JetPack 6.2.1 / Orin NX: APP_ENC & encrypted NVMe rootfs image never created

Hi,

I’m trying to set up encrypted rootfs on NVMe on a Jetson Orin NX 16GB (carrier: p3767, module: p3768) using JetPack 6.2.1 (L4T R36.4), with keys stored in EKS / OP-TEE (LUKS key derived from hwkey-agent).

The goal is:

  • QSPI: normal boot chain + EKS, secure boot etc.

  • External NVMe: APP as a small boot partition, APP_ENC as encrypted rootfs (crypto_LUKS), root mounted via dm-crypt.

At the moment I can successfully flash QSPI + NVMe, but APP_ENC is never created, no encrypted rootfs image is generated, and the board boots from a plain ext4 APP on nvme0n1p1.

Environment

  • Board: Jetson Orin NX

    • Module: p3768-0000

    • Carrier: p3767-0000

  • JetPack: 6.2.1 (SDK Manager)

  • L4T: R36.4.0

  • Host: Ubuntu 22.04 (VM), running the BSP under:
    ~/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra

What I’m doing (high level)

Generate keys & EKS for T234 using gen_ekb.py under:

source/optee/samples/hwkey-agent/host/tool/gen_ekb

  1. oem_k1_key.hex (32-byte OEM K1 key, hex)
  2. sym32.hex (32-byte symmetric key)
  3. sym16.hex (16-byte symmetric key)
  4. auth16.hex (16-byte auth key)

Then:

python3 gen_ekb.py -chip t234 \
  -oem_k1_key oem_k1_key.hex \
  -in_sym_key sym32.hex \
  -in_sym_key2 sym16.hex \
  -in_auth_key auth16.hex \
  -out eks_t234.img

cp eks_t234.img "$L4T/bootloader/eks.img"
cp sym_key2.bin "$L4T/disk_enc.key"

eks_t234_sigheader.img.encrypt (partition: A_eks / B_eks)

Use NVIDIA’s encrypted NVMe rootfs XML:

tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml

The external device section contains:

... 419430400 16384 APPUUID system_boot.img ... `/dev/nvme0n1p1` ... sequential basic APP_ENC_SIZE 0 0x8 16384 0 APP_ENC_UUID system_root_encrypted.img_ext Contains the encrypted root partition("/") ...

Initrd flashing (QSPI + external) using l4t_initrd_flash.sh:

  • Internal/QSPI packages (no flash):
 sudo BOARDID=3768 FAB=0000 BOARDSKU=0000 BOARDREV=A.0 \
  ./tools/kernel_flash/l4t_initrd_flash.sh \
    --showlogs \
    --no-flash \
    --network usb0 \
    -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
    p3768-0000-p3767-0000-a0 internal
  • External NVMe encrypted image packages (no flash); I tried both:
   # with ENC_ROOTFS
sudo ENC_ROOTFS=1 \
  ./tools/kernel_flash/l4t_initrd_flash.sh \
    --showlogs \
    --no-flash \
    --network usb0 \
    --external-device nvme0n1 \
    --external-only \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
    -i ./disk_enc.key \
    --append \
    p3768-0000-p3767-0000-a0 external


and also explicitly defining APP_ENC_SIZE:

sudo APP_ENC_SIZE=107374182400 ENC_ROOTFS=1 \
  ./tools/kernel_flash/l4t_initrd_flash.sh \
    --showlogs \
    --no-flash \
    --network usb0 \
    --external-device nvme0n1 \
    --external-only \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
    -i ./disk_enc.key \
    --append \
    p3768-0000-p3767-0000-a0 external

The saved initrd parameters confirm the XML used:

--external-device nvme0n1 -c "./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml" --network usb0 p3768-0000-p3767-0000-a0 external

Flash-only once packages are built:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
  --showlogs \
  --network usb0 \
  --flash-only \
  p3768-0000-p3767-0000-a0 external

Logs show:

  • QSPI written successfully

  • External device (NVMe) GPT created and partitions flashed

  • Flash is successful / Reboot device

Symptoms on the host (image packaging)

After building the external images (no flash), I inspect:

grep -n "APP_ENC" tools/kernel_flash/images/external/flash.idx || echo "APP_ENC not in flash.idx"

Result:

APP_ENC not in flash.idx

And the supposed encrypted rootfs image does not exist:

cd tools/kernel_flash/images/external
ls system_root_encrypted.img_ext
# ls: cannot access 'system_root_encrypted.img_ext': No such file or directory

So, even before touching the Jetson, the image package created by l4t_initrd_flash.sh:

  • Has no APP_ENC entry in flash.idx.

  • Does not generate system_root_encrypted.img_ext.

This is the core of the problem: the APP_ENC partition and encrypted rootfs image are never created by the BSP tools.

Symptoms on the Jetson

After a “successful” flash-only and reboot:

jetson@ubuntu:~$ lsblk
NAME         MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
nvme0n1      259:0    0 119.2G  0 disk
├─nvme0n1p1  259:1    0 117.8G  0 part /
...
├─nvme0n1p14 259:14   0   400M  0 part
└─nvme0n1p15 259:15   0 479.5M  0 part

jetson@ubuntu:~$ findmnt /
TARGET SOURCE         FSTYPE OPTIONS
/      /dev/nvme0n1p1 ext4   rw,relatime

jetson@ubuntu:~$ sudo blkid | egrep 'nvme0n1p|crypto_LUKS' || echo "no LUKS found"
/dev/nvme0n1p1: TYPE="ext4" PARTLABEL="APP" ...
/dev/nvme0n1p14: PARTLABEL="UDA" ...
no `crypto_LUKS` entries


So on the device:

  • APP (nvme0n1p1) is huge (~117.8 GiB) and is mounted as / (plain ext4).

  • UDA is present as a ~400M partition, but not LUKS.

  • There is no APP_ENC partition and no dm-crypt mapper.

  • sudo cryptsetup isLuks /dev/nvme0n1p1 → NOT LUKS.

This does not match the XML (where APP was 400 MiB and APP_ENC was intended to be the encrypted rootfs).

What I’ve already tried / verified

  • EKS is generated and flashed; logs show eks_t234_sigheader.img.encrypt written to QSPI (A_eks/B_eks).

  • disk_enc.key is a 32-byte binary key (checked with hexdump / xxd).

  • All required host tools installed (cryptsetup, sshpass, nfs-kernel-server, abootimg, libxml2-utils, parted).

  • Internal (QSPI) flash using flash_t234_qspi.xml is fine.

  • External initrd flash is using flash_l4t_t234_nvme_rootfs_enc.xml (confirmed from initrdflashparam.txt).

  • Tried defining APP_ENC_SIZE both in the environment and in the board conf.

  • Always the same result: APP_ENC never appears in tools/kernel_flash/images/external/flash.idx and system_root_encrypted.img_ext is never produced.

So from what I can tell, the encrypted NVMe rootfs path is never actually engaged by the current JetPack 6.2.1 tooling for this board + XML.

Questions

  1. Is encrypted rootfs on external NVMe (using APP_ENC with LUKS) officially supported for Jetson Orin NX with JetPack 6.2.1 / L4T R36.4?

    • If yes, is flash_l4t_t234_nvme_rootfs_enc.xml the correct starting point, or is there a newer/different XML / method for R36.4?
  2. What additional steps or variables are required so that:

    • l4t_initrd_flash.sh actually:

      • creates APP_ENC in tools/kernel_flash/images/external/flash.idx, and

      • generates system_root_encrypted.img_ext as a crypto_LUKS image,
        rather than leaving only a large plain ext4 APP?

  3. Is there any documentation or reference example for:

    • LUKS rootfs on external NVMe,

    • using EKS / hwkey-agent-derived keys (no passphrase at boot),

    • with JetPack 6.x and Orin NX?

I can attach:

  • flash_l4t_t234_nvme_rootfs_enc.xml,

  • tools/kernel_flash/images/external/flash.idx,

  • initrdlog/flash_3-2_0_20251117-170149.log (or latest),

  • p3768-0000-p3767-0000-a0.conf,

if that helps.

Right now it looks like the BSP tools simply ignore the APP_ENC definition for external NVMe and never build the encrypted rootfs image, but I’d like to confirm whether I’m missing a step or this is a limitation/bug in R36.4.

Thanks in advance for any guidance.

Update:
I also tried the disk_enc_enable=1 approach described in another thread:

  • Added disk_enc_enable=1; at the end of p3768-0000-p3767-0000-a0.conf.

  • Rebuilt packages from scratch:

    • Internal/QSPI with l4t_initrd_flash.sh --no-flash ... internal

    • External NVMe with:
      sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --network usb0 --external-device nvme0n1 --external-only -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" -i ./disk_enc.key --append p3768-0000-p3767-0000-a0 external

But even then:

grep -n "APP_ENC" tools/kernel_flash/images/external/flash.idx || echo "APP_ENC not in flash.idx"
# APP_ENC not in flash.idx

ls tools/kernel_flash/images/external/system_root_encrypted.img_ext
# No such file or directory

So, on R36.4 + Orin NX + l4t_initrd_flash external NVMe:

  • The external image package never contains APP_ENC, and

  • The encrypted rootfs image (system_root_encrypted.img_ext) is never generated,
    even with disk_enc_enable=1 and ROOTFS_ENC=1.

Internal/QSPI flashing is fine, EKS is present in QSPI, NVMe boots with a large APP ext4 on /dev/nvme0n1p1 as /, no crypto_LUKS.

Could you please confirm:

  • Is encrypted rootfs on external NVMe actually supported for Orin NX on JetPack 6.2.1 / R36.4 with l4t_initrd_flash.sh?

  • If yes, which exact config/flags/xml should be used so that APP_ENC and system_root_encrypted.img_ext are actually produced for the external device?

hello imran.khalid,

that’s incorrect, you should use ROOTFS_ENC=1.

we’ve tested again locally to confirm disk encryption is working. here are our test steps for your reference,
– Generate images for QSPI:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
– Generate the key:
$ echo "f0e0d0c0b0a001020304050607080900" > ekb.key
– Generate images for external storage device:
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
– Flash images into the both storage devices:
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only
– Verification after flash and booting up:

$ df -h
/dev/mapper/crypt_root 54G 5.6G 46G 12% /
/dev/mapper/crypt_UDA 374M 14K 350M 1% /mnt/crypt_UDA
/dev/nvme0n1p1 371M 97M 247M 29% /boot

@JerryChang will this work for Jetson Orin NX 16 GB, i don’t have jetson-orin-nano

hello imran.khalid,

yes, Orin NX/Nano they’re sharing the same board configuration file.

@JerryChang I have run the commands - it flashed successfully but when i rebooted the jetson i am getting following errors

No key available with this passphrase
/bin/bash: line 1 crypt_UDA command not found
error: failed to unlock the ecrypted dev /dev/nvm0n1p2

hello imran.khalid,

it’s usually due to a mismatched key. since you’ve enabled disk encryption, you’ll need to follow Tool for EKB Generation to re-generate the EKS image (eks_t234.img) with your own keys before flashing your target.

@JerryChang I tried this - following are the steps i followed but still i am getting key mismatch issue. Can you please have a look.

L4T=~/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra
cd "$L4T/source/optee/samples/hwkey-agent/host/tool/gen_ekb"

# 1) Generate hex keys with correct sizes
openssl rand -hex 32 | tr -d '\r\n' > oem_k1_key.hex   # 64 chars
openssl rand -hex 32 | tr -d '\r\n' > sym32.hex        # 64 chars (32-byte sym1)
openssl rand -hex 16 | tr -d '\r\n' > sym16.hex        # 32 chars (16-byte DISK key)
openssl rand -hex 16 | tr -d '\r\n' > auth16.hex       # 32 chars

python3 gen_ekb.py -chip t234 \
  -oem_k1_key  oem_k1_key.hex \
  -in_sym_key  sym32.hex \
  -in_sym_key2 sym16.hex \
  -in_auth_key auth16.hex \
  -out eks_t234.img

cp eks_t234.img "$L4T/bootloader/eks.img"
# ***CRITICAL***:
# disk_enc.key MUST be exactly the same 32 hex chars as sym16.hex
cp sym16.hex "$L4T/disk_enc.key"

sudo rm -rf tools/kernel_flash/images initrdlog

# QSPI/internal (writes eks.img to QSPI)
sudo ./tools/kernel_flash/l4t_initrd_flash.sh \
  --showlogs -p "-c ./bootloader/generic/cfg/flash_t234_qspi.xml" \
  --no-flash --network usb0 \
  jetson-orin-nano-devkit internal

# External encrypted NVMe (nvme0n1p1), non-interactive unlock via OP-TEE
sudo ROOTFS_ENC=1 \
  ./tools/kernel_flash/l4t_initrd_flash.sh \
    --showlogs --no-flash \
    --external-device nvme0n1p1 \
    -i ./disk_enc.key \
    -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml \
    --external-only --append --network usb0 \
    jetson-orin-nano-devkit external

# Flash both
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only


hello imran.khalid,

did you fuse a target to burn OEM_K1?

@JerryChang No i did not - as of now i just want the NVMe root filesystem encrypted so that if someone pulls the SSD and plugs it into another machine, they can’t read it. I don’t want UEFI/secure-boot keys as of now.

hello imran.khalid,

assume you’re working with JP-6.2.1/r36.4.4,
you’ll need to visit L4 page, jetson-linux-r3644 to download [Driver Package (BSP) Sources] for the op-tee sources,
please extract nvidia-jetson-optee-source.tbz2 for the sample script to re-generate EKS image with your keys, (sym_key2), and keep others as default.
$public_sources/r36.4.4/Linux_for_Tegra/source/public/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh
after you re-generate EKS image, please update the binary file under.. $OUT/Linux_for_Tegra/bootloader/eks_t234.img
you may perform partition update as below to update EKS image for verification.
$ sudo ./flash.sh -c bootloader/generic/cfg/flash_t234_qspi.xml -k A_eks --no-systemimg jetson-orin-nano-devkit-nvme nvme0n1p1

@JerryChang i guess this solution just adds the symmetric key and does not encrypt. In case i have to encrypt my SSD and have permission key, will the solution below work?

tr -d '\r\n' < sym16.hex | xxd -r -p > "$L4T/disk_enc.key"

cd "$L4T"
sudo rm -rf tools/kernel_flash/images initrdlog


@JerryChang i guess $ sudo ./flash.sh -c bootloader/generic/cfg/flash_t234_qspi.xml -k A_eks --no-systemimg jetson-orin-nano-devkit-nvme nvme0n1p1
this does not encrypt the disk, it will just add the symmetric key. In case i need to encrypt should i be using the flow as discussed above.

hello imran.khalid,

it’s your flash script ROOTFS_ENC=1 to enable disk encryption.
however, you’ll need to apply EKS image update (to contain the same key) which is flashed onto its partition.

@JerryChang
I am getting errors; this is what i have done

openssl rand -hex 32 | tr -d '\r\n' > oem_k1_key.hex    # 64 hex
openssl rand -hex 32 | tr -d '\r\n' > sym32.hex         # 64 hex (UEFI payload key)
openssl rand -hex 16 | tr -d '\r\n' > sym16.hex         # 32 hex (**sym2** for disk)
openssl rand -hex 16 | tr -d '\r\n' > auth16.hex        # 32 hex


I am in cd "$L4T/source/optee/samples/hwkey-agent/host/tool/gen_ekb"
when i run ./example.sh i get following error

WARNING: You must provided your own UEFI variable authentication key
when OEM key1 fuse is burned. Missing the UEFI variable authenticaton
key will cause the system to fail to boot up.
NOTE: If the board you are using is not fuse burned, you can ignore ths message.
Enter 'Ctrl + C' to break, otherwise continue to generate EKB: 
Traceback (most recent call last):
  File "/home/ubuntu22/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra/source/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py", line 270, in <module>
    main()
  File "/home/ubuntu22/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra/source/optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py", line 217, in main
    raise Exception("oem_k1_key or oem_k2_key file cannot be openned")
Exception: oem_k1_key or oem_k2_key file cannot be openned

so instead i ran

python3 gen_ekb.py -chip t234 \
  -oem_k1_key  oem_k1_key.hex \
  -in_sym_key  sym32.hex \
  -in_sym_key2 sym16.hex \
  -in_auth_key auth16.hex \
  -out eks_t234.img

After running the command you mentioned it says

sudo ./flash.sh -c bootloader/generic/cfg/flash_t234_qspi.xml -k A_eks --no-systemimg jetson-orin-nano-devkit-nvme nvme0n1p1
[sudo] password for ubuntu22: 
###############################################################################
# L4T BSP Information:
# R36 , REVISION: 4.4
# User release: 0.0
###############################################################################
Error: When disk encryption is enabled, root device cannot be nvme0n1p1

@JerryChang still getting the error below i have re flashed it

 No key available with this passphrase
/bin/bash: line 1 crypt_UDA command not found
error: failed to unlock the ecrypted dev /dev/nvm0n1p2

this is how i created the keys

# 32-byte (64 hex) OEM K1 key (used as EKB fuse key input for testing)
openssl rand -hex 32 | tr -d '\r\n' > oem_k1_key.hex

# 32-byte (64 hex) sym key (UEFI payload key; fine to be unused)
openssl rand -hex 32 | tr -d '\r\n' > sym32.hex

# 16-byte (32 hex) DISK key (this is the one LUKS ultimately derives from)
openssl rand -hex 16 | tr -d '\r\n' > sym16.hex

# 16-byte (32 hex) auth key (UEFI var auth)
openssl rand -hex 16 | tr -d '\r\n' > auth16.hex

Build the EKB image directly

python3 gen_ekb.py -chip t234 \
  -oem_k1_key oem_k1_key.hex \
  -in_sym_key  sym32.hex \
  -in_sym_key2 sym16.hex \
  -in_auth_key auth16.hex \
  -out eks_t234.img

Install EKB + set the host’s LUKS key

cp eks_t234.img "$L4T/bootloader/eks_t234.img"
tr -d '\r\n' < source/optee/samples/hwkey-agent/host/tool/gen_ekb/sym16.hex > disk_enc.key

Then i flashed it again - it encrypted but it is failing to boot

Please go through the steps, correct add update so that i can resolve this issue

I have also compared keys

ubuntu22@ubuntu22m1:~/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra$ hexdump -C "$L4T/disk_enc.key"
00000000  63 63 37 31 32 65 32 36  37 66 30 33 33 61 62 34  |cc712e267f033ab4|
00000010  66 63 62 33 35 35 33 36  38 64 64 61 63 36 66 32  |fcb355368ddac6f2|
00000020
ubuntu22@ubuntu22m1:~/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra$ cd "$L4T/source/optee/samples/hwkey-agent/host/tool/gen_ekb"

ubuntu22@ubuntu22m1:~/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra/source/optee/samples/hwkey-agent/host/tool/gen_ekb$ hexdump -C sym16.hex
00000000  63 63 37 31 32 65 32 36  37 66 30 33 33 61 62 34  |cc712e267f033ab4|
00000010  66 63 62 33 35 35 33 36  38 64 64 61 63 36 66 32  |fcb355368ddac6f2|
00000020
ubuntu22@ubuntu22m1:~/nvidia/nvidia_sdk/JetPack_6.2.1_Linux_JETSON_ORIN_NX_TARGETS/Linux_for_Tegra/source/optee/samples/hwkey-agent/host/tool/gen_ekb$ 
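
The hexdump comparison above only shows that two files have the same bytes; it does not say how those bytes encode the key. The following check is an added example, not part of the thread and not NVIDIA tooling: it classifies each key file as hex text or raw binary and compares the decoded key values. It assumes both files are meant to hold one 16-byte key written as 32 hex characters, as in the `echo ... > ekb.key` step earlier in the thread; `parse_key_file` and `compare_keys` are hypothetical names, and the sample key is constructed.

```python
#!/usr/bin/env python3
"""Pre-flash check: do two key files hold the same disk-encryption key?"""
import string
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional


@dataclass
class KeyFile:
    encoding: str                 # "hex-text", "raw-binary" or "invalid"
    key: Optional[bytes]          # decoded key bytes, None if undecodable
    notes: List[str] = field(default_factory=list)


def parse_key_file(data: bytes, want_bytes: int = 16) -> KeyFile:
    """Classify a key file's raw content and record anything unusual."""
    notes = []
    body = data.rstrip(b"\r\n")
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        text = ""
    if text and all(c in string.hexdigits for c in text):
        if body != data:
            notes.append("trailing CR/LF after the hex digits")
        if len(text) != 2 * want_bytes:
            notes.append(f"{len(text)} hex chars, expected {2 * want_bytes}")
        if len(text) % 2:
            return KeyFile("invalid", None, notes)
        return KeyFile("hex-text", bytes.fromhex(text), notes)
    if len(data) == want_bytes:
        return KeyFile("raw-binary", data, notes)
    # Neither form: list the offending characters (curly quotes, spaces, ...).
    stray = sorted({c for c in body.decode("utf-8", "replace")
                    if c not in string.hexdigits})
    notes.append(f"not hex text and not {want_bytes} raw bytes; stray: {stray!r}")
    return KeyFile("invalid", None, notes)


def compare_keys(a: bytes, b: bytes, want_bytes: int = 16) -> str:
    """Return 'match', 'same-key-different-encoding', 'different-key' or 'invalid'."""
    ka, kb = parse_key_file(a, want_bytes), parse_key_file(b, want_bytes)
    if ka.key is None or kb.key is None:
        return "invalid"
    if ka.key != kb.key:
        return "different-key"
    return "match" if ka.encoding == kb.encoding else "same-key-different-encoding"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        blobs = [Path(p).read_bytes() for p in sys.argv[1:]]
    else:
        # Constructed sample: the same key once as hex text, once as raw bytes.
        blobs = [b"00112233445566778899aabbccddeeff\n",
                 bytes.fromhex("00112233445566778899aabbccddeeff")]
    for blob in blobs:
        info = parse_key_file(blob)
        print(info.encoding, info.notes)   # never print the key itself
    verdict = compare_keys(*blobs)
    print(verdict)
    sys.exit(0 if verdict == "match" else 1)
```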

hello imran.khalid,

you should keep all 0s for OEM_K1 since you’re not fusing a target.
let’s omit UEFI keys (sym_t234.key, auth_t234.key) to narrow down the issue.

please see-also sample script,
$public_sources/r36.4.4/Linux_for_Tegra/source/atf_and_optee/optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh
you should replace only sym2_t234.key to execute the sample script for re-generating eks_t234.img.

@JerryChang success image created successfully

this is what i have done

  1. Create oem_key.key
echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key
  2. Create sym2_t234.key
echo "00000000000000000000000000000000" > sym2_t234.key
  3. create image
./example.sh
  4. Copy Image
install -m 600 -T eks_t234.img "$L4T/bootloader/eks_t234.img"

please guide next

hello imran.khalid,

you should replace the original EKS image as below..
$ cp new_r364_EKS.img ~/r36.4.4/Linux_for_Tegra/bootloader/eks_t234.img

after that, please re-flash your target for confirmation.
[Internal storage]
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal
[External storage]
$ sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
[Image flashing]
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

@JerryChang Just an FYI OS and data is on SSD.

@JerryChang

I am facing same issue

No key available with this passphrase
/bin/bash: line 1 crypt_UDA command not found
error: failed to unlock the ecrypted dev /dev/nvm0n1p2

I have followed following steps:

  1. Create oem_key.key
echo "0000000000000000000000000000000000000000000000000000000000000000" > oem_k1.key
  2. Create sym2_t234.key
echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
  3. Create Image
./example.sh
  4. Copy Image
cp eks_t234.img "$L4T/bootloader/eks_t234.img"

Internal Flashing

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit internal

External Flashing

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external

Image Flashing

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --showlogs --network usb0 --flash-only

Result:

  • rootfs is successfully encrypted.
No key available with this passphrase
/bin/bash: line 1 crypt_UDA command not found
error: failed to unlock the ecrypted dev /dev/nvm0n1p2