Enable Disk Encryption for IGX Thor

When booting the ISO, select either the Install IGX OS r38vX.Y.Z with Real-time Kernel and Encrypted RootFS for RT Kernel option or the Install IGX OS r38vX.Y.Z with Encrypted RootFS for Non-RT Kernel option. Both install the root file system onto an encrypted (LUKS) partition; encryption is enabled by default for these two options and does not need to be configured separately.

OEM Config Prompt

Enter a user password when the OEM config page prompts for it. This password replaces the initial disk encryption passphrase, l4t_disk_enc. The initial passphrase is a published default, so the root file system is not meaningfully protected until this step has completed.

Caution

GUI mode is NOT supported on IGX 2.0. Do NOT connect a display to the device during setup; if a display is attached, the OEM config page is not shown in headless (text) mode.

Manual Unlocking

After the initial setup is complete, you can unlock the encrypted file system manually every time the system boots: type the passphrase set at install time when prompted.

USB Key Auto-Unlock

This section shows how to use the nv_create_usbkey.sh script to create a USB key that unlocks the encrypted file system automatically at boot.

Creating a USB Key

  1. Insert a USB drive into the device and identify its device name, for example /dev/sda with the partition /dev/sda1. Check with lsblk before going further: the next step destroys whatever is on the device you name, and the internal NVMe disk (/dev/nvme0n1) must not be the target.

  2. Format the USB partition as ext4 by using the mkfs.ext4 command:

    sudo mkfs.ext4 -F /dev/sda1
    
  3. Use the blkid command to find the encrypted partition. Its entry contains the string TYPE="crypto_LUKS", for example /dev/nvme0n1p3.

  4. Run the following command to create a USB key for unlocking the device automatically. The first argument is the USB partition, the second is the encrypted partition:

    sudo nv_create_usbkey.sh /dev/sda1 /dev/nvme0n1p3
    

    During the USB key creation process, you are asked for the current passphrase. The script uses it to unlock the encrypted partition and then adds a new key for the USB key to the LUKS volume; the passphrase itself remains valid.
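The steps above are easy to get wrong in two ways: naming the rootfs disk instead of the USB stick, and not confirming afterwards that a second LUKS key slot was actually added. The following POSIX sh script is an added example, not part of the IGX documentation or of nv_create_usbkey.sh; it wraps the documented nv_create_usbkey.sh call with pre-flight checks on blkid output and a post-check on cryptsetup luksDump output. The device names, the blkid text and the luksDump text embedded below are constructed so the helpers can be exercised offline; the /sys/block/.../removable check in the live path is an assumption about the target system, not something the documentation describes.

```shell
#!/bin/sh
# Added example (not from the IGX documentation): pre-flight checks around the
# documented `nv_create_usbkey.sh <usb-partition> <luks-partition>` call, plus a
# post-check that a second LUKS key slot exists afterwards. All sample data and
# device names below are constructed for offline testing.
set -u

# Constructed `blkid` output: internal NVMe with the LUKS rootfs on p3, and the
# freshly formatted USB key on /dev/sda1.
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="1A2B-3C4D" TYPE="vfat" PARTLABEL="esp"
/dev/nvme0n1p2: UUID="0f1e2d3c" TYPE="ext4" PARTLABEL="APP"
/dev/nvme0n1p3: UUID="9a8b7c6d" TYPE="crypto_LUKS" PARTUUID="4e5f6a7b"
/dev/sda1: UUID="5c4d3e2f" TYPE="ext4"'

# Constructed `cryptsetup luksDump` excerpt for a LUKS2 header with two key
# slots: the install-time passphrase and the key added by nv_create_usbkey.sh.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# Print every partition that blkid reports as TYPE="crypto_LUKS", one per line.
find_luks_parts() {
    printf '%s\n' "$1" | awk -F: '/TYPE="crypto_LUKS"/ { print $1 }'
}

# Strip the partition suffix: /dev/sda1 -> /dev/sda, /dev/nvme0n1p3 -> /dev/nvme0n1.
parent_disk() {
    printf '%s\n' "$1" | sed 's/p\{0,1\}[0-9]\{1,\}$//'
}

# Count the key slots listed under "Keyslots:" in LUKS2 luksDump output.
count_keyslots() {
    printf '%s\n' "$1" | awk '/^Keyslots:/ { in_ks = 1; next }
                              /^[A-Z]/     { in_ks = 0 }
                              in_ks && /^  [0-9]+: luks2/ { n++ }
                              END { print n + 0 }'
}

# Succeed (and print the LUKS partition) only when exactly one crypto_LUKS
# partition exists, the USB target is ext4, and the USB target does not live on
# the same disk as the LUKS volume. Anything else is refused before any command
# that could touch the rootfs disk runs.
check_targets() {
    usb=$1
    blkid_out=$2
    luks=$(find_luks_parts "$blkid_out")
    [ "$(printf '%s\n' "$luks" | grep -c .)" -eq 1 ] ||
        { echo "expected exactly one crypto_LUKS partition" >&2; return 1; }
    printf '%s\n' "$blkid_out" | grep -q "^$usb: .*TYPE=\"ext4\"" ||
        { echo "$usb is not an ext4 partition" >&2; return 1; }
    [ "$(parent_disk "$usb")" != "$(parent_disk "$luks")" ] ||
        { echo "$usb is on the same disk as the LUKS volume" >&2; return 1; }
    printf '%s\n' "$luks"
}

# Live path, run on the device as: sh create_usb_key.sh --create /dev/sda1
create_usb_key() {
    usb=$1
    disk=$(parent_disk "$usb")
    # sysfs "removable" flag (assumed available): refuse non-hot-pluggable media.
    [ "$(cat "/sys/block/$(basename "$disk")/removable" 2>/dev/null)" = "1" ] ||
        { echo "$disk is not a removable device" >&2; return 1; }
    luks=$(check_targets "$usb" "$(sudo blkid)") || return 1
    # Documented command; it prompts for the current passphrase.
    sudo nv_create_usbkey.sh "$usb" "$luks"
    # Two slots are expected afterwards: passphrase + USB key.
    echo "LUKS key slots now: $(count_keyslots "$(sudo cryptsetup luksDump "$luks")")"
}

if [ "${1:-}" = "--create" ] && [ -n "${2:-}" ]; then
    create_usb_key "$2"
fi
```

The slot count is the check worth keeping even if nothing else is: a successful run leaves two enabled slots, and seeing only one after the script reports success means the USB key was not actually enrolled and the device will fall back to prompting for the passphrase.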

Using the USB Key

Reboot the device. You can unlock it in either of two ways:

  • Without the USB key: with the key removed, you are prompted for the passphrase to unlock the encrypted file system.

  • With the USB key: insert the key and press Enter; the device unlocks the encrypted file system automatically.

Note

  1. If the USB key is left inserted, the device unlocks the encrypted file system automatically at every boot without prompting for a passphrase. Possession of the key alone is then sufficient to boot the device, so store it separately from the device when automatic unlock is not needed.

  2. If the key is not inserted at boot, the screen shows “Nothing to read on input.” and some error messages from the cryptsetup tool. These can be ignored: insert the USB key and press Enter, and the unlock process continues.

Limitations and Troubleshooting

The following limitations and troubleshooting steps apply to the USB key auto-unlock feature:

  • A device can create only one USB key. Any further attempt is blocked with the message “USB key already created before.”

  • If the USB key content is not correct, the unlock service keeps retrying to unlock the encrypted disk and eventually drops into emergency mode. To recover, use a backup USB key instead, or reboot the system and enter the passphrase to unlock the encrypted file system.