Disk Encryption
Disk Encryption is a security feature that protects a whole disk or partition. The data stored on the selected disk is protected with cryptographic keys, so that it can only be decrypted and accessed when the correct key is supplied. If the correct key is not present, the system cannot unlock the data; when the whole root file system is encrypted, this may prevent the system from booting.
There are several Disk Encryption implementations. One example is the Linux Unified Key Setup (LUKS), which is used by several embedded platforms such as NVIDIA Jetson. LUKS encrypts a block device regardless of its content, so it can be used with any file system type. On Jetson platforms, two types of keys are used:
- Master Key: also known as the Disk Encryption Key (DEK). This key is used for data encryption or decryption when data is transferred between the file system and the disk. The key resides in the LUKS header, and is encrypted by the key derived from the passphrase.
- Passphrase (or password): an input string or pattern supplied by the user to set up disk encryption and lock the disk. The same input is used to decrypt and unlock the data stored on the disk.
The implementation on Jetson platforms uses AES-XTS as the cryptographic algorithm for disk encryption, with a key length of 256 bits. This algorithm makes the encrypted data indistinguishable from random data, which minimizes the potential for attack. The entire key derivation process is performed in the secure world.
The way disk encryption works with this implementation is illustrated in the following figure:
This implementation uses a Trusted Application (TA) and Client Application (CA) pair to derive the passphrase used to unlock the encrypted disk. The passphrase derived by the TA is later retrieved and used by the CA. For this reason, OP-TEE is required on Jetson platforms as the TEE in which the TA runs. Specifically, the TA is luks-srv and the CA is nvluks-srv-app, both of which are included in the OP-TEE implementation provided by NVIDIA.
The Disk Encryption process is the following:
- The nvluks-srv-app CA queries the per-device unique passphrase.
- When the luks-srv TA receives the command, it sends a request to jetson_user_key_pta to generate a per-device unique LUKS key. A new key is derived from the EKB disk encryption key.
- The TA uses the LUKS key to generate a passphrase.
- The TA returns the output passphrase to the CA.
- The service is shut down, which ensures that passphrase generation is done only once.
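The two-level key design (a random master key wrapped under a passphrase-derived key and stored in the header) and the per-device passphrase flow above, as an added, simplified model. This is illustrative code, not NVIDIA's luks-srv/nvluks-srv-app code and not cryptsetup's on-disk format; the EKB key value, device identifier, HMAC-based derivation steps and the XOR key wrap are all assumptions standing in for the real algorithms.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed model: real LUKS uses AES-XTS for the data and a full key-slot
# header managed by cryptsetup; here only the key layer is modelled.
PBKDF2_ITERATIONS = 100_000


def derive_device_passphrase(ekb_disk_key: bytes, device_id: bytes) -> bytes:
    """Model of the luks-srv TA flow: a per-device LUKS key is derived from the
    EKB disk encryption key, then a passphrase is generated from that key.
    The HMAC construction and the device_id input are assumptions."""
    luks_key = hmac.new(ekb_disk_key, b"luks-key:" + device_id, hashlib.sha256).digest()
    return hmac.new(luks_key, b"passphrase", hashlib.sha256).hexdigest().encode()


def _kek_from_passphrase(passphrase: bytes, salt: bytes) -> bytes:
    # Key-encryption key derived from the passphrase (LUKS uses PBKDF2 or Argon2).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, dklen=32)


def luks_format(passphrase: bytes) -> Tuple[dict, bytes]:
    """Create a header: a fresh 256-bit master key (DEK) wrapped under the
    passphrase-derived key. Returns (header, dek); the DEK is returned only so
    a caller can verify the model, cryptsetup never exposes it."""
    dek = secrets.token_bytes(32)
    salt = os.urandom(16)
    kek = _kek_from_passphrase(passphrase, salt)
    # Fresh salt per header makes the XOR a one-time-pad wrap (stand-in for AES key wrapping).
    wrapped = bytes(a ^ b for a, b in zip(dek, kek))
    # Digest of the DEK lets unlock detect a wrong passphrase, as LUKS's master-key digest does.
    digest = hashlib.sha256(b"dek-check:" + dek).digest()
    return {"salt": salt, "wrapped_dek": wrapped, "dek_digest": digest}, dek


def luks_open(header: dict, passphrase: bytes) -> Optional[bytes]:
    """Unwrap the DEK with the passphrase; returns None (disk stays locked) on a wrong passphrase."""
    kek = _kek_from_passphrase(passphrase, header["salt"])
    dek = bytes(a ^ b for a, b in zip(header["wrapped_dek"], kek))
    check = hashlib.sha256(b"dek-check:" + dek).digest()
    if not hmac.compare_digest(check, header["dek_digest"]):
        return None
    return dek
```

With this model, the same EKB key and device identifier always reproduce the passphrase, which is why the real flow can regenerate it at every boot without storing it on the disk.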