Dynamic Partition Encryption#
Use this workflow to encrypt a partition at run time—after the device has been flashed and booted—rather than at image-generation time. The device-side helper /usr/sbin/gen_luks.sh converts an existing partition to a LUKS volume and records it in /opt/nvidia/cryptluks so that it is unlocked and mounted on subsequent boots.
Enabling Disk Encryption for Dynamically Created Partitions#
To encrypt a specific partition at run time, use the /usr/sbin/gen_luks.sh tool. This tool updates the /opt/nvidia/cryptluks file in rootfs, which describes the dynamically encrypted block devices that are set up when the system boots.
The following example shows how to use this tool to dynamically encrypt /dev/mmcblk0p16:
1. Find the device that needs to be encrypted:
   $ sudo blkid
   Pick the device you want to encrypt from the output. For example:
   /dev/mmcblk0p16: PARTLABEL="DATA" PARTUUID="1dd895ca-8815-4069-8966-9f796259c13c"
   Note
   Back up all data on this device first: it is wiped when disk encryption is enabled.
2. Create the encrypted partition crypt_DATA from /dev/mmcblk0p16 by running gen_luks.sh:
   $ sudo gen_luks.sh /dev/mmcblk0p16 crypt_DATA
3. When gen_luks.sh asks whether to continue and wipe all data on /dev/mmcblk0p16, answer YES to format /dev/mmcblk0p16. Any other answer stops the process.
4. When gen_luks.sh asks whether to use ext4 as the file system type for the encrypted partition crypt_DATA, answer YES to format the encrypted partition with ext4. If you do not answer YES, you can format /mnt/crypt_DATA with any file system type after rebooting the device.
5. When gen_luks.sh asks whether to reboot the system, answer YES to reboot; the encrypted device is then created at /dev/mapper/crypt_DATA. If you do not answer YES, you must reboot the system later to enable disk encryption for this partition.
After the device reboots, /dev/mapper/crypt_DATA is created, unlocked, and mounted at /mnt/crypt_DATA.
Modifying /opt/nvidia/cryptluks to Unlock Previously Created and Encrypted File Systems#
Each line of /opt/nvidia/cryptluks has the following form:
<device-name> <volume-name> UUID=<uuid> <file-system-type>
- <device-name> is the device name of the encrypted disk; for example, /dev/mmcblk0p16. This name must be unique across all lines in the file.
- <volume-name> is the name of the volume in which decrypted data is to be placed. Its block device is set up in /dev/mapper/. This name must be unique across all lines in the file.
- <uuid> is the UUID of the underlying block device that contains the encrypted data.
- <file-system-type> is the Linux file system type of the encrypted device. To automatically format and mount the encrypted device, only ext4 is supported in initrd.
The following is an example of an entry in /opt/nvidia/cryptluks:
/dev/mmcblk0p16 crypt_DATA UUID=4fb81966-a146-4626-aa14-c221d7715349 ext4
If /opt/nvidia/cryptluks is lost, complete the following steps to recover it:
1. Find the UUID of each encrypted file system:
   $ sudo blkid | grep "crypto_LUKS"
   For each encrypted disk, this command prints a line that includes the disk's UUID, similar to the following example:
   /dev/mmcblk0p16: UUID="4fb81966-a146-4626-aa14-c221d7715349" TYPE="crypto_LUKS" PARTLABEL="UDA" PARTUUID="1dd895ca-8815-4069-8966-9f796259c13c"
2. For each dynamically encrypted file system that you want to unlock during subsequent reboots, add a line to /opt/nvidia/cryptluks that specifies the UUID of the file system to be unlocked, similar to the following:
   /dev/mmcblk0p16 crypt_DATA UUID=4fb81966-a146-4626-aa14-c221d7715349 ext4
   Note
   You can always use ext4 for the last field. When the encrypted disk has previously been unlocked and mounted successfully, the ext4 value is not used.
3. Reboot the device. The encrypted disk is unlocked and mounted at /mnt/crypt_DATA.
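As an added example (not part of the NVIDIA documentation and not code from gen_luks.sh), the following POSIX shell script automates the recovery step above and then checks the result against the file format described earlier: it turns blkid output into cryptluks lines, then verifies that every line has four fields, a UUID= field of the expected length, and device and volume names that are unique across the file. The blkid lines are constructed sample input (only the /dev/mmcblk0p16 line is the page's own example), and the volume-name convention crypt_<PARTLABEL> is an assumption; on a real device pipe the output of sudo blkid into cryptluks_from_blkid and review the lines before writing them to /opt/nvidia/cryptluks.

```shell
#!/bin/sh
# Added example, not code from the NVIDIA documentation or gen_luks.sh.
# Rebuilds /opt/nvidia/cryptluks entries from blkid output and validates them.

# Constructed sample of `sudo blkid` output (the /dev/mmcblk0p16 line is the
# page's own example; the other two devices and UUIDs are made up).
SAMPLE_BLKID='/dev/mmcblk0p1: UUID="6c3e0a8d-1a1b-4e9c-9d51-0c4c3b1d8e55" TYPE="ext4" PARTLABEL="APP" PARTUUID="0fe8a6f9-4c6f-4b9b-a1d7-0a0b0c0d0e0f"
/dev/mmcblk0p16: UUID="4fb81966-a146-4626-aa14-c221d7715349" TYPE="crypto_LUKS" PARTLABEL="UDA" PARTUUID="1dd895ca-8815-4069-8966-9f796259c13c"
/dev/nvme0n1p2: UUID="9a0b1c2d-3e4f-4a5b-8c6d-7e8f9a0b1c2d" TYPE="crypto_LUKS" PARTLABEL="SCRATCH" PARTUUID="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"'

# Read blkid lines on stdin; print one cryptluks line per crypto_LUKS device.
# The volume name crypt_<PARTLABEL> is an assumed convention, not something
# the file format requires; rename volumes as needed before installing.
cryptluks_from_blkid() {
    awk '
        /TYPE="crypto_LUKS"/ {
            dev = $1; sub(/:$/, "", dev)
            uuid = ""; label = "luks"
            # The leading space keeps the match from landing on PARTUUID=.
            if (match($0, / UUID="[^"]*"/))      uuid  = substr($0, RSTART + 7,  RLENGTH - 8)
            if (match($0, / PARTLABEL="[^"]*"/)) label = substr($0, RSTART + 12, RLENGTH - 13)
            if (uuid == "") next
            printf "%s crypt_%s UUID=%s ext4\n", dev, label, uuid
        }'
}

# Read a cryptluks file on stdin; exit 0 if every line has four fields, a
# UUID= field of the right length, and unique device and volume names.
# Otherwise report each problem on stderr and exit 1.
validate_cryptluks() {
    awk '
        NF != 4 { print "bad field count: " $0 > "/dev/stderr"; bad = 1; next }
        $3 !~ /^UUID=/ || length($3) != 41 {
            print "bad UUID field: " $3 > "/dev/stderr"; bad = 1; next }
        seen_dev[$1]++ { print "duplicate device: " $1 > "/dev/stderr"; bad = 1 }
        seen_vol[$2]++ { print "duplicate volume: " $2 > "/dev/stderr"; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone demo: generate entries from the sample and check them.
ENTRIES=$(printf '%s\n' "$SAMPLE_BLKID" | cryptluks_from_blkid)
printf '%s\n' "$ENTRIES"
printf '%s\n' "$ENTRIES" | validate_cryptluks && echo "cryptluks entries look sane"
```

The validator deliberately does not check that each UUID exists on the system, so it can be run on a copy of the file from another machine; run blkid against the file's UUIDs on the device itself before rebooting, because a stale UUID means the volume is simply not unlocked at boot.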