Hi,
I am curious if it’s possible to encrypt the content of the eMMC and have the OS boot without user intervention to provide an encryption password or something.
Thanks!
Thy
You probably need to install the system in EFI with grub, then adapt this guide. I did some experiments with an EFI system, but I was using systemd-boot since that was giving me less trouble than U-Boot (in short, grub’s \EFI\boot\bootaa64.efi was not usable, which requires either changes to the U-Boot environment or creating package hooks to fix the issue).
Still, this job is usually done by a TPM so an attacker won’t be able to extract the key easily. This method leaves the key file in unencrypted form, so the only benefit I can see is when you want to retire the device: you can just nuke the key file instead of the whole eMMC.
I am looking forward to experimenting with it once I get the system to flash! Will provide feedback as soon as I can.