Disk Encryption#

Applies to Jetson AGX Orin, the Jetson Orin NX series, the Jetson Orin Nano series, and the Jetson Thor series.

Disk encryption encrypts a whole disk or partition to protect the data it contains. NVIDIA® Jetson™ Linux offers disk encryption that is based on Linux Unified Key Setup (LUKS) data-at-rest encryption. LUKS provides a standard on-disk format that stores all of the setup information needed to unlock the volume in the partition header. The passphrase that unlocks the encrypted disk is not stored in the filesystem: the luks-srv Trusted Application (TA) running in Jetson OP-TEE generates it at boot time, so unlocking depends on the key material provisioned to the TA rather than on a passphrase a user types.

The following topics cover the full feature: concepts and threat model, the partition layout that enables an encrypted rootfs, the developer workflow for creating and flashing an encrypted rootfs (including UDA-only and initrd customization), runtime encryption of additional partitions, and the manufacturing workflow for mass flashing with a generic key.

Quick Guide#

This section provides information about how to enable disk encryption.

  1. Set up the host machine.

    • We recommend using Ubuntu 22.04.

    • Ensure that you have the following packages:

      $ sudo apt-get install python3-cryptography python3-cffi-backend libxml2-utils
      $ sudo apt-get install cryptsetup python3-pycryptodome python3-crypto
      
  2. Enable disk encryption.

    1. For an example of a layout configuration, refer to Layout of an Encrypted Disk.

      Note

      To enable disk encryption for a specific partition, set encrypted="true" on that partition's element in the layout configuration file; partitions without this attribute are flashed unencrypted.

    2. Prepare the disk encryption key and eks_<platform>.img.

      Note

      To replace the sample key, refer to Tool for EKB Generation.

    3. Set environment variable ROOTFS_ENC=1 in the l4t_initrd_flash.sh command line to generate and flash rootfs/UDA partition images that have disk encryption enabled:

      Note

      • To enable disk encryption, ROOTFS_ENC=1 must be specified.

      • The device must be connected to the host machine.

  3. (Optional) To enable disk encryption for dynamically created partitions, you can refer to Enabling Disk Encryption for Dynamically Created Partitions.

  4. (Optional) To enable disk encryption for manufacturing, you can refer to Manufacturing Process.

The following example enables disk encryption for rootfs on the Jetson AGX Orin developer kit:

  1. Check the Linux_for_Tegra/bootloader/generic/cfg/flash_t234_qspi_sdmmc_enc_rfs.xml file and ensure the attribute encrypted is set to true in APP_ENC.

  2. Generate disk_enc.key. Its contents must match the sym_key2 key embedded in eks_<platform>.img, because the host tools encrypt the image with disk_enc.key while the luks-srv TA derives the unlock passphrase from the key provisioned in the EKB; if the two differ, the device cannot unlock the rootfs at boot.

  3. To enable disk encryption, use the command sudo ROOTFS_ENC=1 ./flash.sh -i "./disk_enc.key" jetson-agx-orin-devkit internal.

The following example enables disk encryption for rootfs on the Jetson AGX Thor developer kit:

  1. Check the Linux_for_Tegra/tools/kernel_flash/flash_l4t_t264_nvme_rootfs_enc.xml file and ensure the attribute encrypted is set to true in APP_ENC.

  2. Generate disk_enc.key. Its contents must match the sym_key2 key embedded in eks_<platform>.img, because the host tools encrypt the image with disk_enc.key while the luks-srv TA derives the unlock passphrase from the key provisioned in the EKB; if the two differ, the device cannot unlock the rootfs at boot.

  3. To enable disk encryption, use the command sudo ROOTFS_ENC=1 ./l4t_initrd_flash.sh -i "./disk_enc.key" jetson-agx-thor-devkit internal.
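The two procedures above share the same preconditions: the target partition must carry encrypted="true" in the layout file, and disk_enc.key must be a usable key before ROOTFS_ENC=1 is passed to the flash tool. The following preflight script is an added example written for this page; it is not part of the Jetson Linux tools. It assumes (the page does not state this) that disk_enc.key holds a single line of 32 or 64 hex digits (an AES-128 or AES-256 key), and it checks a constructed layout fragment shaped like flash_t234_qspi_sdmmc_enc_rfs.xml rather than the real file. It prints the flash command it would run and never flashes anything.

```shell
#!/bin/sh
# Added preflight check for the disk-encryption quick guide (example code,
# not part of NVIDIA's Jetson Linux tools). Verifies, before running
# flash.sh / l4t_initrd_flash.sh with ROOTFS_ENC=1, that the layout marks the
# target partition encrypted and that disk_enc.key looks like a usable key.
#
# Assumption (not stated on the page): disk_enc.key is one line of hex digits,
# 32 chars (AES-128) or 64 chars (AES-256), with nothing else in the file.

# Return 0 if the <partition name="NAME" ...> start tag in LAYOUT carries
# encrypted="true". Attribute order does not matter; the tag must be on one
# line, which is how the shipped layout files are written.
layout_partition_is_encrypted() {
    layout="$1"; name="$2"
    tag=$(grep -E "<partition[^>]*name=\"$name\"" "$layout" | head -n 1)
    [ -n "$tag" ] || return 1
    printf '%s\n' "$tag" | grep -qE 'encrypted="true"'
}

# Return 0 if KEYFILE is exactly one line of 32 or 64 hex digits.
disk_enc_key_is_valid() {
    keyfile="$1"
    [ -f "$keyfile" ] || return 1
    lines=$(wc -l < "$keyfile" | tr -d ' ')
    [ "$lines" -le 1 ] || return 1
    key=$(tr -d '\n' < "$keyfile")
    printf '%s\n' "$key" | grep -qE '^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})$'
}

# Run both checks for BOARD and print the flash command that would follow.
# TOOL defaults to ./flash.sh (Orin, internal storage); pass
# ./l4t_initrd_flash.sh for the Thor example. Nothing is flashed here.
preflight() {
    layout="$1"; keyfile="$2"; board="$3"; tool="${4:-./flash.sh}"
    if ! layout_partition_is_encrypted "$layout" APP_ENC; then
        echo "error: APP_ENC is not marked encrypted=\"true\" in $layout" >&2
        return 1
    fi
    if ! disk_enc_key_is_valid "$keyfile"; then
        echo "error: $keyfile is not a single line of 32 or 64 hex digits" >&2
        return 1
    fi
    echo "ok: sudo ROOTFS_ENC=1 $tool -i \"$keyfile\" $board internal"
}

# Constructed layout fragment (not the real flash_t234_qspi_sdmmc_enc_rfs.xml):
# APP stays plain, APP_ENC is the encrypted rootfs partition.
make_sample_layout() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<partition_layout version="01.00.0000">
  <device type="sdmmc_user" instance="3">
    <partition name="APP" type="data">
      <allocation_policy> sequential </allocation_policy>
    </partition>
    <partition name="APP_ENC" type="data" encrypted="true">
      <allocation_policy> sequential </allocation_policy>
    </partition>
  </device>
</partition_layout>
EOF
}

# Stand-alone demo: generate a fresh 128-bit key and dry-run the Orin example.
tmp=$(mktemp -d)
make_sample_layout "$tmp/layout.xml"
head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$tmp/disk_enc.key"
printf '\n' >> "$tmp/disk_enc.key"
preflight "$tmp/layout.xml" "$tmp/disk_enc.key" jetson-agx-orin-devkit
rm -rf "$tmp"
```

Keep the generated disk_enc.key out of version control and treat it as you would the EKB key material: it is the value that must also be provisioned as sym_key2 in eks_<platform>.img, so anyone holding it can unlock every device flashed with that image.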