Decryption of VEK and Use by dm-crypt
The diagram below shows the decryption of the VEK and its use by dm-crypt via dmsetup. It includes the following steps:
1. The app reads the encrypted VEK from the filesystem (/etc/nvidia/efs/).
2. The app passes the encrypted VEK and the key-derivation strings to the PKCS#11 library via its APIs.
3. The PKCS#11 library talks to TOS to derive the VEK encryption key from the key-derivation strings.
4. The PKCS#11 library talks to the SE Server to decrypt the encrypted VEK and stores the decrypted VEK in the file passed as input (/tmp/*).
5. The EFS systemd service reads the decrypted VEK from the file in /tmp.
6. The EFS systemd service passes the decrypted VEK to dmsetup, which in turn passes it to the kernel dm-crypt module for disk encryption and decryption operations.
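As an added example (not NVIDIA's EFS service code), the last two steps in POSIX shell: the decrypted VEK file in /tmp is hex-encoded, a dm-crypt table line is built from it, and the table is handed to dmsetup on stdin rather than on the command line, so the key does not appear in /proc/<pid>/cmdline. The mapping name, backing device and cipher are assumptions; the VEK file is assumed to hold raw key bytes.

```shell
#!/bin/sh
# Added example, not part of the NVIDIA EFS service. Assumes the decrypted
# VEK file written by the PKCS#11 library contains the raw key bytes.
set -eu

# Print the raw key bytes in the file as one lowercase hex string (dm-crypt's
# table format expects the key as hex).
vek_to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Build the single-line dm-crypt table:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
# $1 = VEK file, $2 = backing block device, $3 = length in 512-byte sectors,
# $4 = cipher (defaults to aes-xts-plain64, an assumption).
build_dm_table() {
    key=$(vek_to_hex "$1")
    # XTS needs two AES keys: 32 bytes (64 hex chars) for AES-128,
    # 64 bytes (128 hex chars) for AES-256. Refuse anything else.
    case ${#key} in
        64|128) ;;
        *) echo "unexpected VEK length: ${#key} hex chars" >&2; return 1 ;;
    esac
    printf '0 %s crypt %s %s 0 %s 0\n' "$3" "${4:-aes-xts-plain64}" "$key" "$2"
}

# Create the mapping. Without --table, dmsetup reads the table from stdin,
# so the key travels through a pipe instead of the process argument list.
# $1 = mapping name, $2 = VEK file, $3 = backing device (requires root)
map_efs() {
    sectors=$(blockdev --getsz "$3")
    build_dm_table "$2" "$3" "$sectors" | dmsetup create "$1"
}
```

Once mapped, /dev/mapper/<name> is the plaintext view of the device; shred or unlink the VEK file in /tmp after dmsetup has consumed it.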