OTA upgrade on devices that have secure boot and disk encryption

We are currently using Jetson Xavier NX devices with JetPack 4.6 (L4T 32.7.1) for our projects. We are interested in performing an Over the Air (OTA) upgrade to JetPack 5.1.2 to take advantage of the latest features and improvements.

Our devices are configured with secure boot and disk encryption for both eMMC and NVMe storage. Therefore, we need to consider these security features during the upgrade.

Could you please provide us with detailed documentation and steps specifically for performing an OTA upgrade from JetPack 4.6 to JetPack 5.1.2 on devices that have secure boot and disk encryption enabled?

Additionally, if there are any specific precautions or considerations we should be aware of when performing this OTA upgrade on secured devices, please advise us accordingly.

We greatly appreciate your assistance in this matter.

hello karl.sponholz,

please check the developer guide, Preparing for an Image-Based OTA Update.
you should also provide the same key file that was used to flash images to the target board when creating the OTA payload package.

Hello @JerryChang
thanks for your prompt response,
Does this process enable disk encryption by default? I can’t see any steps regarding enabling disk encryption.
please note that we are using a
Jetson Xavier NX eMMC 16GB + 250 GB SSD

hello HusamAlqaza,

no, disk encryption is disabled by default.
please go through the Disk Encryption section for the steps to enable it.

EKB (Encrypted Binary Blob) stores two keys: one is the kernel encryption key (sym_key_file), and the other is the LUKS key (sym2_key_file) for disk encryption support.
For LUKS disk encryption support with a specific key, you should execute the script file gen_ekb.py to generate an image. also, per the developer guide, Tool for EKB Generation, sym2.key is equivalent to ekb.key.
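The reply above describes the EKB as holding two symmetric keys (sym_key_file for the kernel, sym2_key_file for LUKS) that gen_ekb.py wraps into an image. The following shell script is an added example, not code from this thread or from NVIDIA: it generates the two key files, checks their format, checks that the two keys are not accidentally the same, and prints the gen_ekb.py invocation. Assumptions, none of which the thread states: both keys are 128-bit AES keys written as 32 hex characters plus a newline (the form `openssl rand -hex 16 > sym.key` produces), the gen_ekb.py flag names (`-kek2_key`, `-fv`, `-in_sym_key`, `-in_sym_key2`, `-out`) are from memory of the L4T tool and must be confirmed against `python3 gen_ekb.py -h` for your release, and GEN_EKB, the KEK2 file and the FV string are supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread or from NVIDIA: prepare the two
# symmetric key files that gen_ekb.py packs into the EKB, and sanity-check
# them before building the image.
#
# Assumptions (not stated on the page):
#   * both keys are 128-bit AES keys stored as 32 hex characters plus a
#     trailing newline, the same form `openssl rand -hex 16 > sym.key` writes
#   * the gen_ekb.py flag names below (-kek2_key, -fv, -in_sym_key,
#     -in_sym_key2, -out) are taken from memory of the L4T tool; confirm
#     them against `python3 gen_ekb.py -h` for your release
#   * GEN_EKB (script path), the KEK2 key file and the FV string are
#     supplied by the caller
set -eu

# Write a fresh 16-byte random key as 32 lowercase hex characters.
# Uses /dev/urandom + od so it works without openssl.
gen_sym_key() {
    _out="$1"
    _hex=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s\n' "$_hex" > "$_out"
    chmod 600 "$_out"          # key material: owner-readable only
}

# Return 0 if the file holds exactly 32 hex digits (ignoring the newline).
check_sym_key() {
    [ -f "$1" ] || return 1
    tr -d '\n' < "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Return 0 if the kernel key and the LUKS key are distinct. Reusing one key
# for both roles would let whoever recovers the kernel key unlock the disk.
keys_distinct() {
    ! cmp -s "$1" "$2"
}

# Print the gen_ekb.py invocation that wraps both keys into the EKB image.
# Flag names are an assumption (see header); the FV value is the
# release-specific string from the developer guide, passed in by the caller.
ekb_command() {
    _kek2="$1"; _fv="$2"; _sym="$3"; _sym2="$4"; _out="$5"
    printf 'python3 %s -kek2_key %s -fv %s -in_sym_key %s -in_sym_key2 %s -out %s\n' \
        "${GEN_EKB:-gen_ekb.py}" "$_kek2" "$_fv" "$_sym" "$_sym2" "$_out"
}

# Usage (keep both key files with your flashing keys: the same files are
# needed for any later re-flash and, per the thread, for OTA payloads):
#   gen_sym_key sym.key        # kernel encryption key (sym_key_file)
#   gen_sym_key sym2.key       # LUKS key (sym2_key_file, i.e. ekb.key)
#   check_sym_key sym.key && check_sym_key sym2.key \
#       && keys_distinct sym.key sym2.key
#   sh -c "$(ekb_command kek2.key "$FV" sym.key sym2.key eks.img)"
```

The distinctness check is the one a practitioner most often forgets: the two key slots have different trust boundaries (the kernel key protects boot images, the LUKS key protects data at rest), so they should never be the same file copied twice.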

Hello @JerryChang
thanks for the details
We’ll conduct an internal evaluation and provide you with our feedback shortly.

hello HusamAlqaza,

let me share more details.

it’s possible to OTA from JP-4.6 to JP-5.1.2, or a later release version.
however, OTA isn’t supported once disk encryption has been enabled.
that’s because there are no options in the OTA command to perform an image-based OTA on disk-encryption-enabled devices.

only devices with PKC+SBK are supported with OTA upgrade.

Hello @JerryChang,

Thank you for the details.

To clarify, our current setup complies with Nvidia’s security measures, and it includes secure boot and disk encryption. As we need to upgrade to the latest version (5.1.2), I understand that OTA isn’t an option when disk encryption is enabled.

In light of this, could you please advise on the alternative methods for upgrading our devices? The urgency of this matter is heightened by JetPack 4 reaching end of life, as highlighted here: JetPack 4 Reaches End of Life.

could you please add more details about the intention behind this? I understand that OTA only works in an unsecured environment.

Your guidance on how to proceed would be greatly appreciated.

hello HusamAlqaza,

do you need to perform the Jetpack version upgrade remotely?
or, is it possible to set up USB connections to re-flash the targets via a host machine?

Hello @JerryChang

Yes, we do need to perform the Jetpack version upgrade remotely for devices in the wild. While we can reflash the devices in stock via USB connections, the devices already deployed in the field make remote upgrades necessary because we don’t have physical access to them.

hello HusamAlqaza,

we had some internal discussion…

there’s no OTA with disk encryption. for example, JP5.1.2 → JP5.1.3 with disk encryption is not supported.
hence, only devices with PKC+SBK are supported with OTA upgrade at the moment.

Hello @JerryChang

Thank you for your continued assistance.

To clarify, we are looking to upgrade from version 4.6.1 to version 5.1.2, not from 5.1.2 to 5.1.3.

Could you kindly inform me of the constraints or restrictions?

is the problem that the OTA process can’t run on an encrypted disk, or that it can, but we can’t enable disk encryption after the OTA process?

I understand you would like to upgrade from version 4.6.1 to version 5.1.2.
however, the problem is that the OTA process can’t run on an encrypted disk.

If I understand correctly, does OTA (Over-The-Air) updating only work in insecure environments? I would assume other customers face the same challenge. In cases where you want to utilize OTA updates along with hardware encryption, what is the recommended best practice?

hi all,

only devices with PKC+SBK are supported with OTA upgrade so far.

FYI, we have a plan to support disk encryption for OTA, but there’s no rough ETA for when the function will be complete.
assuming it’ll be supported in the next Jetpack-5 release, JP-5.1.2 → JP-5.1.x with disk encryption is still not supported.

I would assume that other customers also have this issue. What is your recommended best practice in this case?

OTA updates are required for devices in the field. For all the devices you have access to, you can update them directly. However, especially for these devices, disk encryption is necessary because there is a threat of unauthorized access.

as mentioned above, please set up USB connections to re-flash the targets via a host machine at the moment.

As our devices are in the field this won’t work for us. What is your recommended best practice in this case?