What is the approach to encrypt a data partition instead of full disk encryption?

We are not ready yet to roll out secure boot and full disk encryption, and are more concerned at this time about implementing encryption at rest for our data partition (footage that has been captured from onboard cameras).

As I understand it so far (which is not much), we hope to use LUKS to encrypt our data partition (which lives on an NVMe disk on our product). The main question is what are the pieces that we need to manage in order to make sure the Security Engine accelerates the access to this partition?

Thanks

Hi,
Please check the content in the developer guide.

There are two partitions in the layout. One is the unencrypted APP and the other is the encrypted APP_ENC. So you can put the data in the APP_ENC partition for protection.

Thanks, but this answer is in the context of the existing documentation, which if I understand it correctly (it is not explicitly stated) we can use only upon turning on secure boot.

I explicitly stated we want to just encrypt a data partition instead of rootfs while avoiding doing the work of updating our production process to enable secure boot.

However, it’s dawning on me that the requirement of secure boot will most likely be the same to encrypt a data partition in this “proper” way, so I totally get that this question comes across as confusing.

Can we use LUKS on a production Jetson to interface with an encrypted data partition without enabling secure boot?

Let’s start there.

We will send the key to this edge device over the network from a server.

Hi,
You don’t need to enable secure boot along with disk encryption. There is a similar query in
Why the initrd_flash can encrypt the disk without SBKPKC mode - #5 by lhoang

You may check if this can be applied to your use case: doing disk encryption without secure boot.
