Hello, I want to use LUKS for disk encryption on my Jetson. But I don’t want the data on my disk to be deleted when I do the LUKS format. Is there a solution/way for this?
You will have to perform a backup and restore, but it can be limited to just that partition. There are different ways to do this, but I recommend you clone just that partition (there are clone tools which clone more than the rootfs partition). A clone can be used to restore from; a “raw” clone can also be loopback mounted and examined and edited before using it to restore. There is also the use of rsync.
The part where a raw clone is most useful is that it can be loopback mounted read-only (or read-write) on a host PC. That loopback mounted clone can be used as a source of rsync output to the LUKS partition over ssh.
I am doubtful that you will find an “in-place” encryption which does not lose the data, but someone else may know how to do that. Regardless, if you value this data, you would always want a backup (such as via clone of rootfs) prior to starting.
@linuxdev Actually I don’t quite understand. If I want to encrypt a partition, I can clone it beforehand, but if I want to encrypt the whole disk, do I need to erase the disk for encryption? I can’t clone the whole disk, right? Could you please explain in more detail?
hello feyzaorak2002,
you’ll need layout changes, please refer to Disk Encryption Implementation in Jetson Linux of [Layout of an Encrypted Disk].
a new, encrypted partition, APP_ENC, has been created for saving sensitive data.
Hello @JerryChang,
Yes, I read that part. However, I could not understand whether the data was deleted when we performed the operations (APP_ENC identification and encryption). Is there any data loss when performing these operations? Or can I perform this encryption while protecting the disk and the data in it? Thank you.
hello feyzaorak2002,
it’s because tegraflash erases eMMC (i.e. erases the entire storage) when you run the flash script to re-flash the target.
please back up all your data before re-flashing a target.
Hello @JerryChang,
Sorry I didn’t understand clearly. If I want to encrypt the whole disk I have no choice but to back it up, right? Is the data definitely deleted by the encryption process? Is there any solution except backup?
hello feyzaorak2002,
may I confirm what your current status is? or… you’re going to back up the encrypted partition?
Hello @JerryChang,
I have a disk that contains files that I do not want to be deleted (Jetson TX2). I want to encrypt this whole disk, but I do not want my data to be deleted while encrypting. It is very difficult for me to back up because I do not have flash drives, USBs, etc. with me right now. I want to know if there is a way to encrypt without needing to back up and without deleting the data.
hello feyzaorak2002,
this target has not enabled disk encryption yet, right?
please refer to “To back up and restore a Jetson device” for creating a backup image.
Hello @JerryChang,
Yes, I haven’t done the encryption process yet. I understand that backup is required for encryption; there is no other solution for saving data, right?
hello feyzaorak2002,
you must re-flash to apply layout changes, which add the encrypted partition, APP_ENC, for your request.
as mentioned above, it’ll erase eMMC (i.e. erase entire storage) during the flashing process. please do back up your data manually.
For any non-rootfs partition, ordinary Linux documentation applies regarding the possibility of in-place addition of encryption (I don’t know if there is a way to encrypt in place). For a rootfs partition, boot layout and content must be customized, so not only would you have to back up the data and restore manually, you would also have to do as @JerryChang mentions and flash with custom flash commands. I don’t know of any convenient way around this for partition encryption. Possibly individual files could be encrypted without backing up first, but only those files not involved with mounting the rootfs or running the o/s would apply for that case (the others would require flashing even if you encrypted individual files one at a time versus a partition).
@linuxdev How can I do in-place encryption without making backups for individual files?
That is something I can’t answer. However, any mechanism for encrypting individual files (not a boot partition) would have valid documentation from any Linux/Ubuntu document. It is possible you can do that one file at a time if they are not related to boot and are not a partition. I think you will be out of luck trying to do an in-place partition encryption. I can’t guarantee that you can do this one file at a time either, but I suspect it can be done.