Data Encryption Impact on Boot Times
On the first boot after flashing, setting up the encrypted partition takes about 30
seconds. These steps are executed by the nv_cpu_encrypt_run_once.service
systemd service. The setup involves:
- Creating and encrypting the VEK (Volume Encryption Key) using the PKCS#11 app. The VEK is stored in /etc/nvidia/efs/
- Decrypting the VEK using the PKCS#11 app.
- Setting up the encrypted partition using dmsetup, passing the VEK and other information.
- Initializing the encrypted partition with random data
- Creating ext4 filesystem on encrypted partition
- Copying the contents from /home to encrypted partition
- Mounting the encrypted partition on /home directory
After the first boot, subsequent reboots do NOT have an impact on boot times.
On subsequent boots, the EFS steps are executed by the nv_cpu_encrypted_user_partition.service
systemd service and are as follows:
- Decrypting VEK using PKCS#11 app.
- Mounting the encrypted partition on /home directory
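
Both the first-boot and subsequent-boot sequences above end with the encrypted partition mounted on /home, so a post-boot check can confirm that /home really sits on a dm-crypt mapping rather than on a plain partition. The script below is an added example, not part of the original documentation or NVIDIA's services; the mapping name efs_home, the cipher string, the zeroed key field and the device numbers in the sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify that a mount point is backed by a dm-crypt mapping.
# Inputs are text in /proc/mounts format and `dmsetup table` output format.

# Print the source device of the last mount on a mount point (later mounts overlay earlier ones).
mount_source() {  # $1 = mounts file, $2 = mount point
    awk -v mp="$2" '$2 == mp { src = $1 } END { if (src != "") print src }' "$1"
}

# Print the device-mapper target type ("crypt", "linear", ...) of a mapping.
dm_target_type() {  # $1 = dmsetup table file, $2 = mapping name
    awk -v n="$2:" '$1 == n { print $4; exit }' "$1"
}

# Return 0 only if the mount point is on /dev/mapper/<name> and <name> is a crypt target.
check_encrypted_mount() {  # $1 = mounts file, $2 = table file, $3 = mount point
    src=$(mount_source "$1" "$3")
    case "$src" in
        /dev/mapper/*) name=${src#/dev/mapper/} ;;
        *) echo "FAIL: $3 source is '${src:-none}', not a device-mapper node"; return 1 ;;
    esac
    ttype=$(dm_target_type "$2" "$name")
    if [ "$ttype" != "crypt" ]; then
        echo "FAIL: mapping $name has target '${ttype:-missing}'"; return 1
    fi
    echo "OK: $3 is on dm-crypt mapping $name"
}

# Demo on constructed sample data (not captured from a real device).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '/dev/mapper/efs_home /home ext4 rw,relatime 0 0' > "$d/mounts"
    printf '%s\n' 'efs_home: 0 2097152 crypt aes-xts-plain64 0000 0 259:5 0' > "$d/table"
    check_encrypted_mount "$d/mounts" "$d/table" /home
    rm -rf "$d"
}
demo
```

On a live system, save the output of `dmsetup table` to a file and pass it together with /proc/mounts and /home to check_encrypted_mount.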