Data Encryption Impact on Boot Times

On the first boot after flashing, setting up the encrypted partition takes about 30 seconds. These steps are executed by the nv_cpu_encrypt_run_once.service systemd service. The setup involves:

  • Creating and encrypting the VEK (Volume Encryption Key) using the PKCS#11 app. The VEK is stored in /etc/nvidia/efs/

  • Decrypting the VEK using the PKCS#11 app

  • Setting up the encrypted partition using dmsetup, passing the VEK and other information

  • Initializing the encrypted partition with random data

  • Creating ext4 filesystem on encrypted partition

  • Copying the contents from /home to encrypted partition

  • Mounting the encrypted partition on /home directory

After the first boot, subsequent reboots do NOT have an impact on boot times.

On subsequent boots, the steps are executed by the nv_cpu_encrypted_user_partition.service systemd service. The steps involved in a subsequent boot for EFS are as follows:

  • Decrypting the VEK using the PKCS#11 app

  • Mounting the encrypted partition on /home directory
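
A check that /home really ended up on a dm-crypt mapping once these services have run, written as an added example (not NVIDIA's code). The mapping name `efs_home`, the cipher string and the device names in the samples are constructed placeholders; on a target, pass /proc/mounts and a file holding the output of `dmsetup table`.

```shell
# Added example (not NVIDIA code). Mapping name, cipher and device names in
# the samples are constructed placeholders; the page does not state them.

# Print the device mounted at a mount point (the last matching entry wins).
mount_source() {  # $1 = mounts file, $2 = mount point
    awk -v mp="$2" '$2 == mp { src = $1 } END { if (src != "") print src }' "$1"
}

# Print the target type of one mapping from `dmsetup table` output.
# Line format: "<name>: <start> <length> <target> <target args...>"
dm_target_type() {  # $1 = dmsetup table output file, $2 = mapping name
    awk -v n="$2:" '$1 == n { print $4; exit }' "$1"
}

# Succeed only if the mount point sits on /dev/mapper/<name> and <name> is a
# "crypt" target. Assumes the mount is listed by its /dev/mapper path.
mount_is_encrypted() {  # $1 = mounts file, $2 = dmsetup table file, $3 = mount point
    src=$(mount_source "$1" "$3")
    case "$src" in
        /dev/mapper/*) name=${src#/dev/mapper/} ;;
        *) return 1 ;;
    esac
    [ "$(dm_target_type "$2" "$name")" = "crypt" ]
}

# Constructed samples: one healthy state, one where /home is still plaintext.
write_samples() {  # $1 = output directory
    cat > "$1/mounts.ok" <<'EOF'
/dev/mmcblk0p1 / ext4 rw,relatime 0 0
/dev/mapper/efs_home /home ext4 rw,relatime 0 0
EOF
    cat > "$1/mounts.plain" <<'EOF'
/dev/mmcblk0p1 / ext4 rw,relatime 0 0
/dev/mmcblk0p5 /home ext4 rw,relatime 0 0
EOF
    cat > "$1/dmtable" <<'EOF'
efs_home: 0 2097152 crypt aes-xts-plain64 0000000000000000 0 179:5 0
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for m in mounts.ok mounts.plain; do
    mount_is_encrypted "$demo_dir/$m" "$demo_dir/dmtable" /home \
        && echo "$m: /home is on a dm-crypt mapping" \
        || echo "$m: /home is NOT on a dm-crypt mapping"
done
rm -rf "$demo_dir"
```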