Which passphrase to use with disk encryption

I used disk encryption on a Jetson Orin NX following the guide. Everything works, but I want to create custom keys to unlock the device with a USB drive. How can I get the master passphrase to create new keys, or is there another method to do this?

Hello bolobolbfmv,

I just want to double-confirm that you're going to enable Disk Encryption on an external storage device.

I want to use a passphrase or key file from a USB device when the Jetson boots. Currently it decrypts the partition and opens the login screen using its own decryption method. I tried to create a LUKS partition, but when I add it to fstab or crypttab I see a black screen after the boot logo, without any output logs.

Hello bolobolbfmv,

Let me double-confirm:
is the passphrase (or key file) for disk encryption? And have you stored it as plain text on a USB device?

Okay, I'll explain it step by step.
I created a partition next to the root file system.

  1. Create the LUKS partition:
     sudo cryptsetup luksFormat /dev/sda3
  2. Generate a keyfile:
     dd if=/dev/urandom bs=1 count=256 > 85125e5e-7bc4-11ec-afea-67650910c179.lek
  3. Add the keyfile to the LUKS partition:
     sudo cryptsetup luksAddKey /dev/sda3 85125e5e-7bc4-11ec-afea-67650910c179.lek
  4. Add the entry to /etc/crypttab:
     sda3_crypt UUID=b9570e0f-3bd3-40b0-801f-ee20ac460207 85125e5e-7bc4-11ec-afea-67650910c179 luks,discard,keyscript=/bin/luksunlockusb
  5. Create a script that checks the USB device for the keyfile, and move it to /bin/luksunlockusb:
     cat << "END" > luksunlockusb
     #!/bin/sh
     # Keyscript run by cryptsetup at boot. CRYPTTAB_KEY holds the third
     # crypttab field (the key name); the keyfile is printed on stdout.
     set -e
     if [ ! -e /mnt ]; then
         mkdir -p /mnt
         sleep 3
     fi
     # Try the first partition of every USB disk for <keyname>.lek.
     for usbpartition in /dev/disk/by-id/usb-*-part1; do
         usbdevice=$(readlink -f "$usbpartition")
         if mount -t vfat "$usbdevice" /mnt 2>/dev/null; then
             if [ -e "/mnt/$CRYPTTAB_KEY.lek" ]; then
                 cat "/mnt/$CRYPTTAB_KEY.lek"
                 umount "$usbdevice"
                 exit
             fi
             umount "$usbdevice"
         fi
     done
     # No keyfile on any USB stick: fall back to an interactive passphrase prompt.
     /lib/cryptsetup/askpass "Insert USB key and press ENTER: "
     END
  6. Update the initramfs to apply the changes:
     sudo update-initramfs -u
     and reboot the device.

After that, reboot Ubuntu; at boot, cryptsetup asks for the passphrase, which I can type on the keyboard, or I insert the USB flash device and it unlocks the partition.
These steps work on basic Ubuntu 20.0 and Ubuntu 22.0.
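A pre-reboot sanity check, added here as an example and not part of bolobolbfmv's post or NVIDIA's documentation. It assumes the layout used in the steps above: a crypttab line of the form `<name> UUID=<uuid> <keyname> <options>,keyscript=<path>`, and a keyscript that looks for `<usb mount>/<keyname>.lek`. The helper functions parse the crypttab entry, confirm the keyfile the keyscript will search for is present on the mounted USB stick with the 256 bytes the dd step produces, and confirm the keyscript is executable; `verify_keyfile_opens_luks` is the one live check (root plus a real LUKS device) and is not run automatically. The file names and UUID in `demo` are the ones from the post, the temporary paths are constructed.

```shell
#!/bin/sh
# Pre-reboot consistency check for a USB-keyfile crypttab entry (added example).
# Assumptions: crypttab format "<name> UUID=<uuid> <keyname> <options>,keyscript=<path>"
# and a keyscript that reads <usb mount>/<keyname>.lek, as in the post above.

# Third column (key name) of the crypttab entry for mapping $2 in file $1.
crypttab_key_for() {
    awk -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# Value of the keyscript= option for mapping $2 in crypttab file $1.
crypttab_keyscript_for() {
    awk -v name="$2" '$1 == name {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^keyscript=/) { sub(/^keyscript=/, "", opt[i]); print opt[i]; exit }
    }' "$1"
}

# Verify the keyfile the keyscript will look for exists on the USB mount ($3)
# and is the 256 bytes produced by the dd step.
# Returns 0 ok, 1 no crypttab entry, 2 keyfile missing, 3 wrong size.
check_usb_keyfile() {
    crypttab=$1; name=$2; usbmount=$3
    key=$(crypttab_key_for "$crypttab" "$name")
    if [ -z "$key" ]; then echo "no crypttab entry for $name"; return 1; fi
    keyfile="$usbmount/$key.lek"
    if [ ! -f "$keyfile" ]; then echo "keyfile missing: $keyfile"; return 2; fi
    size=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$size" -ne 256 ]; then echo "keyfile $keyfile is $size bytes, expected 256"; return 3; fi
    echo "ok: $keyfile"
    return 0
}

# Verify the keyscript named in crypttab exists and is executable; cryptsetup
# only executes it at boot, so a missing execute bit would surface only then.
# Returns 0 ok, 1 no keyscript option, 2 not executable.
check_keyscript() {
    script=$(crypttab_keyscript_for "$1" "$2")
    if [ -z "$script" ]; then echo "no keyscript option for $2"; return 1; fi
    if [ ! -x "$script" ]; then echo "keyscript not executable: $script"; return 2; fi
    echo "ok: $script"
    return 0
}

# Live check (needs root and a real LUKS device $1): confirm keyfile $2 unlocks
# the device without mapping it. Not run automatically.
verify_keyfile_opens_luks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Demonstration on constructed files in a temporary directory (run with --demo).
demo() {
    tmp=$(mktemp -d)
    # Constructed crypttab entry using the names from the post; the keyscript
    # path is redirected into the temp dir so the check does not touch /bin.
    printf 'sda3_crypt UUID=b9570e0f-3bd3-40b0-801f-ee20ac460207 85125e5e-7bc4-11ec-afea-67650910c179 luks,discard,keyscript=%s/luksunlockusb\n' "$tmp" > "$tmp/crypttab"
    mkdir -p "$tmp/usb"
    dd if=/dev/urandom bs=1 count=256 of="$tmp/usb/85125e5e-7bc4-11ec-afea-67650910c179.lek" 2>/dev/null
    printf '#!/bin/sh\n' > "$tmp/luksunlockusb"; chmod +x "$tmp/luksunlockusb"
    check_usb_keyfile "$tmp/crypttab" sda3_crypt "$tmp/usb"
    check_keyscript "$tmp/crypttab" sda3_crypt
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `check_usb_keyfile /etc/crypttab sda3_crypt /mnt` with the stick mounted and `check_keyscript /etc/crypttab sda3_crypt` before `update-initramfs -u`; a name mismatch between the crypttab key field and the `.lek` file is caught here rather than at the boot prompt.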

Hello bolobolbfmv,

Did you enable Jetson security? Is it a key file for a specific partition only (i.e. sda3 in your use case)?
See also Trusted Application and Client Application Development.