openanolis/cryptpilot

cryptpilot: Confidentiality for OS Booting and Data at Rest in TEEOS

cryptpilot provides comprehensive encryption solutions for confidential computing environments, protecting both system boot integrity and data at rest.

Project Structure

cryptpilot is split into specialized packages:

Full Disk Encryption - Encrypts entire system disks with boot integrity protection.

  • Encrypts rootfs and data partitions
  • dm-verity integrity protection
  • Remote attestation and measurement for secure key retrieval
  • Initrd integration for early boot decryption

Quick Start:

# Encrypt a disk image
cryptpilot-convert --in ./original.qcow2 --out ./encrypted.qcow2 \
    -c ./config_dir/ --rootfs-passphrase MyPassword

📖 Full Documentation | Quick Start Guide

Runtime Volume Encryption - Manages encrypted data volumes during system runtime.

  • LUKS2 volume encryption
  • Auto-open at boot
  • Multiple key providers (KBS, KMS, TPM2, etc.)
  • Integrity protection with dm-integrity

Quick Start:

# Initialize and open a volume
cryptpilot-crypt init data0
cryptpilot-crypt open data0
mount /dev/mapper/data0 /mnt/data0

📖 Full Documentation | Quick Start Guide

Static Data Measurement - Tools for computing and verifying hash values of static data.

Features

  • Full Disk Encryption: Protect entire system disks including rootfs
  • Volume Encryption: Encrypt individual data partitions
  • Remote Attestation: Measure and verify boot integrity
  • Flexible Key Management: Support for KBS (remote attestation), KMS (Alibaba Cloud), OIDC (federated identity), and custom providers
  • Integrity Protection: dm-verity and dm-integrity support
  • Auto-Mount: Automatic decryption and mounting at boot

Installation

From Releases

Download the packages from the latest release and install the ones you need:

# For full disk encryption
rpm --install cryptpilot-fde-*.rpm

# For runtime volume encryption
rpm --install cryptpilot-crypt-*.rpm

# (Optional) Main package for config directory
rpm --install cryptpilot-*.rpm

From Source

Build RPM packages:

make create-tarball rpm-build
rpm --install /root/rpmbuild/RPMS/x86_64/cryptpilot-*.rpm

Or build DEB packages:

make create-tarball deb-build
dpkg -i /tmp/cryptpilot_*.deb

Quick Examples

Encrypt a VM Disk Image (FDE)

cryptpilot-convert --in ./source.qcow2 --out ./encrypted.qcow2 \
    -c ./config_dir/ --rootfs-passphrase MyPassword

📖 Detailed FDE Examples

Encrypt Data Volumes (Crypt)

cryptpilot-crypt init data0
cryptpilot-crypt open data0
mount /dev/mapper/data0 /mnt/data0

📖 Detailed Crypt Examples
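Before running the `mount` step above, a practitioner will usually want to confirm that the mapping `cryptpilot-crypt open data0` created is really the LUKS2 volume (with dm-integrity, if configured) that the README describes. The POSIX sh check below is an added example, not cryptpilot's own code: it parses `cryptsetup status` output read on stdin, and both status texts are constructed samples in cryptsetup's field layout.

```shell
#!/bin/sh
# Added example, not part of cryptpilot: sanity-check the mapping that
# `cryptpilot-crypt open data0` creates before mounting /dev/mapper/data0.
# check_mapping_status reads `cryptsetup status <name>` output on stdin and
# succeeds only if the mapping is active, is LUKS2 and, when the second
# argument is 1, carries a dm-integrity tag. Field names follow cryptsetup.

check_mapping_status() {
    name="$1"            # mapping name, e.g. data0
    want_integrity="$2"  # 1 = fail unless dm-integrity is enabled
    status="$(cat)"

    printf '%s\n' "$status" | grep -q "^/dev/mapper/$name is active" \
        || { echo "$name: mapping is not active" >&2; return 1; }
    printf '%s\n' "$status" | grep -Eq '^[[:space:]]*type:[[:space:]]+LUKS2[[:space:]]*$' \
        || { echo "$name: not a LUKS2 mapping" >&2; return 1; }
    if [ "$want_integrity" = 1 ]; then
        printf '%s\n' "$status" | grep -Eq '^[[:space:]]*integrity:[[:space:]]+[^[:space:]]' \
            || { echo "$name: dm-integrity not enabled" >&2; return 1; }
    fi
    return 0
}

# Constructed sample of `cryptsetup status data0` for a LUKS2 + dm-integrity volume.
SAMPLE_WITH_INTEGRITY='/dev/mapper/data0 is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  integrity: hmac(sha256)
  device:  /dev/vdb
  sector size:  4096
  mode:    read/write'

# Constructed sample of a plain LUKS2 volume without integrity, for comparison.
SAMPLE_PLAIN_LUKS2='/dev/mapper/data0 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/vdb
  sector size:  512
  mode:    read/write'

# Live check: only runs where cryptsetup exists and data0 is already open.
if command -v cryptsetup >/dev/null 2>&1 && [ -e /dev/mapper/data0 ]; then
    cryptsetup status data0 | check_mapping_status data0 1 \
        && echo "data0: LUKS2 with integrity, safe to mount"
fi
```

Run it after `cryptpilot-crypt open data0` and before `mount`; a non-zero exit with the reason on stderr means the volume is not in the state your configuration intended.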

Supported Distributions

Documentation

Package Documentation

Development

License

Apache-2.0

Contributing

Contributions are welcome! Please see the Development Guide.

See Also
