
Security Features-Disk Encryption

From RidgeRun Developer Wiki


Disk Encryption

Storage Encryption

Qualcomm Linux includes hardware cryptographic acceleration through the Crypto Engine and the Inline Crypto Engine (ICE). For storage encryption use cases, ICE provides hardware support for the AES-128 and AES-256 algorithms in ECB and XTS modes, enabling high-throughput encryption of storage data. Storage encryption solutions such as fscrypt use this hardware acceleration to improve the performance and security of encrypted storage implementations. The Linux kernel crypto driver (qcrypto) exposes the hardware cryptography to the kernel, independent of any trusted application.

Qualcomm Linux provides storage encryption through the combination of the Inline Crypto Engine (ICE) and hardware-wrapped keys, enabling transparent encryption of files and directories. The implementation supports content encryption keys ranging from 32 to 64 bytes, uses separate keys for file contents and filenames, and can generate 32-byte key identifiers. This functionality is integrated with the Linux fscrypt API through the new Qualcomm universal flash storage (UFS) driver.

fscrypt

fscrypt is the kernel component through which the storage encryption functionality is invoked. It is a library that filesystems hook into to support transparent encryption of files and directories. fscrypt operates at the filesystem level rather than at the block-device level, so different directory trees can be protected with different encryption keys and unencrypted files can coexist in the same filesystem; on multi-user systems this lets each user's data be cryptographically isolated from the other users' data. fscrypt does not encrypt filesystem metadata other than filenames. It is integrated directly into supported filesystems such as ext4 and F2FS, both of which are supported on the Dragonwing IQ-9075.

fscrypt does not encrypt existing files or directories. Instead, encryption is enabled by applying an encryption policy to an empty directory. Once the corresponding key is provided from userspace, all files, subdirectories, and symbolic links subsequently created within that directory tree are automatically and transparently encrypted. fscrypt is designed to protect data by encrypting file contents and filenames while preserving normal filesystem operation. It supports modern encryption schemes, per-file key derivation, multiple encryption policies, and hardware acceleration through Linux's inline encryption framework. It can leverage the Inline Crypto Engine (ICE) through the UFS storage driver to perform inline encryption of file contents. By offloading cryptographic operations to dedicated hardware, the platform reaches higher storage encryption throughput while reducing CPU utilization.

To simplify the management of encrypted directories and encryption keys, Linux provides userspace tools such as fscryptctl. These tools allow users to configure encryption policies, provision encryption keys, unlock encrypted directory trees, and query encryption status without directly interacting with kernel APIs. On Qualcomm Linux, fscrypt integrates with the UFS driver and the Inline Crypto Engine (ICE), enabling hardware-accelerated storage encryption and support for hardware-wrapped keys that provide additional protection against key exposure.

You can read more about fscrypt in the Linux kernel's official documentation.
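The fscryptctl workflow described above (provision a key, apply a policy to an empty directory, query the result), as an added example that is not part of the original page or of the fscryptctl project. It assumes fscryptctl is on the PATH, the target filesystem is ext4 or F2FS mounted with the inlinecrypt option, and the script runs as root; the mount point, directory and key-file paths are placeholders. It provisions a raw 64-byte key, the size fscrypt uses for its default AES-256-XTS contents mode; provisioning of hardware-wrapped keys is not shown.

```shell
#!/bin/sh
# Added example (not from the RidgeRun wiki or the fscryptctl project).
# Assumes: fscryptctl installed, root privileges, an ext4/F2FS filesystem
# mounted with -o inlinecrypt. All paths below are placeholders.

KEY_BYTES=64   # raw key size for AES-256-XTS, fscrypt's default contents mode

# Return 0 when FILE exists and is exactly KEY_BYTES long, 1 otherwise.
# fscryptctl add_key rejects keys of the wrong size, so check before use.
key_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    n=$(wc -c < "$f" | tr -d ' ')
    [ "$n" -eq "$KEY_BYTES" ]
}

# Write KEY_BYTES of kernel randomness to FILE, readable by the owner only.
gen_raw_key() {
    f=$1
    ( umask 077; head -c "$KEY_BYTES" /dev/urandom > "$f" ) || return 1
    key_file_ok "$f"
}

# Load the raw key into the filesystem keyring of MOUNTPOINT. fscryptctl
# reads the key from stdin and prints the key identifier (hex) that later
# policy commands refer to. The keyring does not survive a reboot, so the
# raw key has to be re-added from a protected store at every boot.
add_key_to_fs() {
    key_file=$1; mnt=$2
    key_file_ok "$key_file" || { echo "bad key file: $key_file" >&2; return 1; }
    fscryptctl add_key "$mnt" < "$key_file"
}

# fscrypt only encrypts files created after the policy is set, so the policy
# must go on an empty directory; refuse anything else rather than leave
# plaintext files sitting next to encrypted ones.
set_policy_on_empty_dir() {
    key_id=$1; dir=$2
    mkdir -p "$dir" || return 1
    if [ -n "$(ls -A "$dir")" ]; then
        echo "refusing: $dir is not empty; existing files would stay unencrypted" >&2
        return 1
    fi
    fscryptctl set_policy "$key_id" "$dir" || return 1
    fscryptctl get_policy "$dir"
}

# Full flow, run only when a mount point and target directory are given:
#   sh fscrypt_setup.sh /var /var/secure-data [/run/fscrypt-raw.key]
if [ $# -ge 2 ]; then
    MNT=$1; DIR=$2
    KEY_FILE=${3:-/run/fscrypt-raw.key}   # tmpfs: the raw key is not kept on disk
    gen_raw_key "$KEY_FILE" || exit 1
    KEY_ID=$(add_key_to_fs "$KEY_FILE" "$MNT") || exit 1
    set_policy_on_empty_dir "$KEY_ID" "$DIR" || exit 1
    fscryptctl key_status "$KEY_ID" "$MNT"
fi
```

The key is generated into a tmpfs path on purpose: once added to the kernel keyring it is no longer needed in the filesystem, and leaving a raw key on the same storage it protects defeats the point. Files created under the directory afterwards are encrypted transparently, and `fscryptctl key_status` reports whether the key is currently present.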

Inline Encryption

Storage encryption in Qualcomm Linux is implemented using Linux's inline encryption framework (blk-crypto), which allows encryption and decryption operations to be performed directly in the storage path. Instead of relying exclusively on software cryptography, inline encryption hardware operates between system memory and the storage device, processing data transparently as it is written to or read from storage.

On the Dragonwing IQ-9075, the Inline Crypto Engine (ICE) provides hardware acceleration for storage encryption. Through integration with the UFS storage and the Linux block layer, encryption parameters such as keys, algorithms, and data unit sizes can be applied for each read and write request. When hardware acceleration is unavailable, Linux can optionally fall back to software-based encryption through the kernel cryptographic framework while maintaining the same on-disk data format.

The inline encryption framework also supports hardware-wrapped keys, which improves key protection by ensuring that encryption keys are never exposed in plain text to software. Instead, keys remain encrypted and can only be unwrapped and used by dedicated hardware. This helps mitigate attacks that attempt to extract encryption keys from system memory, such as cold boot attacks or memory vulnerabilities.

On Qualcomm Linux, fscrypt integrates with UFS storage and the Inline Crypto Engine (ICE) to provide transparent filesystem encryption with hardware acceleration. Combined with hardware-wrapped keys, this implementation improves storage security while maintaining system performance.

You can read more about inline encryption in the Linux kernel's official documentation.

Verify Encryption Status

Info
Disk encryption is enabled by default when building Qualcomm Linux 1.8; no action is needed to enable it.


The qcrypto driver, fscryptctl, and the Inline Crypto Engine (ICE) are already included in the kernel sources built in the Qualcomm Linux 1.8 image. You can verify the qcrypto driver status by running the following command:

dmesg | grep -i qcrypto

Expected output:

[    3.741056][  T466] qcrypto 1dfa000.crypto: Adding to iommu group 0

Verify that cryptographic algorithms are registered through the Linux Crypto API:

cat /proc/crypto | grep -i -A5 qcrypto

Expected output:

module       : qcrypto
priority     : 275
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
...

Verify that the storage device has the Inline Crypto Engine (ICE):

ls /sys/block/sda/queue/crypto

Expected output:

hw_wrapped_keys  max_dun_bits  modes  num_keyslots

Verify that the filesystem is mounted with inline encryption support:

mount | grep inlinecrypt

Expected output:

/dev/sda3 on /sysroot type ext4 (rw,relatime,inlinecrypt)
/dev/sda3 on / type ext4 (rw,relatime,inlinecrypt)
/dev/sda3 on /usr type ext4 (ro,relatime,inlinecrypt)
/dev/sda3 on /var type ext4 (rw,relatime,inlinecrypt)
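The four checks above collected into one script, as an added example that is not part of the RidgeRun page. The parsing functions read their input from stdin so they can be run against captured output as well as the live board; with the `--live` argument the script runs them against dmesg, /proc/crypto, sysfs and mount. The device name sda and the expectation that every ext4/F2FS mount carries inlinecrypt are taken from the page's expected output; the /proc/crypto stanza layout is assumed from the kernel's own format. It goes a little beyond the page's grep commands: it fails if any ext4/F2FS mount lacks inlinecrypt (the page's `mount | grep inlinecrypt` only lists the ones that have it), and it requires the qcrypto self-tests to have passed rather than merely the module to be present.

```shell
#!/bin/sh
# Added example, not from the RidgeRun wiki: a health check for the hardware
# storage-encryption path on Qualcomm Linux. "sda" and the mount layout come
# from the page's expected output; the /proc/crypto format is assumed from the
# kernel (blank-line separated "key : value" stanzas).

# 0 when /proc/crypto (on stdin) has at least one algorithm from module
# qcrypto and none of those entries reports a failed self-test.
check_qcrypto_selftests() {
    awk '
        /^module *: qcrypto$/                 { inq = 1 }
        inq && /^selftest *: passed$/         { ok++ }
        inq && /^selftest *: / && !/passed$/  { bad++ }
        /^$/                                  { inq = 0 }
        END { exit !(ok > 0 && bad == 0) }'
}

# 0 when every ext4/F2FS mount listed on stdin (mount(8) output format)
# carries the inlinecrypt option. Fields: dev on mountpoint type fstype (opts)
check_inlinecrypt_mounts() {
    awk '
        $5 == "ext4" || $5 == "f2fs" {
            total++
            if ($6 ~ /[(,]inlinecrypt[,)]/) ok++
        }
        END { exit !(total > 0 && ok == total) }'
}

# 0 when the block device advertises blk-crypto capability in sysfs and lists
# at least one supported mode under modes/. DEV defaults to sda.
check_ice_sysfs() {
    dir=/sys/block/${1:-sda}/queue/crypto
    [ -d "$dir" ] || return 1
    [ -n "$(ls -A "$dir/modes" 2>/dev/null)" ]
}

# Live run on the target:  sh encryption_check.sh --live [DEV]
if [ "${1:-}" = "--live" ]; then
    dev=${2:-sda}
    rc=0
    dmesg | grep -qi 'qcrypto' \
        || { echo "FAIL: qcrypto probe message not found in dmesg"; rc=1; }
    check_qcrypto_selftests < /proc/crypto \
        || { echo "FAIL: qcrypto algorithms missing or a self-test failed"; rc=1; }
    check_ice_sysfs "$dev" \
        || { echo "FAIL: no blk-crypto (ICE) capability on $dev"; rc=1; }
    if [ -e "/sys/block/$dev/queue/crypto/hw_wrapped_keys" ]; then
        echo "INFO: hardware-wrapped keys supported on $dev"
    fi
    mount | check_inlinecrypt_mounts \
        || { echo "FAIL: an ext4/f2fs mount is missing the inlinecrypt option"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: hardware storage encryption path verified"
    exit "$rc"
fi
```

A mount without inlinecrypt is not an error from the kernel's point of view: fscrypt still works there, but file contents are encrypted by the software fallback instead of ICE, so the check treats it as a configuration regression worth flagging.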
