Beginning in LabVIEW Real-Time 2017, the NI Linux Real-Time kernel includes LUKS encryption capabilities. It is possible to create encrypted containers and to encrypt USB drives. It is not currently possible to encrypt a real-time target’s native onboard flash partitions (which store the OS).
Using LUKS encryption can maintain confidentiality of sensitive data, and may satisfy certain regulatory requirements. Users can configure the specific cypher that is used, but LUKS uses AES in XTS mode with a 256-bit key size by default.
Accessing this encryption capability will require some familiarity with the Linux shell. From the shell, users can encrypt USB drives or create encrypted file containers. Encrypted file containers can reside either on the onboard flash drive or external media. Partitions can be encrypted using either passwords or key files.[1] LUKS also supports registering multiple passwords or key files for the same encrypted disk (up to a limit of 10). A specific use case for this might be to register a backup recovery password.
The commands below can be used as a reference for basic usage of LUKS encryption on NI Linux Real-Time. All commands should be run as admin. For more advanced usage, please refer to the additional resources section at the bottom of this page.
Key Creation:
dd if=/dev/urandom of=disk.key bs=1024 count=4
Encrypting USB Drive:
Creating an Encrypted Container:
Additional Resources:
[1] The user is responsible for protecting the secrecy of the key file used. National Instruments strongly recommends storing the key file in a separate location from the encrypted disk.
[2] To create an encrypted volume that uses a password for authentication, omit disk.key from the luksFormat command, noting further that it will no longer be necessary to reference a key file when calling luksOpen.