I am currently working on an embedded IOT product and using mender for over the air software update. I am using the mender for the past 2 years for another product and it’s working perfectly fine. The roll outs to devices are smooth after every software update.
As part of security concept for the new product, my security engineer advises to have encrypted filesystem(most likely with LUKS and dm-crypt). May I know whether mender supports such encrypted file systems. The root filesystem is ext4. I looked into the mender documentation and the mailing list. I am not finding any in formations related to the topic. Any suggestions on the topic would be helpful.
Thanks & Regards,
Hello @evk1206, and welcome to Mender Hub.
May I know whether mender supports such encrypted file systems
Hard to answer this question in binary (yes/no). But there is probably nothing in Mender to prevent you from doing this.
Is the filesystem encrypted at build time?
Hi @mirzak: Yes. That’s the plan atleast now to create the filesystem encrypted by including a post build script in the Yocto build.
But there is probably nothing in Mender to prevent you from doing this.
Not in Mender, but the boot loader probably won’t support the encrypted partition. You can still boot such a system, but you will have to put the kernel outside the encrypted partition, which means you can’t update it via a rootfs update.
You could update it separately though, via a state script or using the upcoming Update Modules feature.
@kacf: Sorry, I didn’t get what do you mean by the boot loader probably won’t support the encrypted partition.
Thanks for the information about the Kernel.
Hmm, perhaps I was wrong, it does look like GRUB supports LUKS using the
cryptomount command. For U-Boot I could not find any references though.
The boot loader needs to load the kernel from the rootfs (in ordinary Mender setup), so it needs access to the encrypted partition, unless you put the kernel outside.
We are building an instrument on a Zynq 7000 based device and need to encrypt the SD card for protecting our algorithms. Was considering mender for the OTA, had assumed encrypted file system wouldn’t be an issue. Not so sure after reading this. Would it be possible to give a definite answer if encrypted file system is possible?
Unfortunately we also don’t have a yocto build system and would have to invest significant effort before trying it out ourselves.
I think there is not a definite answer, since I’m not aware of encrypted
filesystems being attempted before. My best answer would be: It’s
probably possible, but it will take some tweaking of the GRUB bootloader
integration, and probably the image build scripts, to get it to work. It
definitely won’t be an out-of-the-box solution. I still would expect it
to be easier than building your own solution though, at least if you
want full rootfs updates with rollback.