With pleasure.
We are developing a kind of measuring device with Torizon as the basis, in which the user can create several projects. These are stored in the torizon user’s home directory.
Since we have to comply with the CRA, this user data must be protected against unauthorized access. As it is easy to read or manipulate this data with the Easy Installer via the COM interface, and access via the COM interface is to be maintained for service purposes, the data must be encrypted.
As far as I understand it, there are two basic methods of encryption: block-device and file system based.
I have read the Toradex documentation on block-device encryption. The problem of this variant is that we do not have a TPM on our carrier board and the implementation, test and transfer to production of CAAM + Secure Boot is currently not possible for us in sufficient time. Our personnel resources are quite limited…
Or is it possible to provide this type of encryption via a device update?
Implementing encryption on the basis of an existing file system therefore seemed to be a better solution for us. I have found three possible tools, all of which have one major drawback:
- ecryptfs: deprecated since 2019 and will probably be removed from the kernel in 2025
- gocryptfs: no recipe available for yocto (see my other request)
- fscrypt: not compatible with update by ostree as I have learned today…
So I’m kind of stuck right now.
Best regards,
Markus