Hi there! I’m trying to create an encrypted partition on a uSD flash card with the Xavier NX Developer Kit. I would like to ensure that the partition I’m formatting is using the HW accelerated crypto provided by the platform to ensure minimal overhead.
After diving into the platform’s encryption docs, I was able to extract that AES-CBC with ESSIV is the algorithm of choice. The docs also showed the exact cipher flag (aes-cbc-essiv:sha256) and key size (128) to pass into cryptsetup. I attempted formatting an already created partition a couple of ways using cryptsetup (which uses DMCrypt):
- Specifying luks2 type
cryptsetup --type=luks2 -c aes-cbc-essiv:sha256 -s 128 -v --debug luksFormat /dev/mmcblk0p12
This method returned an error, indicating that it was unsupported/invalid:
# Allocating context for crypt device /dev/mmcblk0p12.
# Trying to open and read device /dev/mmcblk0p12 with direct-io.
# Initialising device-mapper backend library.
# File descriptor passphrase entry requested.
Failed to open key file.
# Releasing crypt device /dev/mmcblk0p12 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).
Interestingly, I do not see aes-cbc-essiv in /proc/crypto.
- Specifying plain type
cryptsetup --type=plain -c aes-cbc-essiv:sha256 -s 128 -v --debug luksFormat /dev/mmcblk0p12
This one succeeded, however I noticed poor read/write speeds compared to another unencrypted partition. A side question: perhaps this is due to alignment of the partition itself?
I also noticed that the docs referenced above are super new, so I have tried this on the latest developer kit image (as of today - nx-jp45).
What is the recommended method to create an encrypted partition using cryptsetup such that HW accelerated crypto is taken full advantage of?
Thanks a bunch in advance!
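
Added example, not part of the original post: /proc/crypto lists algorithms under kernel crypto API names such as cbc(aes) rather than dm-crypt spec strings, and the kernel picks the highest-priority implementation registered for a name. The script below maps a spec like the one in the post to that name (ignoring the IV generator part) and ranks the registered drivers. The function names, the `--live` switch and the driver and module names in the sample are made up for illustration.

```python
import sys

# Constructed sample in /proc/crypto layout; driver and module names are invented.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-hw-example
module       : hw_example
priority     : 300

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
"""

def kernel_name(spec):
    """Map a dm-crypt spec 'cipher-mode[-iv[:opts]]' to the crypto API name 'mode(cipher)'."""
    parts = spec.split("-")
    if len(parts) < 2:
        raise ValueError(f"not a cipher-mode[-iv] spec: {spec!r}")
    return f"{parts[1]}({parts[0]})"

def parse_proc_crypto(text):
    """Turn the blank-line separated records into a list of field dicts."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # a blank line closes the current record
            if cur:
                records.append(cur)
            cur = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    return records

def implementations(text, spec):
    """Return (driver, priority, module) tuples for the spec, highest priority first."""
    hits = [r for r in parse_proc_crypto(text) if r.get("name") == kernel_name(spec)]
    hits.sort(key=lambda r: int(r.get("priority", 0)), reverse=True)
    return [(r.get("driver", "?"), int(r.get("priority", 0)), r.get("module", "?")) for r in hits]

if __name__ == "__main__":
    source = open("/proc/crypto").read() if "--live" in sys.argv else SAMPLE
    for driver, prio, module in implementations(source, "aes-cbc-essiv:sha256"):
        print(f"{prio:>5}  {driver}  (module {module})")
```

Run with `--live` on the target board to read the real /proc/crypto; the first line printed is the implementation the kernel would select for that algorithm name.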