Disk Encryption

From RidgeRun Developer Wiki


NVIDIA partner logo NXP partner logo






Disk Encryption

Disk Encryption is a security feature that allows the protection of a whole disk or partition. It protects the data stored in the selected disk by using cryptographic keys to ensure that the data can only be decrypted and accessed if the correct key is used. If the correct key is not present, the system will not be able to unlock the data. In cases where the whole root file system is encrypted, this may prevent the system from booting.

There are several Disk Encryption implementations, an example is the Linux Unified Key Setup (LUKS), which is used by several embedded platforms such as NVIDA Jetson. LUKS encrypts a block device regardless of its content to be used for any file system type.

The concept of Disk Encryption can be divided between Full Disk Encryption (FDE) and Filesystem level encryption. In the case of full disk encryption, the whole disk is encrypted with a single key. This means that once the disk is decrypted, a user can access all of the disk contents. On the other hand, filesystem-level encryption allows encrypting specific parts of the disk or individual files. It is possible to have multiple parts of a disk encrypted with filesystem-level encryption, using different keys. For this reason, it is recommended to combine FDE and filesystem-level encryption to achieve a more secure system, and use different keys for the full encryption and each individual part to be encrypted.

In some systems that include a TPM, this secure crypto processor can be used to authenticate the device. This means that if the TPM is used to decrypt a disk when the system is booted, the disk is essentially linked to the device. If the disk is removed from the system, the decryption process will not be possible.

Example: NVIDIA Jetson

In the case of Jetson platforms, two types of keys are used for the Disk Encryption Implementation:

  • Master Key: also known as the Disk Encryption Key (DEK). This key is used for data encryption or decryption when data is transferred between the file system and the disk. The key resides in the LUKS header and is encrypted by the key derived from the passphrase.
  • Passphrase: or password is an input string or pattern supplied by the user to set up disk encryption and lock the disk. The same input is used to decrypt and unlock data stored on the disk.

The implementation in Jetson platforms uses AES-XTS as the cryptographic algorithm for disk encryption, with a key length of 256 bits. This algorithm makes the encrypted data look completely random, minimizing the potential for attack. The entire key derivation process is performed in the secure world.

The way disk encryption works with this implementation is illustrated in the following figure:

Fig 1. Disk Encryption Process in Jetson Platforms. Extracted from link

This implementation uses a Trusted Application and a Client Application pair to derive the passphrase used to unlock the encrypted disk. The passphrase derived by the TA is later retrieved and used by the CA. For this reason, using OP-TEE is required in Jetson platforms to use TEE. Specifically, the TA used is luks-srv, and the CA is nvluks-srv-app, both of which are included in the OP-TEE implementation provided by NVIDIA.

The Disk Encryption process is as follows:

  1. The nvluks-srv-app CA queries the per-device unique passphrase.
  2. When the luks-srv TA receives the command, it sends a request to jetson_user_key_pta to generate a unique LUKS key per device. The new key is derived from the EKB disk encryption key.
  3. The TA uses the LUKS key to generate a passphrase.
  4. The TA returns the output passphrase to the CA.
  5. The service is shut down, ensuring passphrase generation is done only once.

Disk Encryption limitations

The purpose of disk encryption is to prevent an attack from stealing or tampering with data on the disk. Even if the disk is physically unmounted (or, in the case of an internal device, such as an eMMC, is removed from the device), the data cannot be exposed or retrieved.

Due to the way it works, disk encryption cannot protect against the following types of threats:

  • A background process or daemon that has a security hole. An attacker may use the hole to gain control of the process and access the disk.
  • Theft or leakage of the login ID and password. An attacker can use these credentials to log in to the device and access the disk.