Partition encryption uses the kernel’s cryptographic support to encrypt all the data you store in a partition. Attempting to access this data without the correct encryption key returns random, meaningless bytes.

This section explains how to use encryption for partitions other than the root filesystem. For information on encrypting the root filesystem see Set up secure boot.

Encrypt a NAND partition

NAND partition encryption uses the kernel's cryptographic support to encrypt all the data stored in a partition. Reading the partition without the correct encryption key yields only ciphertext, which is indistinguishable from random bytes.

Follow these steps to encrypt a NAND partition:

1. Program an encryption key

If the system does not yet have an encryption key programmed, you must program one before enabling encryption on any NAND partition. The key is programmed by updating the system with the update-firmware tool. See Program firmware from Linux.

2. Flag a partition as encrypted

To enable encryption for a specific partition, mark that partition with the encryption flag in the MTD partition table. Every read and write to a flagged partition then goes through the encryption layer, so the partition never holds plaintext.

On the ConnectCore 6UL, the bootloader passes the partition table to the kernel on the command line in the mtdparts argument. Its format is documented in drivers/mtd/cmdlinepart.c in the kernel sources. Add the enc flag immediately after the partition name:

  1. Reset the device and stop at the U-Boot bootloader prompt.

  2. Add the enc flag to the NAND partition. For example, to mark the update partition as encrypted starting from the default partition table, edit the mtdparts variable, move the cursor to the end of the update entry and add the enc flag after the partition name:

    => env edit mtdparts
    edit: mtdparts=gpmi-nand:3m(bootloader),1m(environment),1m(safe),12m(linux),14m(recovery),122m(rootfs)enc,-(update)enc
    => saveenv

    Note the enc flag in the update entry (the rootfs entry in this example already carries it). You can also use the mtdparts U-Boot command to modify the partition table. Because the flag changes how every byte of the partition is read and written, any data written to the partition before the flag was set is no longer readable once the flag is in place; the partition must be formatted, as described in the next step.

3. Format the partition

You can manually format the partition from Linux as follows. Note that ubiformat erases everything the partition currently contains:

~$ ubiformat /dev/mtdN
~$ ubiattach -p /dev/mtdN
~$ ubimkvol /dev/ubiX -N "<partition name>" -m

Where N is the MTD partition index in the partition table (partitions are numbered from 0 in the order they appear in mtdparts, so adding or removing a partition renumbers the ones after it), and X is the UBI device index assigned when you attach the UBI device.

For example, to format the update partition in the default partition table, type the following:

~$ ubiformat /dev/mtd6
~$ ubiattach -p /dev/mtd6
~$ ubimkvol /dev/ubi2 -N "update" -m

You can then write a UBIFS image into the volume on the encrypted partition:

~$ ubiupdatevol /dev/ubi2_0 <image_file.ubifs>

4. Auto mount

If you want the system to automatically attach the partition to UBI on boot, add the following argument to the Linux kernel command line:

ubi.mtd=N

Where N is the MTD partition index in the partition table.

You must also add an entry to the /etc/fstab file to mount it automatically:

 /dev/ubiX_0    /path/to/mount/point    ubifs    defaults    0  0

X is the UBI device index that is assigned when the partition is attached.
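The following script is an added example and is not part of Digi's tooling or of this page's original content. It ties steps 2 to 4 together for one partition: it adds the enc flag to a named entry of the mtdparts string, derives the /dev/mtdN index from the position of that entry, runs the ubiformat/ubiattach/ubimkvol sequence, and prints the matching kernel argument and fstab line. The partition table and the mount point /mnt/update are taken from this page; the UBI device number 2 is an assumption, pinned with ubiattach -d so that the fstab entry is predictable rather than depending on attach order. Device operations are only printed unless RUN=1 is set, so the script can be dry-run on a workstation before it is run as root on the target.

```shell
#!/bin/sh
# Added example, not Digi's own tooling: helpers for the NAND partition
# encryption procedure. Anything that touches the device is printed unless
# RUN=1 is set, so the script is safe to read and dry-run on a workstation.
set -eu

# Default ConnectCore 6UL partition table from the U-Boot mtdparts variable.
# rootfs already carries the enc flag; update does not yet.
DEFAULT_MTDPARTS='gpmi-nand:3m(bootloader),1m(environment),1m(safe),12m(linux),14m(recovery),122m(rootfs)enc,-(update)'

# add_enc_flag MTDPARTS NAME
# Print MTDPARTS with the enc flag appended to partition NAME. Idempotent:
# a partition that is already flagged is returned unchanged.
add_enc_flag() {
    mtdparts=$1 name=$2
    case "$mtdparts" in
        *"($name)enc"*) printf '%s\n' "$mtdparts" ;;
        *"($name)"*)    printf '%s\n' "$mtdparts" | sed "s/(${name})/(${name})enc/" ;;
        *) echo "add_enc_flag: no partition named '$name' in mtdparts" >&2; return 1 ;;
    esac
}

# mtd_index MTDPARTS NAME
# Print the zero-based MTD index (the N in /dev/mtdN) of partition NAME.
# Entries are numbered in the order they appear after the "device:" prefix,
# so inserting or removing a partition renumbers everything after it.
mtd_index() {
    name=$2 i=0
    list=${1#*:}
    old_ifs=$IFS
    IFS=,
    for entry in $list; do
        case "$entry" in
            *"($name)"*) IFS=$old_ifs; echo "$i"; return 0 ;;
        esac
        i=$((i + 1))
    done
    IFS=$old_ifs
    echo "mtd_index: no partition named '$name' in mtdparts" >&2
    return 1
}

# fstab_line UBI_NUM MOUNTPOINT
# Print the /etc/fstab entry for volume 0 of UBI device UBI_NUM (step 4).
fstab_line() {
    printf '/dev/ubi%s_0\t%s\tubifs\tdefaults\t0\t0\n' "$1" "$2"
}

# run CMD...: execute on the target when RUN=1, otherwise just show it.
run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# prepare_encrypted_volume MTDPARTS NAME UBI_NUM
# Step 3 for partition NAME. ubiformat erases the partition, which is why it
# is done after the enc flag is set: data written without the flag is gone.
# -d pins the UBI device number (assumed here) so the fstab entry is stable.
prepare_encrypted_volume() {
    mtdparts=$1 name=$2 ubi_num=$3
    n=$(mtd_index "$mtdparts" "$name") || return 1
    run ubiformat "/dev/mtd$n"
    run ubiattach -p "/dev/mtd$n" -d "$ubi_num"
    run ubimkvol "/dev/ubi$ubi_num" -N "$name" -m
    echo "kernel command line: ubi.mtd=$n"
}

# Dry run of the whole procedure for the update partition.
NEW_MTDPARTS=$(add_enc_flag "$DEFAULT_MTDPARTS" update)
echo "U-Boot: setenv mtdparts '$NEW_MTDPARTS' ; saveenv"
prepare_encrypted_volume "$NEW_MTDPARTS" update 2
echo "fstab:  $(fstab_line 2 /mnt/update)"
```

Run it once without RUN set and compare the printed /dev/mtdN against /proc/mtd on the target before running it with RUN=1 as root: if the U-Boot mtdparts variable and the kernel's view of the table disagree, the index printed here is the one that is wrong.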