hello cleng,
it’s /usr/sbin/nvluks-srv-app on the target to obtain the keys,
the disk encryption key must be identical, otherwise you’ll see fail to unlock error message.
for instance, ERROR: fail to unlock the encrypted dev /dev/nvme0n1p2.
yap, you may set disk encryption (ROOTFS_ENC=1) without secureboot enabled.
besides, here’s command-line of gen_ekb.py tool to generate an EKS image file,
as you can see…
$ python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
-in_sym_key sym_t234.key \
-in_sym_key2 sym2_t234.key \
-in_auth_key auth_t234.key \
-out eks_t234.img
it also uses OEM_K1, which is one of fuse variable.
please see-also Jetson Orin Fuse Specification for details.
since this is topic for massflash, please refer to Topic 319101, comment #8 for the steps of disk encryption + massflash.
according to above,
let’s have a new thread for following up your specific issue.