USB storage encryption

Hi,

I am using external USB storage for database purposes and I want to encrypt it at the system level of Linux.
What is the best solution for encryption considering the limited Linux on the Torizon board (something like Windows BitLocker)?

Regards

Hello @fvodopive ,
Thanks for your question, that is a very interesting use case.

Right now we are not sure if and how TorizonCore deals with encrypted data, but we will ask internally and get back to you as soon as we have the information.

Of course, if you want to add some encryption capabilities on your own to the base OS, you can rebuild it and add your own custom layers.

Just two more questions:

  • which TorizonCore version are you using?
  • which Verdin SoM model and version are you using?

Best regards,
Josep

There are a few options for encrypting external USB storage on a Linux system, such as the Colibri iMX6 running Torizon.

  1. dm-crypt: This is a kernel-level encryption module that can be used to encrypt block devices such as USB storage. dm-crypt is a built-in feature of the Linux kernel, so it does not require any additional software to be installed. However, it does require some command line configuration.
  2. LUKS: Linux Unified Key Setup (LUKS) is a disk encryption specification that uses dm-crypt as the backend. LUKS provides a user-friendly interface for configuring dm-crypt and allows for multiple encryption keys to be used on a single storage device.
  3. eCryptfs: This is a file-level encryption system that allows specific files and directories to be encrypted. eCryptfs is a userspace application and is therefore easier to use than dm-crypt.

Both dm-crypt and LUKS are good options for encrypting the external USB storage on your Colibri iMX6 running Torizon, but LUKS provides a more user-friendly experience. eCryptfs is good for file-level encryption but might not be the best solution for whole-storage encryption.

Please note that none of the mentioned solutions are included in TorizonCore by default.

Hello Josep,

I am using TorizonCore 5.7.0 and a Verdin iMX8M Mini SoM.

Best regards,
Filip

Hi @fvodopive !

Due to your question, Torizon R&D enabled the following kernel configurations:

  • CONFIG_DM_CRYPT
  • CONFIG_FS_ENCRYPTION
  • CONFIG_ECRYPT_FS

This blog post might be helpful to you in this topic as well: https://sergioprado.blog/introduction-embedded-linux-security-part-1/

Best regards,

Hi @fvodopive !

Do you have updates regarding this topic?

Best regards,

Hi @henrique.tx

Currently I have tried using cryptsetup to create an encrypted partition or to encrypt the whole disk, but in this process I always get the error: device-mapper: reload ioctl on failed: Invalid argument. I did not find another way to encrypt due to the missing kernel configurations you listed: CONFIG_DM_CRYPT, CONFIG_FS_ENCRYPTION, CONFIG_ECRYPT_FS.
Can you tell me in which release of TorizonCore you are planning to enable the previously mentioned configuration?

Best regards,

Just to clarify, we added the configs after our 6.1.0 quarterly release. To see the newly added configs you need a recent 6.X.Y nightly image, though these configs will be a part of our kernel going forward. At the moment these configs were not backported to any version of TorizonCore 5.X.Y, so keep that in mind.

Best Regards,
Jeremias


Thanks for clarifying, @jeremias.tx !

@fvodopive , do you have news regarding this topic?

Best regards,

Hi @jeremias.tx

I installed torizon-core-docker-verdin-imx8mm-Tezi_6.2.0-devel-20230213+build.177 on a Verdin iMX8M Mini module. Creating a LUKS container, mapping and mounting the device work OK, but I have a problem with the luksClose function. Even after unmounting the device, luksClose reports that the device is still in use.
Research on the Internet suggests that a possible problem is that the device is mounted in multiple namespaces, but I could not find a simple solution for mounting/dismounting the device through all namespaces (the -l lazy option does not work).

Best regards,

Hi @henrique.tx, do you have any updates regarding the luksClose problem I mentioned?

Best regards,

Hi @fvodopive

I actually have no experience with encryption usage.

But if you could share all the steps needed to reproduce your issue as well as all the outputs/logs you get, it would be great.

Best regards,

Hi @henrique.tx

Sorry, after further analysis of the procedure I figured out I missed doing one step. Everything works now.
Thank you for the help.
Just one question: will these configs be part of the next quarterly release?

Best regards,

Just one question: will these configs be part of the next quarterly release?

Yes, any configuration you see in the recent nightlies should be a part of the next quarterly release. We typically only remove kernel configs if they are problematic for some reason.

Best Regards,
Jeremias

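As an added example (not code from this thread or from Toradex), a small POSIX shell helper for the two problems raised above: it checks the running kernel for the CONFIG_DM_CRYPT option whose absence causes the reload ioctl error, and before luksClose it reads the device-mapper open count, the counter behind the "device is still in use" message, naming any remaining holder instead of failing blind. Assumed: a root shell on the module with cryptsetup, dmsetup, findmnt and fuser installed; the mapping name, mount point and device path are placeholders supplied by the caller.

```shell
# LUKS lifecycle helpers for a USB block device on TorizonCore. Added
# example, not code from the thread or from Toradex. Assumes a root shell
# with cryptsetup, dmsetup, findmnt, fuser and /proc/config.gz available.
set -eu

# Succeed only when every CONFIG_* name given is =y or =m in the kernel
# config file at $1. A kernel without CONFIG_DM_CRYPT is what produces
# "device-mapper: reload ioctl ... failed: Invalid argument" at luksOpen.
check_kernel_configs() {
  cfg=$1; shift; missing=""
  for opt in "$@"; do
    grep -Eq "^${opt}=(y|m)$" "$cfg" || missing="$missing $opt"
  done
  [ -z "$missing" ] && return 0
  echo "missing kernel options:$missing" >&2
  return 1
}

# Print the reference count from 'dmsetup info <name>' text on stdin
# (-1 if absent). A count above 0 is exactly why luksClose reports the
# device still in use, even after a successful umount on the host.
open_count_from_info() {
  awk '/^Open count:/ { print $3; found = 1 } END { if (!found) print "-1" }'
}

# Close a mapping safely: unmount if mounted, confirm device-mapper has
# no holders left, and name the holder otherwise (a mount inside another
# mount namespace, e.g. a container, keeps the count above 0).
close_luks() {
  name=$1; mnt=$2
  if findmnt -rn "$mnt" >/dev/null; then umount "$mnt"; fi
  count=$(dmsetup info "$name" | open_count_from_info)
  if [ "$count" != "0" ]; then
    echo "/dev/mapper/$name not closable (open count=$count); holders:" >&2
    fuser -vm "/dev/mapper/$name" || true
    return 1
  fi
  cryptsetup luksClose "$name"
}

# One-time format of USB device $1 as LUKS2 mapping $2 after checking the
# running kernel; destructive, so never invoked at load time.
init_luks() {
  dev=$1; name=$2
  zcat /proc/config.gz > /tmp/kconfig.txt
  check_kernel_configs /tmp/kconfig.txt CONFIG_DM_CRYPT
  cryptsetup luksFormat --type luks2 "$dev"
  cryptsetup luksOpen "$dev" "$name"
  mkfs.ext4 "/dev/mapper/$name"
}
```

Typical use is `init_luks /dev/sda1 usbcrypt` once, then `close_luks usbcrypt /mnt/usb` at shutdown; when close_luks refuses, the fuser listing shows which process or container still holds the mapping.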