# Install boot key

Source: [https://docs.qualcomm.com/doc/80-88500-2/topic/boot_key_installation.html](https://docs.qualcomm.com/doc/80-88500-2/topic/boot_key_installation.html)

To install the default (boot time) key during boot, perform the following steps:

1. To create a directory /overlay/unencrypted (/overlay is a mount point on the Linux Embedded target) with the context `system_u:object_r:fbe_secure_data_t:s0`, run the following command:

        mkdir -p --context=system_u:object_r:fbe_secure_data_t:s0 /overlay/unencrypted

    The /overlay/unencrypted directory contains the files that store the key and the reference (identifier).
2. To enable the `encrypt` and `stable_inodes` mount options on the file system, run the following command:

        tune2fs -O encrypt,stable_inodes /dev/block/bootdevice/by-name/userdata

    This utility is needed on targets where the `ext4` file system is supported.
3. To generate the boot time (default) key, encrypt it, store it in a file in the /overlay/unencrypted directory, install it in a kernel keyring, and give an identifier, run the following command:

        /usr/bin/lefbe_service -b

    On successive reboots, the command fetches the existing key installed in the kernel keyring and gives the identifier.
4. To set the policy on the /overlay/encrypted\_dir directory using the identifier given by `lefbe_service`, run the following command:

        /sbin/lefbe_mkdir -e /overlay/encrypted_dir

    Once the policy is set, all the filenames and the contents created in the /overlay/encrypted\_dir directory are encrypted.

Note: After the successful execution of all the commands, the content created in the directory /overlay/encrypted\_dir is encrypted (that is, both filename and file content) with the master key installed in the keyring.
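
A post-install check for steps 1 and 2, added here as an example and not part of the Qualcomm documentation or tooling: it confirms the SELinux context on /overlay/unencrypted and that the `encrypt` and `stable_inodes` features set by `tune2fs -O` are present on userdata. The function names are hypothetical, the sample `tune2fs -l` output is constructed, and it assumes `tune2fs -l` and a `stat` that supports `%C` are available on the target.

```shell
#!/bin/sh
# Added example (not vendor code): verify the results of steps 1 and 2.
USERDATA=/dev/block/bootdevice/by-name/userdata
KEYDIR=/overlay/unencrypted
WANT_CTX=system_u:object_r:fbe_secure_data_t:s0

# Constructed sample of `tune2fs -l` output, for trying the parser offline.
SAMPLE_OK='Filesystem volume name:   userdata
Filesystem features:      has_journal ext_attr extent encrypt stable_inodes'

# Read `tune2fs -l` output on stdin. Print every required feature that is
# absent and return 1; print nothing and return 0 when both are present.
missing_fbe_features() {
    feats=$(sed -n 's/^Filesystem features:[[:space:]]*//p')
    missing=""
    for f in encrypt stable_inodes; do
        case " $feats " in
            *" $f "*) ;;                      # whole-word match only
            *) missing="$missing $f" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# Run on the target after the four steps. Assumes stat supports %C
# (SELinux context) and tune2fs is installed; returns non-zero on any failure.
fbe_verify_target() {
    rc=0
    ctx=$(stat -c %C "$KEYDIR" 2>/dev/null) || ctx="(missing)"
    if [ "$ctx" != "$WANT_CTX" ]; then
        echo "FAIL: $KEYDIR context is $ctx, expected $WANT_CTX"
        rc=1
    fi
    if ! m=$(tune2fs -l "$USERDATA" 2>/dev/null | missing_fbe_features); then
        echo "FAIL: userdata lacks feature(s): ${m:-unknown}"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key directory context and ext4 features verified"
    return "$rc"
}
```

Call `fbe_verify_target` as root on the device; `missing_fbe_features` can be tried anywhere with `printf '%s\n' "$SAMPLE_OK" | missing_fbe_features`.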

**Parent Topic:** [File-based encryption (Linux Embedded)](https://docs.qualcomm.com/doc/80-88500-2/topic/file_based_encryption_linux_enabled.html)

Last Published: Aug 18, 2023
