Encrypted ssd nvme on Jetson Orin NX

Good day everyone!
I’m trying to enable full disk encryption on a Jetson Orin NX with an NVMe SSD connected to the host via USB.
The host is running Ubuntu 22.04 with JetPack 36.4.4.

Without encryption, the image is created, flashed, and boots up normally.
With encryption, it hangs and never reaches the passphrase prompt.

The command used to create the image:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
  --no-flash \
  --external-device nvme0n1p1 \
  -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
  -S 715GiB \
  --external-only \
  --network usb0 \
  jetson-orin-nano-devkit external

The corresponding flashing command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
  --external-device nvme0n1p1 \
  -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
  -S 715GiB \
  --external-only \
  --network usb0 \
  --flash-only \
  jetson-orin-nano-devkit external

Logs are attached.
Any help would be greatly appreciated.

load.log (35.0 KB)

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, I will attempt to provide a comprehensive answer to the question.

The issue you’re facing is that the Jetson Orin NX with an NVMe SSD connected via USB is not booting up with full disk encryption enabled. The command used to create the image and the flashing command are not provided, but I’ll provide general guidance on how to troubleshoot and potentially resolve the issue.

Disk Encryption on Jetson Devices

Jetson devices support disk encryption on internal or external devices, including NVMe SSDs. To enable disk encryption, you need to set ROOTFS_ENC=1 when running the l4t_generate_ota_package.sh script to generate an OTA payload package. You can also specify the key file for disk encryption using the -i option.

Layout of an Encrypted Disk

When disk encryption is enabled, the APP partition is divided into two:

  • The unencrypted APP partition contains the /boot branch of the file system, including the kernel, DTB, and initrd images.
  • A new, encrypted APP_ENC partition contains the rest of the file system.

Troubleshooting Steps

  1. Verify the eks_t234.img file: Make sure that the ${TARGET_BSP}/bootloader/eks_t234.img file contains the same keys as the ones that exist in the EKS partition on the device to be updated. To generate the eks_t234.img file, refer to the Tool for EKB Generation in OP-TEE.
  2. Check the board configuration file: Ensure that the board configuration file (e.g., Linux_for_Tegra/p3737-0000-p3701-0000.conf.common) has the correct settings for disk encryption. Specifically, verify that disk_enc_enable=1 and EMMC_CFG points to the correct partition layout file (e.g., flash_l4t_t234_qspi_sdmmc_enc_rfs.xml).
  3. Verify the partition layout: Check the partition layout file (e.g., flash_l4t_t234_qspi_sdmmc_enc_rfs.xml) to ensure that it correctly defines the APP and APP_ENC partitions.
  4. Check the flashing command: Verify that the flashing command is correct and includes the necessary options for disk encryption.
  5. Check the logs: Analyze the logs to identify any errors or issues that may be causing the boot process to hang.

Comparison with Other Jetson Devices

The process for enabling disk encryption on Jetson Orin NX is similar to other Jetson devices, such as Jetson AGX Orin. However, the specific configuration files and partition layouts may differ depending on the device and its configuration.

Additional Tips

  • Ensure that the NVMe SSD is properly connected and configured on the host system.
  • Verify that the Ubuntu 22.04 host system has the necessary packages and dependencies installed for disk encryption.
  • If you’re using a custom kernel or device tree, ensure that they are correctly configured for disk encryption.

By following these troubleshooting steps and verifying the configuration files and partition layouts, you should be able to identify and resolve the issue preventing the Jetson Orin NX from booting up with full disk encryption enabled.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

Subject: Issue with Jetson Orin NX Encrypted NVMe — No Passphrase Prompt During Boot

Hi everyone,

Sorry if I didn’t explain it clearly before — I’m trying to get the attention of the support specialists. Over the past month, I’ve read a lot on the topic of disk encryption for Jetson:

All the keys have already been generated, the password/key bindings are configured, and the firmware build and flashing process complete successfully. However, the boot process stops without asking for a passphrase.

The SSD partition itself is definitely encrypted — I verified it by connecting the drive directly to the host.

The flashing is performed using the following command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \
  --external-device nvme0n1p1 \
  -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
  -S 715GiB \
  --external-only \
  --network usb0 \
  --flash-only \
  jetson-orin-nano-devkit external

I’m attaching the flashing logs.
I would really appreciate any help or suggestions.

Thanks in advance!

load.log (38.4 KB)

flash_1-7_0_20251030-162229.log (109.4 KB)

hello slobodenuksk,

FYI, we do not support disk encryption with a prompt for a passphrase by default.
Please customize it (a prompt for the passphrase) yourself; please see also Topic 316813.

It failed to unlock the NVMe according to your latest logs:

[   10.319195] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   10.321462] Kernel panic - not syncing:
[   10.321465] Attempted to kill init! exitcode=0x00007f00
[   10.321469] CPU: 4 PID: 1 Comm: bash Not tainted 5.15.148-tegra #1
[   10.321472] Hardware name: NVIDIA NVIDIA Jetson Orin NX Engineering Reference Developer Kit/Jetson, BIOS 36.4.4-gcid-41062509 06/16/2025

This is usually due to a mismatched key within your EKB. Please see also Topic 270934 for the steps to enable disk encryption with a custom key.
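The log excerpt above is the signature worth looking for first in any serial or boot log of a device that hangs before the rootfs comes up. The following is an added example (not part of the thread, not NVIDIA tooling) that scans a boot log for the initrd's "fail to unlock the encrypted dev" error, extracts the device it could not open, and reports whether init was killed afterwards. The sample log is constructed here from the lines quoted in the thread; the function names and the wording of the verdicts are this example's own.

```shell
#!/bin/sh
# Added example: triage a Jetson boot log for a LUKS unlock failure in the initrd.
# Not NVIDIA tooling; function names and messages are this example's own.

# Print the device(s) the initrd failed to unlock, one per line (e.g. /dev/nvme0n1p2).
# Prints nothing if the log does not contain the failure.
unlock_failures() {
    # $1: path to a boot log captured from the serial console
    sed -n 's/.*ERROR: fail to unlock the encrypted dev \([^ .]*\).*/\1/p' "$1"
}

# 0 if the unlock failure was followed by the kernel panic that results from the
# initrd's init process exiting; 1 otherwise.
panicked_after_unlock() {
    log="$1"
    grep -q 'fail to unlock the encrypted dev' "$log" || return 1
    grep -q 'Kernel panic - not syncing' "$log" || return 1
    grep -q 'Attempted to kill init' "$log"
}

# Human-readable verdict. Returns 0 when an unlock failure is present, 1 when not.
triage_log() {
    log="$1"
    devs=$(unlock_failures "$log")
    if [ -z "$devs" ]; then
        echo "no LUKS unlock failure logged in $log"
        return 1
    fi
    for d in $devs; do
        echo "initrd could not unlock $d"
    done
    if panicked_after_unlock "$log"; then
        echo "init was killed after the unlock failure: check that the EKB in eks_t234.img carries the key the partition was encrypted with"
    fi
    return 0
}

# Sample log constructed for this demo from the excerpt quoted in the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
[   10.319195] ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
[   10.321462] Kernel panic - not syncing:
[   10.321465] Attempted to kill init! exitcode=0x00007f00
[   10.321469] CPU: 4 PID: 1 Comm: bash Not tainted 5.15.148-tegra #1
EOF
}

# Demo run against the constructed sample; replace with your own captured log.
demo=$(mktemp)
write_sample_log "$demo"
triage_log "$demo"
rm -f "$demo"
```

Feed it the full serial console capture rather than the flash log: the unlock error is printed by the initrd on the device, so it only appears in the boot output, not in the host-side l4t_initrd_flash.sh log.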

Thank you so much! If I had known this a month ago, it would have saved my hair! :)
I’ll give it a try.

Dear JerryChang,

I’m not very experienced with Linux, and the task of setting up full-disk encryption that suddenly fell on me is almost crushing me under the huge amount of documentation I’ve had to read. Still, I’m doing my best to get full-disk encryption running. I’ve carefully gone through everything you recommended, but I still have a few questions.

In your reply to this topic:
https://forums.developer.nvidia.com/t/failing-with-custom-keys-for-encrypting-nvme-on-jetson-orin-nano/270934/13

you mentioned the following command in step (2):

$ sudo ./flash.sh --no-flash -k A_eks jetson-orin-nano-devkit internal

As I understand it, this command generates an image for QSPI flash — could you please clarify what the A_eks key actually is and what role it plays in the process?

Also, will this same procedure work with JetPack 6.2.1, or are there any differences I should be aware of?

Thank you very much for your time and support!

hello slobodenuksk,

Please see also the OP-TEE documentation; it is the EKB (i.e. Encrypted Key Blob) used for saving keys.
It is eks_t234.img for the Orin series, and it is flashed onto the EKS partition (i.e. A_eks/B_eks).

As you can see from the flashing messages, it is writing the signed/encrypted binary file.
Let me recap as below:
Writing eks_t234_sigheader.img.encrypt (parittion: A_eks) into /dev/mtd0
This file comes from $OUT/Linux_for_Tegra/tools/kernel_flash/images/internal/
You will need to replace this binary file, since you re-created the EKS image with your customized key.

The flow remains the same; you may follow the steps from Topic 270934, which are based on JP-5.
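The two-step workflow in this thread (generate images with --no-flash, then write them with --flash-only) has one trap that both the troubleshooting list earlier in the thread and this reply touch on: the signed/encrypted EKS image under tools/kernel_flash/images/internal/ is produced from bootloader/eks_t234.img at image-generation time, so an EKB regenerated with a custom key after that step is not what gets written to A_eks. The script below is an added example (not part of the thread, not NVIDIA tooling) of a preflight check to run before the --flash-only step: it confirms the layout XML defines both APP and APP_ENC, that bootloader/eks_t234.img is present, and that the signed EKS image is not older than that source. It cannot verify that the keys inside the EKB match the partition; only presence and staleness. The demo tree, the minimal layout XML and the timestamps are constructed here; `-nt` and `touch -t` are assumed to be available in the shell (dash and bash both provide them).

```shell
#!/bin/sh
# Added example: preflight checks on a Linux_for_Tegra tree before flashing with
# ROOTFS_ENC=1. Not NVIDIA tooling; function names are this example's own.

# 0 if the partition layout XML defines both the unencrypted APP partition
# (holding /boot) and the encrypted APP_ENC partition.
layout_has_enc_partitions() {
    grep -q 'name="APP"' "$1" && grep -q 'name="APP_ENC"' "$1"
}

# 0 if the EKB source image is present in the BSP tree.
eks_source_present() {
    [ -f "$1/bootloader/eks_t234.img" ]
}

# 0 if the signed/encrypted EKS image written to A_eks is STALE, i.e. missing or
# older than bootloader/eks_t234.img. A regenerated EKB needs the --no-flash
# image-generation step re-run before --flash-only, or the old blob is flashed.
eks_flash_image_stale() {
    src="$1/bootloader/eks_t234.img"
    img="$1/tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt"
    [ -f "$img" ] || return 0
    [ "$src" -nt "$img" ]
}

# Run all checks; returns 0 only if every check passes.
preflight() {
    bsp="$1"
    layout="$2"
    rc=0
    if layout_has_enc_partitions "$layout"; then
        echo "ok: $layout defines APP and APP_ENC"
    else
        echo "FAIL: $layout does not define both APP and APP_ENC"
        rc=1
    fi
    if eks_source_present "$bsp"; then
        echo "ok: bootloader/eks_t234.img present"
    else
        echo "FAIL: bootloader/eks_t234.img missing"
        rc=1
    fi
    if eks_flash_image_stale "$bsp"; then
        echo "FAIL: eks_t234_sigheader.img.encrypt is older than eks_t234.img; re-run the --no-flash step"
        rc=1
    else
        echo "ok: signed EKS image is newer than eks_t234.img"
    fi
    return $rc
}

# Throwaway BSP tree constructed for the demo: a minimal encrypted layout XML,
# an old signed EKS image and a newer regenerated eks_t234.img (stale case).
make_demo_tree() {
    root="$1"
    mkdir -p "$root/bootloader" "$root/tools/kernel_flash/images/internal"
    cat > "$root/tools/kernel_flash/demo_enc.xml" <<'EOF'
<?xml version="1.0"?>
<partition_layout version="01.00.0000">
  <device type="nvme" instance="0">
    <partition name="APP" type="data"></partition>
    <partition name="APP_ENC" type="data"></partition>
  </device>
</partition_layout>
EOF
    touch -t 202510301600 "$root/tools/kernel_flash/images/internal/eks_t234_sigheader.img.encrypt"
    touch -t 202510310900 "$root/bootloader/eks_t234.img"
}

# Demo: point preflight at the real tree as "preflight /path/Linux_for_Tegra \
#   /path/Linux_for_Tegra/tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml".
demo=$(mktemp -d)
make_demo_tree "$demo"
preflight "$demo" "$demo/tools/kernel_flash/demo_enc.xml" || true
rm -rf "$demo"
```

A passing preflight still leaves the key content unverified: the only authoritative check that the EKB matches the partition is the device booting past the initrd, which is exactly where the log in this thread fails.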
