How to Backup & Restore Encrypted SSD on Jetson Orin NX 16 GB

Robotics & Edge Computing Jetson & Embedded Systems Jetson Orin NX
,
1

After enabling disk encryption on the drive and installing all the necessary programs, can I back up that setup to another SSD, or do I have to reinstall everything from scratch on each SSD? If backing up is possible, what is the exact procedure?

Current commands I’m using to enable disk encryption:

sudo BOARDID=3701 BOARDSKU=0000 \
  ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 \
    --showlogs \
    -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \
    --no-flash \
    jetson-orin-nano-devkit-super-maxn-nvme external

sudo BOARDID=3701 BOARDSKU=0000 ROOTFS_ENC=1 \
  ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 \
    --showlogs \
    --external-device nvme0n1p1 \
    -S 50GiB \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    --erase-all \
    --external-only \
    --append \
    -i /home/minhvo/DATA2/15.Secure_boot_Jetson/JetsonOrin/6.2/PKC/sym2_t234.key \
    jetson-orin-nano-devkit-super-maxn-nvme external

Hardware/Software Setup:

  • Board: Jetson Orin NX 16 GB
  • JetPack version: 6.2
  • SSD: 512 GB NVMe
3

hello user34150,

since you’re enabling disk encryption, it has an unique ECID, which means it generates per-device encrypted disk images for disk encryption.
although it’s now able to create encrypted images with a generic key, it’s backup/restore script limitation with ROOTFS_ENC devices.

it must to run flash script (from host machine) to deploy devices with disk encryption for using a generic key.
please see-also.. Topic 333135, Topic 291335.

4

I am working on a deployment process for multiple Jetson Orin devices (Orin NX, JetPack 6.2) and have a question regarding the use of a non-encrypted backup image with disk encryption. My goal is to:

  1. Flash a base JetPack 6 image (non-encrypted) onto a Jetson Orin with an NVMe SSD.
  2. Install necessary software (e.g., TensorRT, OpenCV, CUDA) on this system.
  3. Create a backup image of this non-encrypted system using l4t_backup_restore.sh.
  4. Flash this backup image onto multiple other Jetson Orin devices and enable disk encryption (ROOTFS_ENC=1) during the flashing process.

Based on my discussions and research, I understand that disk encryption generates device-specific images tied to the ECID, which makes restoring encrypted backups to different devices challenging. However, since my backup image is created from a non-encrypted system, I would like to confirm if the following workflow is feasible:

  • Backup Process:
    • Flash a non-encrypted base image: sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 \ -c tools/kernel_flash/flash_l4t_t234_nvme.xml -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" \ --showlogs --network usb0 jetson-orin-nano-devkit-super-maxn internal.
    • Install required software (e.g., sudo apt-get install nvidia-jetpack python3-opencv).
    • Create a backup: sudo ./tools/backup_restore/l4t_backup_restore.sh -e nvme0n1 -b -c jetson-orin-nano-devkit-super-maxn
  • Flash Process:
    • Use a generic key for disk encryption by configuring disk_enc.key and eks_t234.img (as per Topic 291335).
    • Update partition config (flash_t234_qspi_sdmmc_enc_rfs.xml) and board config (p3701.conf.common) to enable encryption.
    • Flash the backup image to other devices with encryption enabled, using either:
      • sudo ROOTFS_ENC=1 ./flash.sh -i “./disk_enc.key” --user_key “./disk_enc.key” jetson-orin-nano-devkit-super-maxn nvme0n1p1, or
      • Massflash: sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --use-backup-image --massflash 5 jetson-orin-nano-devkit-super-maxn internal.

Questions:

  1. Is it feasible to flash a non-encrypted backup image onto multiple Jetson Orin devices and enable disk encryption during the flashing process using a generic key, as described?
  2. Will the installed software (e.g., TensorRT, OpenCV) in the non-encrypted backup image function correctly after enabling disk encryption on the target devices?
  3. Are there any specific configurations or pitfalls (e.g., ECID issues, EKS setup, or partition alignment) I should be aware of to ensure success?
  4. Does flash.sh with ROOTFS_ENC=1 fully support this use case, or should I rely on l4t_initrd_flash.sh for better compatibility with massflash and generic key encryption?
  5. If this approach is not recommended, what is the best practice for deploying a customized image (with pre-installed software) across multiple Jetson Orin devices with disk encryption enabled?

I’ve reviewed Topic 333135 and Topic 291335, which mention limitations with l4t_backup_restore.sh for encrypted images and the possibility of using a generic key with flash scripts. However, I’d appreciate clarification on applying this to a non-encrypted backup image.

5

hello user34150,

you’ll need to re-flash a target for adding a new, encrypted APP_ENC partition which contains the rest of the file system.
the flashing images must contain the APP partition, which contains the /boot branch of the rootfs (unencrypted), and the APP_ENC partition, which contains the rest of the rootfs (encrypted).

7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.