Jetson Orin AGX Encryption NVMe

Hello,

I have a question about disk encryption that I need help with. I want to encrypt the rootfs on the eMMC, but we also use the eMMC to mount the SSD on a mount point. Is it possible to also encrypt that mount point, let's call it /etc/x?

Hi elhamriothman,

That does not seem to be a valid case for disk encryption, which should be enabled during flashing.
If you want the NVMe SSD to be encrypted, please specify ROOTFS_ENC=1 when flashing to the external NVMe SSD.

Hello,

So in that case I will just have to sacrifice the storage of the eMMC, since the rootfs will be on the NVMe SSD (boot will be on the NVMe)?

I think the NVMe has enough space for you compared to the internal eMMC.

If you want to boot from eMMC but also need the mounted NVMe to be encrypted, maybe you can try using a tool like VeraCrypt or LUKS for your case. But we haven't verified this use case locally so far.

I see. In the Disk Encryption — NVIDIA Jetson Linux Developer Guide documentation I saw that there is a way to add an encrypted fs, but I'm still not sure how to adapt it to my situation.

The instruction you shared is to unlock the encrypted rootfs in initrd, but it seems you were asking about how to encrypt the mounted external NVMe.

Ah you are right, I am trying to encrypt the fs that we mount on the nvme.

Might be out of the blue, but while I was reading the disk_encryption_helper.func that is used by flash.sh I noticed that when building the enc_rootfs_img, the script also uses gen_luks_passphrase.py to generate a passphrase with the DEK, and that is passed to cryptsetup:

	# Add the LUKS header
	eval ${GEN_LUKS_PASS_CMD} | ${CRYPTSETUP_BIN} \
		--type luks2 \
		-c aes-xts-plain64 \
		-s 256 \
		--uuid "${__rootfsuuid}" \
		luksFormat \
		${loop_dev};
	chkerr "Add LUKS header on ${__localsysfile} failed.";

So in other words, in order to encrypt the disk we only use the passphrase and not the DEK (the DEK is used to derive the passphrase).

Yes, we also use LUKS for disk-encryption.

Please refer to Enabling Disk Encryption for Dynamically Created Partitions for this use case.

Thank you for the use case, but my question is about LUKS for disk encryption. During the encryption we only give the passphrase that protects the master key; the DEK is generated randomly by cryptsetup, right?

Yes, the DEK is generated by cryptsetup; you can find more details in Details of Operation.

1 Like
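The following is an added example, not code from this thread or from NVIDIA's flash tooling. It shows the "boot from eMMC, encrypt the mounted NVMe with LUKS" setup the moderator suggested, and makes the later keyslot/DEK point visible: `luksFormat` generates the volume key (DEK) from random data and the keyfile only wraps it in a keyslot, so `luksChangeKey` later replaces the wrapping without touching the data. Everything that needs root or a real device is behind `--apply`; the `luksDump` excerpt is constructed in the LUKS2 layout, and the device path `/dev/nvme0n1p1`, mapper name `nvme_data`, keyfile path `/etc/luks/nvme_data.key` and the OP's mount point `/etc/x` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or NVIDIA): boot from eMMC, keep the external
# NVMe as a LUKS2 volume that is unlocked at boot with a keyfile stored on the
# eMMC rootfs. The keyfile is only secret if that rootfs is itself encrypted
# (ROOTFS_ENC=1); device, mapper name, keyfile path and mount point are assumptions.
set -eu

NVME_DEV="${NVME_DEV:-/dev/nvme0n1p1}"          # assumed partition to encrypt (data is destroyed)
MAPPER="${MAPPER:-nvme_data}"                   # assumed dm-crypt mapping name
MOUNT_POINT="${MOUNT_POINT:-/etc/x}"            # the OP's placeholder mount point
KEYFILE="${KEYFILE:-/etc/luks/nvme_data.key}"   # assumed path on the encrypted eMMC rootfs

# /etc/crypttab line: unlock by LUKS UUID (stable across /dev renames) from the keyfile.
render_crypttab() {
    # $1 mapper name, $2 LUKS UUID, $3 keyfile path
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$3"
}

# /etc/fstab line for the opened mapping; nofail keeps the eMMC boot alive if the SSD
# is absent, so the system never hangs on a missing or corrupt external volume.
render_fstab() {
    # $1 mapper name, $2 mount point
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# Summarize `cryptsetup luksDump` text read from stdin: the data-segment cipher and how
# many keyslots wrap the (randomly generated) volume key. Runs without root or a device.
luks_summary() {
    awk '
        /^Data segments:/ { in_seg = 1 }
        /^Keyslots:/      { in_seg = 0 }
        in_seg && $1 == "cipher:" { cipher = $2 }
        /^  [0-9]+: luks2/ { slots++ }
        END { printf "cipher=%s keyslots=%d\n", cipher, slots }
    '
}

# Constructed luksDump excerpt in the LUKS2 layout (not captured from a real device):
# one data segment, two keyslots wrapping the same 256-bit volume key.
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           0a1b2c3d-0000-4000-8000-000000000001

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id'

sample_summary() {
    printf '%s\n' "$SAMPLE_DUMP" | luks_summary
}

# Privileged one-time setup; only runs as `sh script.sh --apply` on the target as root.
apply_encryption() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v cryptsetup >/dev/null || { echo "cryptsetup not installed" >&2; return 1; }

    # 1. Random keyfile, readable by root only, on the encrypted eMMC rootfs.
    if [ ! -f "$KEYFILE" ]; then
        install -d -m 0700 "$(dirname "$KEYFILE")"
        dd if=/dev/urandom of="$KEYFILE" bs=64 count=1 status=none
        chmod 0400 "$KEYFILE"
    fi

    # 2. LUKS2 header with the same cipher and key size the flash script uses. cryptsetup
    #    draws the volume key (DEK) from random data; the keyfile only wraps it in slot 0.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 256 \
        --batch-mode --key-file "$KEYFILE" "$NVME_DEV"

    # 3. Open the mapping, create a filesystem on it, prepare the mount point.
    cryptsetup open --key-file "$KEYFILE" "$NVME_DEV" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    mkdir -p "$MOUNT_POINT"

    # 4. Persist: crypttab unlocks at boot, fstab mounts the opened mapping.
    uuid="$(cryptsetup luksUUID "$NVME_DEV")"
    render_crypttab "$MAPPER" "$uuid" "$KEYFILE" >>/etc/crypttab
    render_fstab "$MAPPER" "$MOUNT_POINT" >>/etc/fstab
    mount "$MOUNT_POINT"

    # 5. Show what protects what. Rotating the keyfile later is
    #    `cryptsetup luksChangeKey "$NVME_DEV" --key-file OLD NEW`: the keyslot is
    #    rewritten, the volume key and the on-disk data stay as they are.
    cryptsetup luksDump "$NVME_DEV" | luks_summary
}

if [ "${1:-}" = "--apply" ]; then
    apply_encryption
fi
```

Without `--apply` the script only defines the helpers, so `sh script.sh` is safe anywhere; on the Jetson, run `sh script.sh --apply` once as root after confirming `NVME_DEV` points at the right partition, then reboot and check `lsblk` and `mount | grep /etc/x`.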

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.