- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Hardware encryption without black keys
Hardware encryption without black keys
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have hardware encryption using black keys (CAAM), but the customer would also like hardware encryption without the black keys so an ssd partition can be hardware encrypted but be removed in case of a board failure and decrypted on another machine with the key used.
I cannot seem to get the cipher/key working with dmsetup, and am kind of confused as how to tell the system how to tell the difference between using CAAM generated keys and regular keys.
Is it the "capi" part of the cipher, or something else that determines?
(from the imx8m hardware encryption document)
For HW encryption with a caam-keygen key added to kernel keychain:
dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
How to use regular key?
Solved! Go to Solution.
Bio_TICFSL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
When using CAAM for hardware encryption, there are two approaches:
1. Using CAAM-generated black keys (device-specific):
- The black keys are encrypted with the device's OPTMK (One-Time Programmable Master Key)
- These keys cannot be transferred between devices
- This is what your current implementation uses
2. Using regular keys with hardware acceleration:
- For your requirement to decrypt data on another machine, you need to use regular keys
- The difference is in the cipher specification with dmsetup
For regular key hardware encryption, modify your dmsetup command by removing the "capi:tk" prefix:
```
dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt cbc(aes)-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
```
The key difference is:
- With CAAM black keys: `capi:tk(cbc(aes))-plain`
- With regular keys: `cbc(aes)-plain`
The "tk" in "capi:tk" stands for "tagged key" which indicates CAAM black key usage. By removing this prefix, you're instructing the system to use standard keys while still leveraging hardware acceleration where available.
This approach will allow you to create an encrypted partition that can be moved to another machine and decrypted using the same key.
Regards
Bio_TICFSL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
When using CAAM for hardware encryption, there are two approaches:
1. Using CAAM-generated black keys (device-specific):
- The black keys are encrypted with the device's OPTMK (One-Time Programmable Master Key)
- These keys cannot be transferred between devices
- This is what your current implementation uses
2. Using regular keys with hardware acceleration:
- For your requirement to decrypt data on another machine, you need to use regular keys
- The difference is in the cipher specification with dmsetup
For regular key hardware encryption, modify your dmsetup command by removing the "capi:tk" prefix:
```
dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt cbc(aes)-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
```
The key difference is:
- With CAAM black keys: `capi:tk(cbc(aes))-plain`
- With regular keys: `cbc(aes)-plain`
The "tk" in "capi:tk" stands for "tagged key" which indicates CAAM black key usage. By removing this prefix, you're instructing the system to use standard keys while still leveraging hardware acceleration where available.
This approach will allow you to create an encrypted partition that can be moved to another machine and decrypted using the same key.
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not real impressive for acceleration
