How to create an encrypted disk partition for data storage on Xavier NX

Hi, I need to create an encrypted partition on my system, say the /dev/nvme0n1p1. Based on the developer guide, I should use the LUKS/cryptsetup utility. But I am still not clear about the process of setting up, mounting and unmounting the partition. I also read many posts from the forum; most of them were for secure boot. There's one thread with exactly the question:

But I don't see a clear solution. This partition is for storing data only. No need for secure boot. Can anyone provide a command line example for the process? Is the disk UUID the only choice for the passcode? If multiple passcodes can be used for a single encrypted partition, how can I set them?
I use JP4.6/L4T R32.6.1 for the NX.

Thanks.
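For the plain cryptsetup/LUKS route the question asks about (a data-only partition, no secure boot involved), here is an added example script that is not from this thread or from NVIDIA's tooling. It assumes the partition is /dev/nvme0n1p1, the mapper name data_enc and the mount point /mnt/data; with DRY_RUN=1 (the default) it only prints the commands, with DRY_RUN=0 it runs them as root. It also answers the multiple-passcode question: LUKS2 has 32 key slots, and each enrolled passphrase unlocks the same volume key independently.

```shell
# Added example, not from the thread: LUKS2 setup/mount/umount for a data-only
# partition on a Jetson, independent of secure boot and of NVIDIA's EKB key.
# Assumed values (override via environment): DEV, NAME, MNT, DRY_RUN.
DEV="${DEV:-/dev/nvme0n1p1}"
NAME="${NAME:-data_enc}"
MNT="${MNT:-/mnt/data}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One-time: turn the partition into a LUKS2 container (passphrase is prompted),
# open it, create a filesystem on the mapping, and close it again.
luks_setup() {
    run cryptsetup luksFormat --type luks2 "$DEV"
    run cryptsetup open "$DEV" "$NAME"
    run mkfs.ext4 -L data "/dev/mapper/$NAME"
    run cryptsetup close "$NAME"
}

# Enroll an additional passphrase in a free key slot (prompts for an existing
# passphrase first, then for the new one). Repeat for each extra passcode.
luks_add_passphrase() {
    run cryptsetup luksAddKey "$DEV"
}

# Revoke one passphrase by wiping its slot; the other slots keep working.
luks_remove_passphrase() {
    run cryptsetup luksKillSlot "$DEV" "$1"
}

# Daily use: unlock, then mount the cleartext mapping.
luks_mount() {
    run cryptsetup open "$DEV" "$NAME"
    run mkdir -p "$MNT"
    run mount "/dev/mapper/$NAME" "$MNT"
}

# Unmount first, then close the mapping so the volume key leaves the kernel.
luks_umount() {
    run umount "$MNT"
    run cryptsetup close "$NAME"
}

# Inspect the header: shows which key slots are in use and the cipher settings.
luks_status() {
    run cryptsetup luksDump "$DEV"
}
```

Anything the passphrase protects is only as safe as the passphrase itself: keeping it in a plaintext file on the unencrypted eMMC rootfs so the partition mounts automatically gives no protection against someone who pulls the module, which is the gap the NVIDIA EKB-based flow is meant to close.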

Hi,
The details are in the developer guide.

For examples, please check

nvidia/nvidia_sdk/JetPack_4.6.1_Linux_JETSON_XAVIER_NX_TARGETS/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt

You can refer to Workflow 10, Example 4 and give it a try. For Xavier NX emmc, the board name is jetson-xavier-nx-devkit-emmc

If you use your own EKB key, please download source code package and use the script in trusty_src.tbz2:

trusty/app/nvidia-sample/hwkey-agent/CA_sample/tool/gen_ekb/example.sh

and change this to your EKB key:

echo "00000000000000000000000000000000" > sym2.key

And put the key in the commands for generating images (Workflow 10, Example 4 as an example):

$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -p "-i sym2.key" --no-flash jetson-xavier internal

$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -p "-i sym2.key" --no-flash --external-device nvme0n1p1 -S 8GiB -c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml --external-only --append jetson-xavier external

More information is in EKB Generation

@DaneLLL
Thanks for the explanation. Let me clarify a little more about my target:
First, I don't need to use my own EKB key for now.
Secondly, I only need an encrypted data partition on /dev/nvme0n1p1, size 128GB. The rootfs is on /dev/mmcblk0p1 and does not need to be encrypted. And no secure boot is needed either.
After reading "tools/kernel_flash/README_initrd_flash.txt" and "flash_l4t_nvme_rootfs_enc.xml", I have two questions:

  1. The l4t_initrd_flash tool requires the "Secureboot package to be present". How can I check whether the package is installed on my system?
  2. Since I only need one partition on the external device, can I use the following options in the l4t_initrd_flash command to create the encrypted partition on the target? (It is based on Workflow 8 and 9 of the README file.)

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --external-device /dev/nvme0n1p1 \
-c ./tools/kernel_flash/flash_l4t_nvme_rootfs_enc.xml \
-k APP_ENC \
--external-only \
jetson-xavier-nx-devkit-emmc mmcblk0p1

In the XML file, I hard-code the size in the APP_ENC partition:

</partition>
        <partition name="APP_ENC" type="data" encrypted="true">
            <allocation_policy> sequential </allocation_policy>
            <filesystem_type> basic </filesystem_type>
            <size> 137438953472 </size>                                 <!-- 128GB -->
            <file_system_attribute> 0 </file_system_attribute>
            <allocation_attribute> 0x8 </allocation_attribute>
            <percent_reserved> 0 </percent_reserved>
            <align_boundary> 4096 </align_boundary>
            <unique_guid> APP_ENC_UUID </unique_guid>
            <filename> system_root_encrypted.img_ext </filename>
            <description> **Required.** Contains the encrypted root partition("/"). </description>
        </partition>

Thanks a lot. Sorry for the many re-edits, which may generate many useless emails.

Hi,
The key is for encrypting the disk, and I thought you would change to use your own key.

For your use-case, it looks close to Workflow 10, Example 1. Please take a look and give it a try. Disk encryption is independent of secure boot, so it is not required to enable secure boot altogether. Please check README_initrd_flash.txt and try the commands.

Workflow 10, Example 1 generates both the internal and the filesystem image. In my case I don't need to re-flash the internal device. How do I skip that? In addition, I don't need the whole FS on the external device; only one partition is needed.

Hi,
Do you mean the APP partition is flashed to internal storage and the APP_ENC partition is flashed to external storage?

Yes, that is what I intend to do. How can I do it?

Hi,
For this use-case, there is discussion in this topic thread:
Xavier NX External Disk Encryption

Please take a look.

@DaneLLL
The link you provided is for a different situation. They need to boot from external SD; I don't. I decided to take a generic approach as stated in the following link:

https://www.cyberciti.biz/security/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/

But I do have two questions about the flash and the encryption.

  1. What is the difference between flash.sh and tools/kernel_flash/l4t_initrd_flash.sh?
  2. What is the advantage of creating the encrypted partition using tools/kernel_flash/l4t_initrd_flash.sh over using cryptsetup directly?
Thanks.

Hi,
flash.sh has been used since the beginning of the L4T releases. Now more cases are involved and we have a new script to support the new cases. For basic use-cases flash.sh is used.

There are requests from our customers and forum users, so we have developed a solution for this. If a 3rd-party solution is better for your use-case, it should be good to use the 3rd-party solution.

@DaneLLL
Thanks for the explanation. I mark this thread as closed / resolved.
