How to Enable Manual Passphrase Prompt for LUKS Encrypted Rootfs on Jetson Orin Nano

protonpingouin · June 5, 2025, 8:59am

Hi everyone,

I’m working on securing my Jetson Orin Nano by encrypting the root filesystem using LUKS. However, my requirements differ from the standard OP-TEE-based setup, and I would greatly appreciate clarification and official guidance.

🔒 My goal:

I want to encrypt the rootfs with LUKS and require a user to enter a passphrase manually at boot, similar to standard LUKS full-disk encryption on a typical Linux system.
This is important to retain developer flexibility, avoid locking the device with fuses, and allow the Jetson to be reused for other projects or testing purposes.

🚫 I explicitly do not want to use:

Any key burned into fuses

✅ I want:

A manual passphrase prompt at boot time

What I’ve done so far:

I generated the base image using:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 --no-flash --showlogs \
  -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" \
  jetson-orin-nano-devkit internal

Then, I tried preparing a flash with encrypted rootfs using:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash \
  --external-device nvme0n1 \
  -i ./sym2_t234.key \
  -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
  -S 800GiB \
  --external-only --append \
  jetson-orin-nano-devkit external

I attempted flashing using:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --flash-only

Afterward, I tried adding my own passphrase to the LUKS partition with the idea of modifying the initrd to support manual decryption — but it seems the system does not recognize my sym2_t234.key when I try to reuse or override it.

❓My questions:

If modifying the initrd is required, are there any detailed NVIDIA-provided guidelines on how to do this properly?
Is it officially supported to prepare a rootfs encrypted via cryptsetup luksFormat manually and integrate it with l4t_initrd_flash.sh?
The current documentation at Jetson Disk Encryption Guide lacks clarity on the exact procedure for this use case — is there a reference configuration or best practice you can point me to?

Thanks in advance for your help!

JerryChang · June 6, 2025, 2:43am

hello protonpingouin,

unfortunately, we’re not supported with a prompt for passphrase by default.
you may customize it (a prompt for passphrase) by yourself, please see-also Topic 316813 for reference.

system · July 2, 2025, 3:11am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Require password on boot LUKS FDE on nvme ssd Jetson Orin Nano security	4	415	November 24, 2023
Jetson data encryption Jetson Nano security	2	25	January 16, 2025
Root file system encryption on jetson nano board Jetson Nano security	4	728	May 4, 2022
Disk Encryption for AGX Orin with prompt asking for passphrase Jetson AGX Orin security	4	390	February 16, 2024
Encrypted File-system support on Jeston Orin-Nano JP 6.0 Jetson Orin Nano tpm	8	134	December 12, 2024
AGX Orin Boot Drive LUKS Encryption Jetson AGX Orin security	16	341	August 22, 2024
Disk Encryption pass phrase Jetson AGX Orin security	4	84	December 16, 2024
Only creating partition tables without flashing Jetson Orin Nano flash	2	19	July 17, 2025
Disk Encryption on Jetson Orin Nano Without Secure Boot or UEFI Secure Boot Jetson Orin Nano security	6	261	July 31, 2024
Flashing Disk Encryption on Jetson Orin Nano Dev-Kit Not Working Jetson Orin Nano reflash , security	8	517	April 25, 2024