Decryption of VEK and Use by dm-crypt

The diagram below shows decryption of the VEK (volume encryption key) and its use by dm-crypt via dmsetup. It includes the following steps:

  1. The app reads the encrypted VEK from the filesystem (/etc/nvidia/efs/).

  2. The app passes the encrypted VEK and the key derivation strings to the PKCS#11 library via its APIs.

  3. The PKCS#11 library talks to the TOS (trusted OS) to derive the VEK encryption key from the key derivation strings.

  4. The PKCS#11 library talks to the SE Server to decrypt the encrypted VEK and stores the decrypted VEK in the file passed as input (/tmp/*). From this point until dmsetup has loaded it, the VEK sits in plaintext in /tmp, so the file should be created with restrictive permissions and removed as soon as the mapping is set up.

  5. The EFS systemd service reads the decrypted VEK from the file in /tmp.

  6. The EFS systemd service passes the decrypted VEK to dmsetup, which in turn passes it to the kernel dm-crypt module for disk encryption and decryption operations.

[Figure: decryption of the VEK and its use by dm-crypt via dmsetup]
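The following shell functions are an added illustration of steps 5 and 6, not the code of NVIDIA's EFS systemd service: they read a decrypted VEK file, hex-encode it into a dm-crypt table line, and hand that line to dmsetup on standard input rather than on the command line, so the key is not exposed in the process's argv (visible through `ps` and /proc/<pid>/cmdline). The key-file path, device node, mapping name and cipher spec (aes-cbc-essiv:sha256) are assumptions for the example; the real service's paths and cipher come from the platform configuration.

```shell
#!/bin/sh
# Added example (not NVIDIA EFS service code): consume a decrypted VEK file,
# build a dm-crypt table and load it via dmsetup, then remove the key file.
# Assumed: the key file holds raw key bytes; device/cipher/name are hypothetical.
set -eu

# Hex-encode a raw key file; dm-crypt tables carry the key as a hex string.
vek_to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Build one dm-crypt table line:
#   <start_sector> <num_sectors> crypt <cipher> <key_hex> <iv_offset> <device> <offset>
# Arguments: key file, backing device, cipher spec, size in 512-byte sectors.
# Rejects key lengths AES cannot use (anything other than 16, 24 or 32 bytes).
build_crypt_table() {
    key_file=$1; device=$2; cipher=$3; sectors=$4
    key_hex=$(vek_to_hex "$key_file")
    case $(( ${#key_hex} / 2 )) in
        16|24|32) ;;
        *) echo "unsupported VEK length: $(( ${#key_hex} / 2 )) bytes" >&2; return 1 ;;
    esac
    printf '0 %s crypt %s %s 0 %s 0\n' "$sectors" "$cipher" "$key_hex" "$device"
}

# Size of a block device in 512-byte sectors (needs root on a real system).
device_sectors() {
    blockdev --getsz "$1"
}

# Steps 5 and 6: read the decrypted VEK from /tmp, create the mapping, and
# delete the plaintext key file once dmsetup has loaded the table.
# With no --table argument, dmsetup create reads the table from stdin.
map_encrypted_fs() {
    key_file=$1; device=$2; name=$3
    sectors=$(device_sectors "$device")
    build_crypt_table "$key_file" "$device" aes-cbc-essiv:sha256 "$sectors" \
        | dmsetup create "$name"
    rm -f "$key_file"
}

# Example invocation (requires root and a real encrypted partition):
# map_encrypted_fs /tmp/vek.bin /dev/mmcblk0p2 efs_crypt
# mount /dev/mapper/efs_crypt /mnt/efs
```

Passing the table on stdin rather than with `--table "..."` is the point of the example: a key given as a command-line argument is readable by every local user for as long as dmsetup runs. Deleting the key file immediately after the mapping exists shortens the window in which the plaintext VEK is on /tmp.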