External Disk Encryption

I am trying NVMe disk encryption with JetPack 5.0.2; it works fine with JetPack 6.4.4.
I am following steps mentioned in :

In the process, when I tried to run this command (after all prerequisite steps):

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \
-c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only -S 16GiB \
cti/orin-agx/forge/base external

After all steps succeed, I see it time out while waiting for the system to reboot.
The steps mentioned for version 5.0.2 are completely different from those for 6.4.4.
I tried eMMC encryption; it works fine with 5.0.2.

What step am I missing?

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, it appears that you are trying to enable disk encryption on a Jetson AGX Orin module using Jetpack 5.0.2, but you are experiencing issues with the process. Specifically, you are trying to run the command to flash the encrypted root file system to an NVMe device, but it times out while waiting for the system to reboot.

Comparing the steps you are following from the documentation for Jetpack 5.0.2 and Jetpack 6.4.4, it seems that the process for enabling disk encryption has changed between the two versions.

To troubleshoot the issue, let’s break down the steps you are following and compare them with the documentation for both Jetpack 5.0.2 and Jetpack 6.4.4:

  1. Board configuration file: Make sure you are using the correct board configuration file for your device. For Jetpack 5.0.2, the file is Linux_for_Tegra/p3737-0000-p3701-0000.conf.common, while for Jetpack 6.4.4, the file is not specified in the provided context.
  2. Disk encryption settings: Verify that you have enabled disk encryption in the board configuration file by setting disk_enc_enable=1 and specifying the partition layout file using EMMC_CFG=flash_l4t_t234_qspi_sdmmc_enc_rfs.xml.
  3. Flash tool command: The command you are running to flash the encrypted root file system to the NVMe device is different between Jetpack 5.0.2 and Jetpack 6.4.4. For Jetpack 5.0.2, the command is:
sudo ./tools/kernel_flash/l4t_initrd_flash.sh external -d /dev/nvme0n1p1 -c tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml -S 16GiB -C t194agx-forge-base external

While for Jetpack 6.4.4, the command is not specified in the provided context.

Based on the provided information, it seems that the issue might be related to the differences in the flash tool command between Jetpack 5.0.2 and Jetpack 6.4.4. To resolve the issue, you can try the following:

  • Verify that you are using the correct flash tool command for Jetpack 5.0.2.
  • Check the documentation for Jetpack 5.0.2 to ensure that you are following the correct steps for enabling disk encryption on an NVMe device.
  • If you are still experiencing issues, try using the emmc encryption method, which you mentioned works fine with Jetpack 5.0.2.

If none of these steps resolve the issue, please provide more information about the error message you are seeing, and I’ll do my best to assist you further.


Is this board config "cti/orin-agx/forge/base" wrong?
It works fine with 6.4.4; it doesn't throw any error.
I am using the AGX Forge platform from Connect Tech.

hello ganga.jaiswal,

May I have more detail? Why are you trying NVMe disk encryption with JetPack 5.0.2/L4T 35.1? It's such an old release version.
Please try with the latest JP-5 (i.e. JetPack 5.1.6/L4T 35.6.4) for confirmation.

Hello Jerry
It’s our old software stack, and now we are trying to encrypt the disk.

hello ganga.jaiswal,

Did you fuse a board (PKC/SBK/OEM_K1, etc.) to enable bootloader secure boot?
If yes, you should re-create the EKS image with your key files.

You may refer to the brief steps below.

  1. Please visit the jetson-linux-r3550 page to access the [Driver Package (BSP) Sources] package.
  2. Please extract the op-tee tarball and enter optee/samples/hwkey-agent/host/tool/gen_ekb
  3. If you have OEM_K1 burned, please modify the script example.sh and replace the test OEM_K1 with your customized key.
  4. The example.sh contains a default UEFI variables authentication key (i.e. auth_t234.key). BTW, it is recommended that users use a randomly generated auth_t234.key.
  5. Execute the script example.sh, and you'll have a new EKS image, eks_t234.img.
  6. Please update the EKS image accordingly, and re-flash the target. You may also see Topic 270934 for steps to update the EKS image.
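
A pre-flight helper for steps 3 and 4 above, as an added example that is not part of the original post or of NVIDIA's tooling: it writes a random hex key file such as auth_t234.key with owner-only permissions and rejects malformed or placeholder-looking key files before example.sh is run. The function names, the 16-byte length and the one-hex-string-per-file format are assumptions; match them to the example.sh shipped in your BSP.

```shell
#!/bin/sh
# Added example (not NVIDIA's tooling). Assumed format: one hex string per file.

# gen_hex_key FILE NBYTES: write NBYTES random bytes as hex, owner-only (0600).
gen_hex_key() {
    if [ -e "$1" ]; then return 1; fi      # never overwrite an existing key
    ( umask 077
      head -c "$2" /dev/urandom | od -An -v -tx1 | tr -d ' \n' > "$1"
      echo >> "$1" )
}

# check_hex_key FILE NBYTES
# returns 0 usable, 1 missing/malformed, 2 placeholder-looking, 3 loose permissions
check_hex_key() {
    [ -f "$1" ] || return 1
    key=$(tr -d '\n' < "$1")
    [ "${#key}" -eq $(( $2 * 2 )) ] || return 1
    case "$key" in *[!0-9a-fA-F]*) return 1 ;; esac
    # Heuristic (assumption): a key made of one repeated digit, such as all
    # zeros, is a leftover test value rather than real key material.
    first=$(printf '%s' "$key" | cut -c1)
    [ -n "$(printf '%s' "$key" | tr -d "$first")" ] || return 2
    # Group and other permission bits must all be clear.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 3
    return 0
}

# Demo in a scratch directory (constructed input, not real key material).
demo=$(mktemp -d)
gen_hex_key "$demo/auth_t234.key" 16 && check_hex_key "$demo/auth_t234.key" 16 \
    && echo "auth_t234.key: ok"
printf '%032d\n' 0 > "$demo/test.key"      # constructed all-zero key
check_hex_key "$demo/test.key" 16 || echo "test.key rejected (code $?)"
rm -rf "$demo"
```

Run the check against every key file example.sh reads, using the length that file is expected to have, and stop if any call returns non-zero.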