SD card encryption

Note:
  • Make sure that the Security Profile is activated before you start encrypting the SD card. 

Please also note the general information on handling encrypted SD cards in the main PLCnext Technology - Info Center.

You can only use the following SD cards for encryption:

  • SD FLASH 8GB PLCNEXT MEMORY LIC (item no. 1151112
  • SD FLASH 32GB PLCNEXT MEMORY LIC (item no. 1151111
  • SD FLASH PLCNEXT MEMORY LIC CFG (item no. 1308064)

These cards have two partitions: The first partition ("system") is reserved for license handling and a second partition for the controller data. This second partition ("overlay") is encrypted using the WBM. 

For the encryption of the SD card, dm-crypt with the encryption mode aes-xts-plain is used. For secure key derivation, argon2id is used.
dm-crypt is a cryptography module of the device mapper in the Linux kernel. dm-crypt can encrypt and decrypt data using various algorithms. The encryption can be applied to any device files, in most cases to partitions (as in this case to the "overlay" partition of the SD card).

Return to topicWould you like to see the process in a flow chart? Click here for more information... 

 

Activating SD card support

Note: Perform these steps in exactly this order as described below! The activation of the support for external SD card and encryption of the SD card must be activated at the same time. This deletes the existing overlay on the SD card and prevents unintentional changes to the currently configured users. You must adhere to this procedure. If you deviate from this procedure, configuration problems may occur. 

To use an encrypted sd card, you must first activate support for the external SD card. Proceed as follows: 

  • Log in to the WBM. 

Return to topicHow do I get to the WBM again? Click here for more information... 

Establishing a connection to the Web-based Management (WBM):

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
    for example: https://192.168.1.10/wbm.

For further information, see WBM.

 

  • Open the SD card page (SecuritySD card). 
  • Click the Activate support button.

    ↪ You will then see the following status:

    ↪ Note the system message at the bottom!
  •  Enable the Reactivation after Factory Reset checkbox. 
  • Proceed with encrypting the SD card as described below.
Note: When using the external SD card under the Security Profile, encryption is mandatory! Proceed with the steps in the next section.

Encrypting the SD card

Note:
  • During the encryption or decryption process a reset to default settings type 1 needs to be performed; the data on the SD card is deleted but the IP address setting is retained.
  • The following steps need to be done in exactly this order. Do not skip a step, do not do anything else in between with your device! 
  • Make sure to have a proper LIC SD card in the slot.
  • In the Data protection section on the SD Card WBM page, click on Activate encryption to prepare the SD card encryption.
    ↪ The Set password for SD card encryption dialog opens.

  • Here you can assign a password or have one generated automatically:
        Option 1: Enter your own password
    • From the Password creation drop-down menu, select Enter.
    • Prepare a password that meets the requirements.
    • Enter the same password in the Encryption password and Confirm encryption password input fields.

      Option 2: Generate a password
    • Select Generate from the Password creation drop-down menu.
      ↪ A password that meets the requirements is generated automatically.
  • Store a note of the password used with this SD card (identifiable by the serial number on the back side) in a safe place.
  • Click on Save.
    ↪ The encryption password is saved on the controller and the SD card encryption is scheduled for execution.
    ↪ In the Status section of the SD Card WBM page you can read now: Encryption request present.
  • Reboot the controller (e.g., via the Cockpit WBM page).
    ↪ The SD card is encrypted and bound to the controller.
         Note: Due to the encryption, this step may take some time.
    ↪ The PLCnext Control is reset to default setting (type 1).
    ↪ The controller boots from the encrypted SD card.
  • Refresh the SD Card WBM page in your browser to see the changed status:
    WBM page as of firmware release >= 2024.0 LTS on controllers with an optional SD card
    SD card encryption status visible

Setting the recovery password

You need a recovery password if you want to use an encrypted LIC SD card with another controller to which the LIC SD card is not bound, for example if a controller needs to be replaced. The recovery password corresponds to the encryption password with which the LIC SD card was originally encrypted.

If a LIC SD card is encrypted and therefore bound to a specific controller, an encryption password has been set. The recovery password corresponds to that encryption password. To use the encrypted LIC SD card with another controller, you have to set its recovery password in the WBM of this controller. With the set recovery password, the LIC SD card is unlocked during the next reboot of the controller.

To unlock and use the protected LIC SD card with another controller (e.g., after replacing the controller due to a defect), you have to set its recovery password in the WBM of that controller, too. Only this way the LIC SD card can be unlocked during the next reboot of that controller.

Assigning the recovery password

You can assign the recovery password in the Recovery password to unlock the protected SD card area:

  • Click on Set recovery password.
    ↪ The Set recovery password to unlock protected SD card dialog opens.
  • Enter the password in the Recovery password and Confirm recovery password input fields and click on Save.
    ↪ The password is stored in the controller.
    ↪ During a reboot this LIC SD card will be proven eligible for this controller.
  • For further reference, store this password along with an identification (e.g., serial number) of the SD card and the controller in a safe place.
  • Refresh the SD Card WBM page in your browser to see the changed status:
    WBM page on controllers with an optional SD card

 

 


• Published/reviewed: 2024-12-16 • Revision 016 •