Generating luks encrypted rootfs in .wic

Posted: Thu Jun 13, 2019 10:48 pm
by donws

We would like to use a luks encrypted rootfs on the SAMA5D2. We've included meta-encrypted-storage ( ... ed-storage) in our Yocto build. This feature employs cryptsetup together with an initramfs and an init script to unlock the luks encrypted root partition as part of kernel boot.

To create a luks encrypted partition the following steps are generally needed:

cryptsetup luksFormat /dev/mmcblkxxx keyfile              # write the LUKS header, key taken from keyfile
cryptsetup luksOpen -d keyfile /dev/mmcblkxxx cryptroot   # map it as /dev/mapper/cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt/cryptroot
cp -ax /mnt/path-to-rootfs/. /mnt/cryptroot/  # populate luks encrypted partition (the /. form also copies dotfiles)
umount /mnt/cryptroot
cryptsetup luksClose cryptroot

Does anyone know how to best handle this or something similar within the Yocto build process? The desire is to have the build process automatically create and package a luks encrypted rootfs in the .wic file instead of the plain rootfs.
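
A check that a build could run on the resulting .wic, as an added example that is not part of the original post: it reads the partition table and reports whether a partition starts with a LUKS header or still holds a plain ext filesystem. It assumes an MBR (msdos) partition table and 512-byte sectors; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: report what each primary partition of a disk image holds.
# Assumes an MBR (msdos) partition table and 512-byte sectors.

# hex_at FILE OFFSET COUNT: COUNT bytes at OFFSET as a lowercase hex string
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# le32_at FILE OFFSET: little-endian uint32 at OFFSET, printed in decimal
le32_at() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -v -tu1)
    [ $# -eq 4 ] || return 1
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# part_kind FILE BYTE_OFFSET: prints luks1, luks2, ext or unknown
part_kind() {
    if [ "$(hex_at "$1" "$2" 6)" = "4c554b53babe" ]; then   # "LUKS" 0xBA 0xBE
        case "$(hex_at "$1" $(( $2 + 6 )) 2)" in            # big-endian version
            0001) echo luks1 ;;
            0002) echo luks2 ;;
            *)    echo unknown ;;
        esac
    elif [ "$(hex_at "$1" $(( $2 + 1080 )) 2)" = "53ef" ]; then
        echo ext        # ext2/3/4 superblock magic 0xEF53: partition is NOT encrypted
    else
        echo unknown
    fi
}

# wic_part_kinds FILE: one "N kind" line per non-empty primary partition
wic_part_kinds() {
    [ "$(hex_at "$1" 510 2)" = "55aa" ] || { echo "no MBR signature" >&2; return 2; }
    for n in 1 2 3 4; do
        lba=$(le32_at "$1" $(( 446 + ($n - 1) * 16 + 8 ))) || return 2
        [ "$lba" -gt 0 ] || continue
        echo "$n $(part_kind "$1" $(( $lba * 512 )))"
    done
}

# rootfs_is_luks FILE PARTNUM: exit status 0 only if that partition has a LUKS header
rootfs_is_luks() {
    wic_part_kinds "$1" | grep -Eq "^$2 luks[12]\$"
}

# Build gate: sh check-wic.sh image.wic 2
if [ $# -eq 2 ]; then rootfs_is_luks "$1" "$2"; fi
```

The check fails closed: an image without an MBR signature, or a partition whose type cannot be recognised, is reported as not LUKS.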