nx-jemison/tools/kernel_flash/l4t_initrd_flash_internal.sh --network usb0 --usb-instance 3-2 --device-instance 0 --flash-only --external-device nvme0n1p1 -c "./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_ab_enc.xml" --network usb0 jetson-orin-nx-jemison external
Start flashing device: 3-2, rcm instance: 0, PID: 51863
Log will be saved to Linux_for_Tegra/initrdlog/flash_3-2_0_20260403-112210.log
```

hello muralikrishnan.t,

Let's keep this thread for tracking your inquiries about disk encryption.
Did you resolve `ERROR: fail to unlock the encrypted dev /dev/nvme0n1p15.` by updating the EKS image, eks_t234.img?

Issue resolved