How to enable and verify if disk encryption is working with Jetson Xavier NX?


I am using Jetpack 5.0.2 and trying to use disk encryption by following documentation stated in the nvidia docs:Disk Encryption — Jetson Linux<br/>Developer Guide 34.1 documentation

  1. echo “00000000000000000000000000000000” > ekb.key
    sudo ROOTFS_ENC=1 ./ -i “./ekb.key” jetson-xavier-nx-devkit-emmc mmcblk0p1
    This step leads to kernel panic while bootup on jetson with below error:
    ERROR : “encrypted dev /dev/mmcblk0p2” is not a LUKS device
    crypt_UDA : command not found

If I use another random key other than “00000000000000000000000000000000” , there is no error, but the jetson could not boot up with a blank screen and curser.

Could anyone please guide me through the steps how the disk encryption can be tested on Jetson Xavier NX ? Am I missing some cruicial steps ?

Best Regards


I am moving this topic from the Networking section to the Jetson forums for proper visibility.

hello adit_bhrgv,

may I know the storage types of your Xavier NX,
are you going to encrypted the content on internal eMMC or external storage?

once the feature had been applied, the APP partition would be separated into two partitions, (1) boot (“/boot”) and (2) root (“/”) partitions.
the boot partition (“APP”) remains in an unencrypted format, so the bootloader can sill load kernel and device tree blob; the root partition (“APP_ENC”) would be encrypted.
you may see-also Tool for EKB Generation session, it’s Encrypted Binary Blob (EKB) file to include the disk encryption key, and you should flash it onto the EKS partition of the device.

hello JerryChang,

I have 2 cases:

  1. Encrypt the contents on internal eMMC (above command: sudo ROOTFS_ENC=1 ./ -i “./ekb.key” jetson-xavier-nx-devkit-emmc mmcblk0p1)
  2. Encrypt the contents of “sda1” external SSD storage where the eMMC contents remains unencrypted.

Best Regards

hello adit_bhrgv,

how you create your Encrypted Binary Blob (EKB) file ?
EKB stores two keys, one is the kernel encryption key, and another one is the LUKS key for disk encryption support.
LUKS disk encryption support with a specific key. you should execute the script file, to generate an image.
also, in the developer guide, [Tool for EKB Generation] that sym2.key is equivalent to ekb.key
for example,

# This is default KEK2 root key for unfused board
echo "00000000000000000000000000000000" > kek2_key

# This is the default initial vector for EKB.
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb

# Generate user-defined symmetric key files
# openssl rand -rand /dev/urandom -hex 16 > sym.key
# openssl rand -rand /dev/urandom -hex 16 > sym2.key
echo "00000000000000000000000000000000" > sym.key
echo "00000000000000000000000000000000" > sym2.key

python3 -kek2_key kek2_key \
        -fv fv_ekb \
        -in_sym_key sym.key \
        -in_sym_key2 sym2.key \
        -out eks.img

LUKS support modules will use the key to generate the per-device unique passphrase.

please refer to Workflow 10 in $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt for the initrd approach for image flashing and disk encryption together.

you might also check discussion threads for reference,
for example,

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.