Hi, I need to create an encrypted partition on my system, say /dev/nvme0n1p1. Based on the developer guide, I should use the LUKS/cryptsetup utility. But I am still not clear about the process to set up, mount, and unmount the partition. I also read many posts from the forum; most of them were about secure boot. There’s one thread with exactly this question:
But I don’t see a clear solution. This partition is for storing data only. No need for secure boot. Can anyone provide a command line example for the process? Is the disk UUID the only choice for the passcode? If multiple passcodes can be used for a single encrypted partition, how can I set them?
I use JP4.6/L4T R32.6.1 for the NX.
Thanks for the explanation. Let me clarify a little more about my target:
First, I don’t need to use my own EKB key for now.
Secondly, I only need an encrypted data partition on /dev/nvme0n1p1, size 128GB. The rootfs is on /dev/mmcblk0p1 and does not need to be encrypted. And no secure boot is needed either.
After reading the “tools/kernel_flash/README_initrd_flash.txt” and “flash_l4t_nvme_rootfs_enc.xml”, I have two questions:
The l4t_initrd_flash tool requires “Secureboot package to be present”; how can I check whether the package is installed on my system?
Since I only need one partition on the external device, can I use the following options in the l4t_initrd_flash command to create the encrypted partition on the target? (It is based on Workflow 8 and 9 of the README file):
Since the key is for encrypting the disk, I thought you would change to use your own key.
For your use-case, it looks close to Workflow 10, Example 1. Please take a look and give it a try. Disk encryption is independent of secure boot, so it is not required to enable secure boot altogether. Please check README_initrd_flash.txt and try the commands.
Workflow 10, Example 1 generates both internal and filesystem images. In my case I don’t need to re-flash the internal device. How do I skip that? In addition, I don’t need the whole FS on the external device; only one partition is needed.