https://community.nxp.com/t5/i-MX-Processors/Using-Keyring-for-key-to-be-used-for-CAAM-partition-encryption/m-p/2053130#M234559 <P>Hello,&nbsp;</P><P>&nbsp; &nbsp; I am following this method to encrypt my emmc partition-</P><P>1. generate key:<BR />KEYNAME=dm_trust<BR />KEY="$(keyctl add trusted $KEYNAME 'new 32' @s)"<BR />keyctl pipe $KEY &gt;~/$KEYNAME.blob</P><P>&nbsp;</P><P>2. Set variables:</P><P>DEV=/dev/mmcblk0p4<BR />ALGO=capi:cbc\(aes\)-plain<BR />TARGET=crypt<BR />BLOCKS=$(blockdev --getsz $DEV)<BR />KEYNAME=dm_trust<BR />TABLE="0 $BLOCKS $TARGET $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards"</P><P>3. Create new device mapper<BR /><BR />echo $TABLE | dmsetup create encrypted</P><P>4. LOAD device mapper "encrypted"<BR />echo $TABLE | dmsetup load encrypted</P><P>5. Format and mount partition:</P><P>mkfs.ext4 /dev/mapper/encrypted<BR />mount -t ext4 /dev/mapper/encrypted /crypt</P><P>Now, I would like not to have the&nbsp;$KEYNAME.blob in my system but use the keyring. Since the session keyring expires after reboot, I tried to save the key on a persistent keyring:</P><LI-CODE lang="markup">keyctl newring my-keyring @u &gt; /etc/keyrings/my-persistent-keyring_id keyctl add trusted my-key "load $(cat ~/dm_trust.blob)" $(cat /etc/keyrings/my-persistent-keyring_id) keyctl link $(cat /etc/keyrings/my-persistent-keyring_id) @u</LI-CODE><P>Unfortunately the 2nd (and 3rd ) keyctl call return "permission denied" even if I am root.&nbsp;</P><P>What is the correct procedure to store the key in the keyring ?&nbsp;</P><P>&nbsp;</P> Thu, 27 Feb 2025 16:40:18 GMT P3r3gr1nus 2025-02-27T16:40:18Z https://community.nxp.com/t5/i-MX-Processors/Using-Keyring-for-key-to-be-used-for-CAAM-partition-encryption/m-p/2053130#M234559 <P>Hello,&nbsp;</P><P>&nbsp; &nbsp; I am following this method to encrypt my emmc partition-</P><P>1. generate key:<BR />KEYNAME=dm_trust<BR />KEY="$(keyctl add trusted $KEYNAME 'new 32' @s)"<BR />keyctl pipe $KEY &gt;~/$KEYNAME.blob</P><P>&nbsp;</P><P>2. Set variables:</P><P>DEV=/dev/mmcblk0p4<BR />ALGO=capi:cbc\(aes\)-plain<BR />TARGET=crypt<BR />BLOCKS=$(blockdev --getsz $DEV)<BR />KEYNAME=dm_trust<BR />TABLE="0 $BLOCKS $TARGET $ALGO :32:trusted:$KEYNAME 0 $DEV 0 1 allow_discards"</P><P>3. Create new device mapper<BR /><BR />echo $TABLE | dmsetup create encrypted</P><P>4. LOAD device mapper "encrypted"<BR />echo $TABLE | dmsetup load encrypted</P><P>5. Format and mount partition:</P><P>mkfs.ext4 /dev/mapper/encrypted<BR />mount -t ext4 /dev/mapper/encrypted /crypt</P><P>Now, I would like not to have the&nbsp;$KEYNAME.blob in my system but use the keyring. Since the session keyring expires after reboot, I tried to save the key on a persistent keyring:</P><LI-CODE lang="markup">keyctl newring my-keyring @u &gt; /etc/keyrings/my-persistent-keyring_id keyctl add trusted my-key "load $(cat ~/dm_trust.blob)" $(cat /etc/keyrings/my-persistent-keyring_id) keyctl link $(cat /etc/keyrings/my-persistent-keyring_id) @u</LI-CODE><P>Unfortunately the 2nd (and 3rd ) keyctl call return "permission denied" even if I am root.&nbsp;</P><P>What is the correct procedure to store the key in the keyring ?&nbsp;</P><P>&nbsp;</P> Thu, 27 Feb 2025 16:40:18 GMT https://community.nxp.com/t5/i-MX-Processors/Using-Keyring-for-key-to-be-used-for-CAAM-partition-encryption/m-p/2053130#M234559 P3r3gr1nus 2025-02-27T16:40:18Z https://community.nxp.com/t5/i-MX-Processors/Using-Keyring-for-key-to-be-used-for-CAAM-partition-encryption/m-p/2054588#M234652 <P>Hello,</P> <P>I send you email with a reference, hope that can be helpful.</P> <P>&nbsp;</P> <P>Regards</P> <P>Harvey</P> Mon, 03 Mar 2025 09:21:14 GMT https://community.nxp.com/t5/i-MX-Processors/Using-Keyring-for-key-to-be-used-for-CAAM-partition-encryption/m-p/2054588#M234652 Harvey021 2025-03-03T09:21:14Z