Nowadays, we are faced with concerns about integrity and security of our digital files. There exists at least one form or another that addresses this issue depending on the platform we use. On Android phone, since 2.3.0 Google has introduced full device encryption. All media, files and apps are encrypted. On WPC, Microsoft has Bitlocker that encrypts whole drive as well as external portable drives. This solution works pretty well except now the drive is encrypted to your authentication and you cannot give it to friends and still encrypted. Furthermore, you need your laptop to decrypt the drive.
This projects aims to give a potential solution to that problem. The encryption hub powered with fast iMXRT1010, a small form factor and easy to use operation.
Theoretically, the hub performs 2 functions, encrypt and decrypt files present on your USB stick drives or SD cards. AES 128 encryption is chosen for this prototype. Each hub is identified by the unique ID burned by NXP (the encryption key) so files encrypted by one hub has to be decrypted by the same hub.
To encrypt , user would insert the drive to the micro USB port and press encrypt button (SW4). To decrypt, user would press the decrypt button (J57-2). An LED will lit up when enc/dec operation is in progress and will turn off when it is finished.
In this project, software encryption is used without the use of hardware. In future edition, support for hardware encryption will be used.
1. iMX RT1010 SDK (www.nxp.com)
3. FatFS (elm-chan.org)
2. WolfSSL (www.wolfssl.com)Code development:
MCUxpressor SDK made the development of this project extremely fast thanks to its code generation so I could focus on developing and testing the application. The bulk of the code came from USB host mountable storage device example. From there, application is created and hooked to the corresponding user input events. This project uses 2 buttons, encryption button and decryption button. MCUxpresso Config tool is used to configure these buttons and generate board support package. The buttons are debounced using 1s timer (general purpose timer 2). Encryption and decryption algorithm is provided by Direct AES APIs which operates on buffers. On encryption, original files will encrypt to the original names + ".ENC" posfix. Then the original files are deleted. Likewise for decryption.
WolfSSL direct AES api are used to encrypt and decrypt binary data.
First, a list of files in root directory is obtained by fatfs f_open_dir and f_read_dir. Then it iterates through the list and in turn read a block of 1024 bytes (AES block size) and apply algorithm then write to the new file. For the last remaining of file chunk, it is padded with zero. That's why at the beginning of the file, the first block must specify the actual original file size so that the recovery process can work correctly. Lastly, the original file is deleted by f_unlink.Build Instructions:
git clone https://github.com/wolfSSL/wolfssl.git
Getting wolfssl to compile for IMXRT1010 can be challenging. We want it to compile for bare metal environment so several flags needs to be set to turn off features for RTOS for file based environment. I have experimented and provided the flags that worked here.
# select target here
mkdir -p "$OUTPUT_DIR"
echo "Build dir: $OUTPUT_DIR"
if [ "$TARGET" = "IMXRT1010" ]; then
-Os -mthumb -mcpu=cortex-m7 -mfpu=fpv5-sp-d16 -mfloat-abi=hard -lc -lrdimon -specs=rdimon.specs"
echo "Configuration $TARGET done!"
make src/libwolfssl.la # build library only
echo "Make $TARGET done!"
echo "Install $TARGET successful!"
The necessary flags are set to build wolfSSL for bare metal environment.
MCUxpressor compiler needs to be configured to include header files and library path as well as define flags. See project configurations dialog.Testing
Open terminal console to Imxrt1010 Debug UART port,
On my test thumb drive, 3 files are present, a pdf file, a text file and a png file. Press SW4 to encrypt all files on drive.
Press J57-2 to decrypt all files on drive.
mass storage device attached:pid=0x6387vid=0x58f address=1
fatfs mount as logical driver 1......success
Testing for file integrity can be performed by diff-ing with original and decrypted files.