How to encrypt a disk with dm-crypt

Revision as of 17:37, 21 March 2023 by Registered User
Applicable for STM32MP13x lines

1. Purpose of article[edit source]

This article describes how to encrypt a device block for storage as a Sdcard with the "dm-crypt" tool. The encrypting trusted key is protected by the secure OS OP-TEE. The encrypted key is wrapped with the SAES IP.

2. Pre-requesites[edit source]

You are already familiar with the Yocto build process and OpenSTLinux distribution.

3. Introduction[edit source]

This article describe a process to encrypt dynamically a bloc device with "dm-crypt", here a sdcard partition. We use the Linux in-kernel key managment Linux, to create a "trusted key" key type as the bloc device encrypting key. The "trusted key" so the encrypting key is a secure key created, seal & unseal by the secure OS OP-TEE, the wrapping key is a secret key and can be the HUK or derived from the HUK. The Linux user-space application "keyctl" manage secure key blobs, the wrapping is performed by the secure IP SAES in the OP-TEE environment. We use AES encryption algorithm with CBC mode or (ESSIV or XTS). ESSIV and XTS provide more protection for disk encryption and the AES CBC encryption can be accelerated with the CRYP IP.

4. architecture overview[edit source]

Alternate text
dm_crypt

5. process[edit source]

  • New MMC partition creation

fdisk /dev/mmcblk0

enter "n" following by "+1G" for 1go size then "w".

  • check the new partition created

lsblk 

NAME         MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
mmcblk0      179:0    0  14.8G  0 disk
|-mmcblk0p1  179:1    0   256K  0 part
|-mmcblk0p2  179:2    0   256K  0 part
|-mmcblk0p3  179:3    0   256K  0 part
|-mmcblk0p4  179:4    0   256K  0 part
|-mmcblk0p5  179:5    0     4M  0 part
|-mmcblk0p6  179:6    0     4M  0 part
|-mmcblk0p7  179:7    0   512K  0 part
|-mmcblk0p8  179:8    0    64M  0 part /boot
|-mmcblk0p9  179:9    0    16M  0 part /vendor
|-mmcblk0p10 179:10   0   736M  0 part /
|-mmcblk0p11 179:11   0 710.5M  0 part /usr/local
`-mmcblk0p12 179:12   0     1G  0 part
  • Trusted Key creation in keyring session

keyctl add trusted my_key "new 64" @s 

result :
53139771
  • check the created key, show the keyring session and print the sealed key.

keyctl show @s 

result:
Keyring
989387511 --alswrv      0     0  keyring: _ses
809952222 ----s-rv      0     0   \_ user: invocation_id
 53139771 --alswrv      0     0   \_ trusted: my_key

keyctl print 53139771 

result:
00334c376ecf6d8e80d7737506eec2456dea0baa119d86cb0aec5643edfe5bbdcdb736e94075fc6f

832731067e3452a16eb40891ee7cdf2133aa6fbce6b1bd8428f2ca9afece90153e84e0c3c1107f66 1ccc53b88f2e2d9dbb21223e9aeacafff2

  • save Key blob

keyctl pipe 53139771 > my_key.blob

  • create the device-mapper named crypt_dev with transparent encryption of block device using the kernel crypto API "crypt")

specifically the AES XTS encryption with the trusted ky "my_key" {Board$}}dmsetup create crypt_dev --table "0 $(blockdev --getsz /dev/mmcblk0p12) crypt aes-xts-plain64 :64:trusted:my_key 0 /dev/mmcblk0p12 0" 

result:
[ 3666.109846] cryptd: max_cpu_qlen set to 1000
  • check the device mapper

dmsetup table --showkeys

Operating system

Open portable trusted execution environment

Linux® is a registered trademark of Linus Torvalds.

Hardware unique key

Advanced encryption standard

Cryptographic processor

Multimedia card

Application programming interface

Retrieved from "https://wiki.st.com/stm32mpu/index.php?title=How_to_encrypt_a_disk_with_dm-crypt&oldid=91306"