I have hardware encryption using black keys (CAAM), but the customer would also like hardware encryption without the black keys so an ssd partition can be hardware encrypted but be removed in case of a board failure and decrypted on another machine with the key used.
I cannot seem to get the cipher/key working with dmsetup, and am kind of confused as how to tell the system how to tell the difference between using CAAM generated keys and regular keys.
Is it the "capi" part of the cipher, or something else that determines?
(from the imx8m hardware encryption document)
For HW encryption with a caam-keygen key added to kernel keychain:
dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/loop0) crypt capi:tk(cbc(aes))-plain :36:logon:logkey: 0 /dev/loop0 0 1 sector_size:512"
How to use regular key?
