Disk Encryption

From RidgeRun Developer Wiki
Revision as of 20:07, 14 March 2025 by Cjimenez

Disk Encryption is a security feature that protects a whole disk or partition. The data stored on the selected disk is protected with cryptographic keys, so that it can only be decrypted and accessed when the correct key is supplied. Without the correct key the system cannot unlock the data; when the whole root file system is encrypted, this may prevent the system from booting.

There are several Disk Encryption implementations; one example is the Linux Unified Key Setup (LUKS), which is used by several embedded platforms such as NVIDIA Jetson. LUKS encrypts a block device regardless of its content, so it can be used with any file system type. On Jetson platforms, two types of keys are used:

  • Master Key: also known as the Disk Encryption Key (DEK). This key encrypts and decrypts data as it is transferred between the file system and the disk. The key resides in the LUKS header, where it is stored encrypted under a key derived from the passphrase.
  • Passphrase: also called the password, an input string or pattern supplied by the user to set up disk encryption and lock the disk. The same input is used to decrypt and unlock the data stored on the disk.

The implementation in Jetson platforms uses AES-XTS as the cryptographic algorithm for disk encryption, with a key length of 256 bits. This algorithm produces ciphertext that is indistinguishable from random data, minimizing the potential for attack. The entire key derivation process is performed in the secure world.

The way disk encryption works with this implementation is illustrated in the following figure:

Fig 1. Disk Encryption process in Jetson Platforms. Extracted from link

This implementation uses a Trusted Application (TA) and Client Application (CA) pair to derive the passphrase that unlocks the encrypted disk. The passphrase derived by the TA is later retrieved and used by the CA. For this reason, OP-TEE is required on Jetson platforms in order to use the TEE. Specifically, the TA is luks-srv and the CA is nvluks-srv-app, both of which are included in the OP-TEE implementation provided by NVIDIA.

The Disk Encryption process is the following:

  1. The nvluks-srv-app CA queries the per-device unique passphrase.
  2. When the luks-srv TA receives the command, it sends a request to jetson_user_key_pta to generate a per-device unique LUKS key. A new key is derived from the EKB disk encryption key.
  3. The TA uses the LUKS key to generate a passphrase.
  4. The TA returns the output passphrase to the CA.
  5. The service is shut down, which ensures that passphrase generation is done only once.
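The key hierarchy described above (a per-device passphrase derived from the EKB key, then a DEK kept wrapped in the LUKS header under a passphrase-derived key) can be modelled end to end. The following is an added example, not code from the RidgeRun wiki or from NVIDIA's luks-srv: the EKB key and device identifiers are constructed values, HMAC-SHA256 stands in for NVIDIA's undocumented passphrase KDF, PBKDF2 stands in for LUKS's KDF, and an HMAC counter keystream stands in for the cipher that wraps the DEK (the data cipher, AES-XTS, is not modelled).

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the EKB disk encryption key and two device IDs.
EKB_DISK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
DEVICE_A, DEVICE_B = b"ecid-device-A", b"ecid-device-B"

def derive_passphrase(ekb_key: bytes, device_id: bytes) -> bytes:
    # Model of the TA step (per-device passphrase from the EKB key). HMAC-SHA256
    # is an assumption; the page does not describe NVIDIA's actual KDF.
    return hmac.new(ekb_key, b"luks-passphrase|" + device_id, hashlib.sha256).digest()

def _kek(passphrase: bytes, salt: bytes) -> bytes:
    # Key-encryption key from the passphrase (PBKDF2 as a stand-in for LUKS's KDF).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter keystream, used only to wrap/unwrap the 32-byte DEK.
    # It stands in for the cipher and is NOT AES-XTS; XOR makes it symmetric.
    out = bytearray()
    for i, pos in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, b"wrap" + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[pos:pos + 32], ks))
    return bytes(out)

def luks_format(passphrase: bytes):
    # Header holds a random DEK wrapped under the passphrase-derived KEK, plus a
    # digest so a wrong passphrase is detected instead of yielding garbage.
    dek, salt = os.urandom(32), os.urandom(16)
    header = {"salt": salt,
              "wrapped_dek": _xor_stream(_kek(passphrase, salt), dek),
              "dek_digest": hmac.new(dek, b"dek-check", hashlib.sha256).digest()}
    return header, dek

def luks_open(header: dict, passphrase: bytes):
    # Unwrap the DEK; None when the passphrase is wrong (data stays locked).
    dek = _xor_stream(_kek(passphrase, header["salt"]), header["wrapped_dek"])
    check = hmac.new(dek, b"dek-check", hashlib.sha256).digest()
    return dek if hmac.compare_digest(check, header["dek_digest"]) else None

def change_passphrase(header: dict, old: bytes, new: bytes) -> bool:
    # Re-wrap the unchanged DEK under a new passphrase: no data re-encryption.
    dek = luks_open(header, old)
    if dek is None:
        return False
    header["salt"] = os.urandom(16)
    header["wrapped_dek"] = _xor_stream(_kek(new, header["salt"]), dek)
    return True
```

Two points the model makes visible: the DEK never leaves the header in the clear, so a header wiped or taken to another device is unrecoverable, and a passphrase change only re-wraps the DEK, leaving the encrypted data untouched.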

Disk Encryption limitations

The purpose of disk encryption is to prevent an attacker from stealing or tampering with data on the disk. Even if the disk is physically detached (or, in the case of internal storage such as eMMC, removed from the device), the data cannot be exposed or retrieved.

Due to the way it works, disk encryption cannot protect against the following types of threats:

  • A background process or daemon that has a security hole. An attacker may be able to use the hole to gain control of the process and access the disk.
  • Theft or leakage of the login ID and password. An attacker can use these credentials to log in to the device and access the disk.