How to encrypt a disk with dm-crypt

Revision as of 16:17, 21 March 2023 by Registered User (architecture overview)
Applicable for STM32MP13x lines

1. Purpose of article

This article describes how to encrypt a block device used for storage, such as an SD card, with the "dm-crypt" tool. The trusted key used for encryption is protected by the secure OS OP-TEE. The key blob is wrapped (sealed) with the SAES IP.

2. Prerequisites

You are already familiar with the Yocto build process and the OpenSTLinux distribution.

3. Introduction

This article describes a process to dynamically encrypt a block device with "dm-crypt", here an SD card partition. We use the Linux in-kernel key management to create a key of the "trusted key" type as the block device encryption key. The "trusted key", that is the encryption key, is a secure key that is created, sealed and unsealed by the secure OS OP-TEE; the wrapping key is a secret key and can be the HUK or a key derived from the HUK. The Linux user-space application "keyctl" manages the secure key blobs, while the wrapping itself is performed by the secure IP SAES in the OP-TEE environment. We use the AES encryption algorithm in CBC mode, CBC-ESSIV or XTS. ESSIV and XTS provide more protection for disk encryption, and AES CBC encryption can be accelerated with the CRYP IP.
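The flow described above, as an added example that is not code from this wiki page: keyctl creates (or reloads) a trusted key sealed by OP-TEE, and the dm-crypt table references that key by keyring name, so the raw key never appears in user space. It assumes a kernel booted with `trusted.source=tee`, keyutils and dmsetup on the target, and uses placeholder device, key and blob names.

```shell
#!/bin/sh
# Added example, not the wiki's own code. Assumes the kernel was booted
# with trusted.source=tee so that "trusted" keys are sealed by OP-TEE.
set -eu

KEY_NAME=${KEY_NAME:-dmcrypt_sd}        # keyring description (placeholder)
KEY_BYTES=${KEY_BYTES:-64}              # 64 bytes = AES-256 in XTS mode
CIPHER=${CIPHER:-aes-xts-plain64}       # or aes-cbc-essiv:sha256
DEV=${DEV:-/dev/mmcblk0p7}              # placeholder SD card partition
BLOB=${BLOB:-/boot/${KEY_NAME}.blob}    # sealed blob; unusable without the HUK

# Build the dm-crypt target line. The key field ":<bytes>:trusted:<name>"
# tells dm-crypt to fetch the key from the kernel keyring instead of
# taking a hex key string on the command line.
dmcrypt_table() {  # $1=device $2=sector count $3=cipher $4=key bytes $5=key name
    printf '0 %s crypt %s :%s:trusted:%s 0 %s 0\n' "$2" "$3" "$4" "$5" "$1"
}

# Key length sanity check: XTS needs two AES keys, CBC needs one.
key_len_ok() {  # $1=cipher $2=key bytes
    case "$1" in
        aes-xts-*) [ "$2" -eq 32 ] || [ "$2" -eq 64 ] ;;
        aes-cbc-*) [ "$2" -eq 16 ] || [ "$2" -eq 24 ] || [ "$2" -eq 32 ] ;;
        *) return 1 ;;
    esac
}

# First run: have the kernel (via OP-TEE) generate and seal a new key and
# store the sealed blob. Later runs: reload the blob; OP-TEE unseals it
# with the HUK-derived wrapping key inside the TEE.
load_or_create_key() {
    if [ -f "$BLOB" ]; then
        keyctl add trusted "$KEY_NAME" "load $(cat "$BLOB")" @u
    else
        KEYID=$(keyctl add trusted "$KEY_NAME" "new $KEY_BYTES" @u)
        keyctl pipe "$KEYID" > "$BLOB"
    fi
}

if [ "${DO_SETUP:-0}" = 1 ]; then       # guard so the file is safe to source
    key_len_ok "$CIPHER" "$KEY_BYTES" || { echo "bad key length" >&2; exit 1; }
    load_or_create_key
    SECTORS=$(blockdev --getsz "$DEV")
    dmcrypt_table "$DEV" "$SECTORS" "$CIPHER" "$KEY_BYTES" "$KEY_NAME" \
        | dmsetup create "crypt_${KEY_NAME}"
fi
```

Run with `DO_SETUP=1` on the target to create the mapping; the resulting `/dev/mapper/crypt_dmcrypt_sd` can then be formatted and mounted like any block device.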

4. Architecture overview

[Figure: dm_crypt architecture overview]