Crypt Block Device Example
Source path: example/rt_device/crypt_block_dev
Overview
This example demonstrates how to use the crypt_block_dev middleware to create a transparent AES encryption layer on top of an SD/eMMC block device.
All data written to the underlying device is encrypted with AES-CTR-128, and automatically decrypted on read. The upper file system is completely unaware of the encryption layer.
Application Layer (DFS / FatFs)
↓
crypt_root / crypt_misc (crypt_block_dev, AES-CTR-128 transparent encryption/decryption)
↓
root / misc (mmcsd partition devices, stores ciphertext)
↓
sd0 (underlying SD/eMMC block device, stores ciphertext and plaintext MBR)
Supported Platforms
sf32lb56-lcd_a128r12n1
sf32lb58-lcd_n16r64n4
sf32lb58-lcd_a128r32n1_dsi
sf32lb58-lcd_n16r32n1_qspi
Usage Guide
Build
cd example/rt_device/crypt_block_dev/project
scons --board=<board_name> -j8
Runtime
After flashing, the system automatically initializes via INIT_ENV_EXPORT:
Waits for the SD/eMMC device to be ready (timeout ~8 seconds)
Creates
rootandmiscpartitions on the raw SD cardWraps each partition with an AES-CTR-128 encryption layer (
crypt_root,crypt_misc)Mounts
/tocrypt_rootand/misctocrypt_misc(automatically runsmkfson first use)
Partition Layout
Partition |
Start Offset |
Size |
|---|---|---|
root |
0x00081000 |
48 MB |
misc |
0x00F81000 |
500 MB |
Finsh Commands
File Read/Write Speed Test (through filesystem)
Command |
Description |
|---|---|
|
Encrypted write speed test, N sectors per call (default 1) |
|
Encrypted read speed test, N sectors per call (default 1) |
Examples:
crypt_write /test.bin 10 # Encrypted write 10MB, 1 sector per call
crypt_write /test.bin 10 64 # Encrypted write 10MB, 64 sectors per call (32KB)
crypt_read /test.bin 10 # Encrypted read 10MB
Raw Block Device Speed Test (bypasses filesystem)
Command |
Description |
|---|---|
|
Raw encrypted block device read speed test |
|
Raw encrypted block device write speed test |
Examples:
crypt_raw_read 1024 # Read 1024 encrypted sectors
crypt_raw_write 2048 128 # Write 2048 encrypted sectors, 128 sectors per call (64KB)
Data Integrity Verification
Command |
Description |
|---|---|
|
Writes 1MB of random data, then reads back 512KB at offset 512KB and compares byte-by-byte |
Example:
crypt_verify /verify.bin # Write 1MB, verify the last 512KB
Filesystem commands (ls, df, mkdir, etc.) work exactly as with a normal filesystem.
Notes
The
aes_key(16 bytes) andaes_ivin this example use hardcoded test values. Replace them with secure keys in production environments.An encrypted SD card cannot be read directly on other devices (data is ciphertext), though the MBR partition table remains in plaintext.
In AES-CTR-128 mode, each partition is encrypted independently using the same key and IV.
Partition sector offsets and sizes are defined in
main.cvia macrosFS_ROOT_OFFSET/FS_ROOT_LEN/FS_MISC_OFFSET/FS_MISC_LEN. Adjust these according to your storage medium.The
blocks_per_callparameter can be used to test the impact of buffer size on read/write performance — larger values transfer more data per call and may improve throughput.