Full disk encryption programming procedure

Hi all,
I am enabling full disk encryption on an NVMe drive of a TX2 NX.
I have some questions about the programming phase:

ROOTFS_AB=1 NO_ROOTFS=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash  --showlogs jetson-xavier-nx-devkit-tx2-nx internal
ROOTFS_ENC=1 ROOTFS_AB=1 ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --external-device nvme0n1p1 -S 40GiB --showlogs -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc_ab.xml --external-only --append jetson-xavier-nx-devkit-tx2-nx external
./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --showlogs

My questions are:

  1. Where is the encryption key located?
  2. Is there any case that can support mass programming for an encrypted disk?
  3. It appears the workflow is to generate the encrypted image first, then program the encrypted image. Or does it use the initrd to unlock the encrypted partition, then just copy over the files?

Thanks a lot.

Hi jiangpen,

It seems you have to specify -i ekb.key in your command for the external device.

Please refer to Workflow 6: Initrd Massflash in <Linux_for_Tegra>/tools/kernel_flash/README_initrd_flash.txt

It prepares the image first and then flashes it into the device.