On Thu, Jul 22, 2021 at 8:55 AM Brian Hutchinson wrote:
>
> Hi Jan,
>
> On Thu, Jul 22, 2021 at 8:16 AM Jan Lübbe wrote:
>
>> On Thu, 2021-07-22 at 08:11 -0400, Brian Hutchinson wrote:
>> > Hello again,
>>
>> Hi!
>>
>> > I'm wanting to have a rootfs that is read-only SquashFS and an appfs that is
>> > encrypted.
>>
>> I assume you want to have an A/B appfs.
>
> Yes, have A/B for Kernel, dtb, rootfs and appfs.
>
>> How do you encrypt your appfs? dm-crypt or fscrypt?
>
> So the process in the factory will set everything up on eMMC the first time with:
>
> cryptsetup luksFormat /dev/mmcblk2p1 & /dev/mmcblk2p2
> cryptsetup luksOpen /dev/mmcblk2p1 crypt_appfs1 (same thing for /dev/mmcblk2p2)
> mkfs.ext4 /dev/mapper/crypt_appfs1 & crypt_appfs2
>
> Then in normal use just have a script that figures out which slot we are
> starting, A or B, to determine which appfs partition to use and cryptsetup
> luksOpen, then mount /dev/mapper.
>
>> > And I'm kind of stumped. I've searched the Documentation and archives and it
>> > doesn't look like RAUC has native support for encrypted partitions but in the
>> > archives I saw where one gentleman needed to create encrypted bundles so this
>> > might be similar to my problem.
>>
>> Bundle encryption is independent of encryption in the rest of the system.
>>
>> > I know a bundle can have pre and post triggers so maybe I can use those to
>> > cryptsetup luksOpen the partition and then mount it and then RAUC can do its
>> > normal thing ... but I've not researched that enough to know if that's the way
>> > to go so thought I'd ask for some guidance to point me in the right direction
>> > first.
>>
>> If you use dm-crypt, you can just use the device-mapper path for the slot's
>> device= property in system.conf. That way, the encryption is transparent
>> to rauc.
>
> Not following how that would work since the inactive appfs would be
> "closed/encrypted".
>
> Thanks!
>
> Regards,
>
> Brian

Sorry, forgot to reply-all to last message.

So when I did my luksFormat etc., I used a key-file that I created with:

openssl rand -base64 32 > luks_appfs_key

Are you telling me that if I add a key and put it in the rauc key ring in /etc/rauc and in my system.conf refer to my appfs by /dev/mapper name, rauc will know what to do to "open" the inactive appfs to do the update?

I guess I'm hung up on how the "open" will take place and how to tell rauc about the key to use etc.

Regards,
Brian
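As an added example, not from the thread and not RAUC's own code: a POSIX shell script that does the factory provisioning Brian describes (luksFormat, luksOpen, mkfs.ext4 on both partitions, driven by a key file) and also serves as a RAUC pre-install handler that opens both LUKS containers before RAUC writes to the /dev/mapper paths Jan suggested for device=. The partition numbers, mapper names and key-file name are taken from the thread; the key-file location /etc/luks_appfs_key, the handler path, the system.conf fragment in the header comment and the idea of using the pre-install handler for this are assumptions, and the thread does not confirm that this is how the "open" of the inactive slot should be done. The CRYPTSETUP and MKFS variables exist so the script can be dry-run against stubs without touching a real device.

```shell
#!/bin/sh
# Added example (not from the thread): provision and open LUKS-backed A/B
# appfs slots so that RAUC can update /dev/mapper/crypt_appfs{1,2}.
#
# Assumed RAUC system.conf fragment (mapper paths as Jan suggested; slot
# names, parent slots and handler path are assumptions):
#   [slot.appfs.0]
#   device=/dev/mapper/crypt_appfs1
#   type=ext4
#   parent=rootfs.0
#
#   [slot.appfs.1]
#   device=/dev/mapper/crypt_appfs2
#   type=ext4
#   parent=rootfs.1
#
#   [handlers]
#   pre-install=/usr/lib/rauc/open-appfs.sh   (this script, invoked with "open")
#
# Assumed: key file created with "openssl rand -base64 32 > luks_appfs_key"
# and installed as /etc/luks_appfs_key; partitions /dev/mmcblk2p1 and p2;
# mapper names crypt_appfs1 and crypt_appfs2 (all from the thread).
set -eu

KEYFILE="${KEYFILE:-/etc/luks_appfs_key}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"   # point at a stub for a dry run
MKFS="${MKFS:-mkfs.ext4}"

appfs_partition() { echo "/dev/mmcblk2p$1"; }   # slot number -> raw partition
appfs_mapper()    { echo "crypt_appfs$1"; }     # slot number -> dm name

# True if device-mapper already has the container for slot $1 open.
appfs_is_open() {
    "$CRYPTSETUP" status "$(appfs_mapper "$1")" >/dev/null 2>&1
}

# Open slot $1 with the key file. Idempotent, so a pre-install handler can
# call it for both slots without knowing which one is currently active.
appfs_open() {
    if appfs_is_open "$1"; then
        return 0
    fi
    "$CRYPTSETUP" luksOpen --key-file "$KEYFILE" \
        "$(appfs_partition "$1")" "$(appfs_mapper "$1")"
}

# Factory provisioning: format both partitions, open them, create ext4.
# --batch-mode suppresses the interactive "YES" confirmation of luksFormat.
appfs_factory_setup() {
    [ -r "$KEYFILE" ] || { echo "key file $KEYFILE not readable" >&2; return 1; }
    for n in 1 2; do
        "$CRYPTSETUP" luksFormat --batch-mode --key-file "$KEYFILE" \
            "$(appfs_partition "$n")"
        appfs_open "$n"
        "$MKFS" -q "/dev/mapper/$(appfs_mapper "$n")"
    done
}

# Pre-install handler entry point: make sure both mapper devices exist, so
# whichever slot RAUC picks as inactive is writable.
appfs_open_all() {
    for n in 1 2; do appfs_open "$n"; done
}

case "${1:-}" in
    factory) appfs_factory_setup ;;
    open)    appfs_open_all ;;
    *)       : ;;   # no argument: only define the functions
esac
```

Run it once as `open-appfs.sh factory` on the production line, and let RAUC invoke it with `open` before each installation; the key file must be readable by root only, and the script intentionally never prints it. The normal-boot mount script from the thread can call `appfs_open "$slot"` as well, so there is a single place that knows the key location.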