Disk encryption on TX2NX

Hello! I need to encrypt my TX2NX eMMC and/or SSD, if that’s possible. Of course I’ve checked Nvidia Docs (generic-no-api_r2), but the encryption part is just too complicated and there’s no step-by-step guide on how to encrypt.

So far I understand that I can generate an encrypted rootfs via the flash.sh script, but it needs some mythical ekb.key:
sudo ROOTFS_ENC=1 ./flash.sh -i "./ekb.key" <board> <rootdev>

So I searched for the EKB key and found Tool for EKB Generation, but there’s nothing about how to get the keys needed for EKB key generation. For example: "<sym_key_file> is the kernel encryption key" - what is that? I don’t even have my kernel encrypted yet - how do I get this?

I just want to know if there’s a tutorial on how to encrypt Jetson TX2NX.

hello therealmatiss,

here’s a see-also topic, Disk Encryption on TX2 - #5 by JerryChang.
you may enable Jetson Security, you’ll need to program the fuse to burn the keys.
please also check this tutorial, Jetson Security and Secure Boot. this video gives an overview of security features for the Jetson product family and explains in detailed steps the secure boot process, fusing, and deployment aspects.

let’s start with internal storage, i.e. eMMC.
you may check the default flash configuration file, flash_l4t_t186_enc_rfs.xml, for reference.
there are APP and APP_ENC partitions: the unencrypted APP partition contains the /boot branch of the root file system, including the kernel, DTB, and initrd images; the encrypted APP_ENC partition contains the rest of the root file system.