Dynamic Nvme Disk encryption

Hello I am trying to setup an nvme drive to be encrypted and decrypted on boot.

I have been following the instructions here: Disk Encryption — Jetson Linux Developer Guide documentation

So far this is what I have done:

  1. Created a partition on the nvme drive using gdisk
sudo gdisk /dev/nvme0n1
> command: o (create new empty GPT partition record)
> proceed: y

It may tell us that there is no current partition table on the disk and that it will create new GPT entries in memory.
This will delete all partitions and create a new protective master boot record (MBR).

Next create the new partition by doing:
command: n
partition number: 1
First sector: (press enter to use default 2048)
Last sector: (press enter to use default remaining space)
hex code (enter to use default of 8300 'Linux Filesystem')

Finally write changes to disk and exit:
command: w (write to disk)
proceed: y

This will overwrite the existing partition and wipe the disk.

We can check if the partition was created properly using lsblk.

The new partition can be seen here:
nvme0n1
|-nvme0n1p1

  2. Encrypting the disk.

sudo /usr/sbin/gen_luks.sh /dev/nvme0n1p1 crypt_ssd

YES to continue

if asked to format the partition to ext4 also say YES
if asked to reboot also say YES

The system rebooted, and the disk name and UUID were written to the file opt/nvidia/cryptluks.

However, the partition was not encrypted as TYPE='crypto_LUKS' when doing blkid.

I was able to encrypt the drive myself using

sudo cryptsetup luksFormat /dev/nvme0n1p1

However, this prompted me for a passphrase that I need to decrypt the drive, which negates the whole point of using gen_luks.

is there something missing in what I am doing?

This post from 2021 suggests that it might not be possible to do this for external drives?

Is this still the case?

Thank you.

hello nkx1,

may I have confirmation,
are you going to have a prompt for passphrase to decrypt your ROOTFS_ENC?
please customize it (a prompt for passphrase) by yourself, since a prompt for passphrase is not supported by default.

Hello Jerry,

Thank you for the reply.

No, my intention was not to set up any kind of passphrase prompt. I wanted the partition to be decrypted automatically on boot by the internal key generation on the Jetson, which is what I assumed gen_luks.sh would allow me to do.

I only demonstrated that I could encrypt the drive as LUKS outside the script to demonstrate that the gen_luks.sh script did not appear to perform this step.

When you say encrypted root_fs, are you talking about encrypting the drive where the OS is stored? If so, this is not really my intention. I really want to make it so that the SSD in the Jetson, which will be used to store data, is encrypted, with the intention that no one can remove it and plug it into another PC to obtain this data.

hello nkx1,

may I also confirm which Jetpack public release version you’re working with?
you may refer to release tag, $ cat /etc/nv_tegra_release for confirmation.

disk encryption creates a new, encrypted APP_ENC partition that contains the rest of the file system.
you'll need to fully flash the target with the ROOTFS_ENC=1 flag to enable that.
please see also Topic 270934 for the steps to enable disk encryption with a custom key.

Hello Jerry,

Here is the Jetpack release version I am working with,

orin-nano:~$ cat /etc/nv_tegra_release
# R36 (release), REVISION: 4.7, GCID: 42132812, BOARD: generic, EABI: aarch64, DATE: Thu Sep 18 22:54:44 UTC 2025

So to understand correctly, in order for me to be able to flash an external drive (NVMe) using gen_luks.sh (with no custom key) I will first have to re-flash the jetson with ROOTFS_ENC=1 enabled?

Would this the likely reason why gen_luks.sh does not appear to encrypt the partition as luks after the reboot?

hello nkx1,

gen_luks.sh is the tool to have disk encryption for a dynamically created partition.
see also the developer guide, Enabling Disk Encryption for Dynamically Created Partitions.
fully flashing the target with the ROOTFS_ENC=1 flag updates the partition layout; it adds the APP_ENC partition which contains the encrypted data.

Hi Jerry,

This problem is not solved.

I am well aware that gen_luks.sh is the tool for encrypting dynamically allocated partitions; my question is asking why this tool is not working for me.

I have now tried on a completely separate device (Orin-NX), re-flashed from scratch, and am still having no luck.

Again, here is my process:

create new partition (100 GB)

lsblk
matoha@orin-nx-2:~$ lsblk
NAME         MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
zram0        252:0    0 978.5M  0 disk [SWAP]
zram1        252:1    0 978.5M  0 disk [SWAP]
zram2        252:2    0 978.5M  0 disk [SWAP]
zram3        252:3    0 978.5M  0 disk [SWAP]
zram4        252:4    0 978.5M  0 disk [SWAP]
zram5        252:5    0 978.5M  0 disk [SWAP]
zram6        252:6    0 978.5M  0 disk [SWAP]
zram7        252:7    0 978.5M  0 disk [SWAP]
nvme0n1      259:0    0   1.8T  0 disk 
├─nvme0n1p1  259:1    0    80G  0 part /
├─nvme0n1p2  259:2    0   128M  0 part 
├─nvme0n1p3  259:3    0   768K  0 part 
├─nvme0n1p4  259:4    0  31.6M  0 part 
├─nvme0n1p5  259:5    0   128M  0 part 
├─nvme0n1p6  259:6    0   768K  0 part 
├─nvme0n1p7  259:7    0  31.6M  0 part 
├─nvme0n1p8  259:8    0    80M  0 part 
├─nvme0n1p9  259:9    0   512K  0 part 
├─nvme0n1p10 259:10   0    64M  0 part /boot/efi
├─nvme0n1p11 259:11   0    80M  0 part 
├─nvme0n1p12 259:12   0   512K  0 part 
├─nvme0n1p13 259:13   0    64M  0 part 
├─nvme0n1p14 259:14   0   400M  0 part 
└─nvme0n1p15 259:15   0 479.5M  0 part

make new partition on nvme0n1

matoha@orin-nx-2:~$ sudo gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.8

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): n
Partition number (16-128, default 16): 
First sector (1248808-3907029134, default = 170822208) or {+-}size{KMGTP}: 
Last sector (170822208-3907029134, default = 3907029134) or {+-}size{KMGTP}: +100G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 
Changed type of partition to 'Linux filesystem'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot or after you
run partprobe(8) or kpartx(8)
The operation has completed successfully.

force re-read of drive:
sudo partprobe /dev/nvme0n1

new partition (16) now shows on lsblk

Encrypt the disk using gen_luks
---
sudo /usr/sbin/gen_luks.sh /dev/nvme0n1p16 crypt_ssd
matoha@orin-nx-2:/usr/sbin$ sudo /usr/sbin/gen_luks.sh /dev/nvme0n1p16 crypt_ssd
All data on /dev/nvme0n1p16 will be wiped out after luks disk is created. Reply YES to continue:
YES

Do you want to format encrypted partition crypt_ssd into ext4? Reply YES or No:
YES

Do you want to reboot the device to create encrypted partition? Reply YES or No:
YES

The device tries to re-boot, but this time I am now facing a different issue than originally (on the Orin Nano).

Basically the Jetson says during the boot process:

Locking aborted. The locking path /run/cryptsetup is unusable (not a directory or missing)
Cannot format device /dev/nvme0np16

see image: https://images2.imgbox.com/2e/7d/OfjFE6k6_o.jpg

Once logged in, I checked and /run/cryptsetup/ does seem to exist, although I can't cd into it; I get permission denied.

Thank you for the help.

please check $ sudo blkid for your newly created nvme0np16 partition.

matoha@orin-nx-2:~$ sudo blkid
[sudo] password for matoha: 
/dev/nvme0n1p9: PARTLABEL="recovery-dtb" PARTUUID="43b06224-7f0e-4d40-85fc-d800a8d05e3c"
/dev/nvme0n1p11: PARTLABEL="recovery_alt" PARTUUID="2bc08046-3a7d-44ee-9d59-f32d1e715c64"
/dev/nvme0n1p7: PARTLABEL="B_reserved_on_user" PARTUUID="22bf8d39-afc8-4f7c-bb60-946d4f91f20c"
/dev/nvme0n1p5: PARTLABEL="B_kernel" PARTUUID="5e691417-98d2-493e-9444-2c6562a24e36"
/dev/nvme0n1p3: PARTLABEL="A_kernel-dtb" PARTUUID="151041f2-d39f-4456-85ef-2c72c58c4b78"
/dev/nvme0n1p16: PARTLABEL="Linux filesystem" PARTUUID="13af79d0-041b-4699-9089-587062036966"
/dev/nvme0n1p1: UUID="18dc7559-7628-469c-965f-eab51cfeca39" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="APP" PARTUUID="ea8f3a7c-84c0-4388-97b6-696db007c5eb"
/dev/nvme0n1p14: PARTLABEL="UDA" PARTUUID="15d31879-b659-47a0-8b58-d87db2a59238"
/dev/nvme0n1p12: PARTLABEL="recovery-dtb_alt" PARTUUID="7a2bd15a-1c56-4531-9e33-525971e59458"
/dev/nvme0n1p8: PARTLABEL="recovery" PARTUUID="67d5ebf0-ee9a-49d1-b9d1-c61d2761d800"
/dev/nvme0n1p10: UUID="957E-F8C7" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="esp" PARTUUID="20978a65-aca6-4769-b84b-c10257cca735"
/dev/nvme0n1p6: PARTLABEL="B_kernel-dtb" PARTUUID="000cf494-9fc6-4754-862e-bd680eaf5b5f"
/dev/nvme0n1p4: PARTLABEL="A_reserved_on_user" PARTUUID="389bf0d8-96dd-453d-b9c3-3d57c0c2f574"
/dev/nvme0n1p2: PARTLABEL="A_kernel" PARTUUID="78ae6e84-0b57-4357-a1b0-9076cf7a6246"
/dev/nvme0n1p15: PARTLABEL="reserved" PARTUUID="771d6621-b946-4b6c-8137-85451252f35e"
/dev/nvme0n1p13: PARTLABEL="esp_alt" PARTUUID="1e6fb529-78b3-4e7e-9387-e30ebda97c1e"
/dev/zram5: UUID="2ff0ff15-caf7-4a93-9489-95adb013acb5" TYPE="swap"
/dev/zram3: UUID="9d032407-1b4e-49c8-99c3-8c8eb10d0b7b" TYPE="swap"
/dev/zram1: UUID="1318222d-d011-4b22-a002-5603d28c0be6" TYPE="swap"
/dev/zram6: UUID="4f1f8a48-ae61-423a-be35-c60c570e3a7a" TYPE="swap"
/dev/zram4: UUID="241c2bb4-b056-4379-ae94-010d187324bd" TYPE="swap"
/dev/zram2: UUID="2a0c63d1-5e18-44f0-a413-38f84d70e414" TYPE="swap"
/dev/zram0: UUID="33b3c64e-b569-432a-bb9c-1416fae68bbf" TYPE="swap"
/dev/zram7: UUID="5593df13-8542-44ca-9703-84c235a0d137" TYPE="swap"

Like last time, the partition has not been encrypted using luks.

Do you know how I can remove the existing boot loop / check?

EDIT: okay, I managed to break out of the loop; I simply had to reset the file

opt/nvidia/cryptluks

I am getting close to reaching breaking point with this method of encryption. I am constantly coming up against walls when trying; am I missing something obvious? Is it not possible to encrypt this drive or something?
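A small checker, added here as an example and not part of the thread or of NVIDIA's tooling, that does by script what the posts above do by eye: it classifies a partition from `sudo blkid` output (no TYPE field on nvme0n1p16 means the partition is still raw, not LUKS, so the SSD would be readable in another machine) and tests the cryptsetup lock-directory precondition named in the boot error. The blkid sample lines are constructed, and `blkid_luks_state` and `cryptsetup_lockdir_ok` are assumed names.

```shell
#!/bin/sh
# Added example, not from the thread or NVIDIA's tooling. Reads `blkid` output on stdin
# and prints one word for the named partition:
#   luks        TYPE="crypto_LUKS": LUKS header present, data at rest is encrypted
#   plain:<fs>  a plain filesystem: readable if the SSD is moved to another machine
#   raw         no TYPE field at all: the state nvme0n1p16 is in after gen_luks.sh above
#   missing     device not listed (table not re-read yet, or a typo such as nvme0np16)
blkid_luks_state() {
    # awk's $1 is the "/dev/...:" prefix, so p1 can never match p16
    line=$(awk -v d="$1:" '$1 == d')
    [ -n "$line" ] || { echo missing; return 0; }
    # ' TYPE="' with a leading space so PARTTYPE="..." is not mistaken for TYPE
    fstype=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
    case "$fstype" in
        "")          echo raw ;;
        crypto_LUKS) echo luks ;;
        *)           echo "plain:$fstype" ;;
    esac
}

# The boot message in the thread complains that /run/cryptsetup is "not a directory or
# missing"; this returns 0 only when the lock path exists and is a directory.
cryptsetup_lockdir_ok() {
    [ -d "${1:-/run/cryptsetup}" ]
}

# Constructed sample in the shape of the thread's `sudo blkid` output (values shortened).
SAMPLE_BLKID='/dev/nvme0n1p16: PARTLABEL="Linux filesystem" PARTUUID="13af79d0-0000"
/dev/nvme0n1p1: UUID="18dc7559-0000" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="APP" PARTUUID="ea8f3a7c-0000"
/dev/nvme0n1p17: UUID="c0ffee00-0000" TYPE="crypto_LUKS" PARTLABEL="crypt_ssd" PARTUUID="deadbeef-0000"'

# Stand-alone demo over the sample. On the Jetson: sudo blkid | blkid_luks_state /dev/nvme0n1p16
for p in /dev/nvme0n1p16 /dev/nvme0n1p1 /dev/nvme0n1p17 /dev/nvme0n1p99; do
    printf '%-16s %s\n' "$p" "$(printf '%s\n' "$SAMPLE_BLKID" | blkid_luks_state "$p")"
done
cryptsetup_lockdir_ok && echo "/run/cryptsetup is a directory" || echo "/run/cryptsetup missing or not a directory"
```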

hello nkx1,

I am not sure what your latest status is,
may I have more details, could you please share the logs for reference?