cryptpilot: Confidentiality for OS Booting and Data at Rest in TEEOS

cryptpilot provides comprehensive encryption solutions for confidential computing environments, protecting both system boot integrity and data at rest.

Project Structure

cryptpilot is split into specialized packages:

cryptpilot-fde

Full Disk Encryption - Encrypts entire system disks with boot integrity protection.

The FDE module is split into two packages:

• cryptpilot-fde-host — Host-side tools for disk image conversion and configuration. Used only during the cryptpilot-convert / cryptpilot-enhance workflow. Includes heavy dependencies (qemu-img, libguestfs) that should not be shipped in guest images.
• cryptpilot-fde-guest — Guest-side boot components. Runs inside the target VM during boot (initrd) to set up dm-crypt, dm-verity, LVM, and overlayfs. This is the package installed on the final guest disk image.

Quick Start:

# Encrypt a disk image (requires cryptpilot-fde-host)
cryptpilot-convert --in ./original.qcow2 --out ./encrypted.qcow2 \
    -c ./config_dir/ --rootfs-passphrase MyPassword

📖 Full Documentation | Quick Start Guide

cryptpilot-crypt

Runtime Volume Encryption - Manages encrypted data volumes during system runtime.

• LUKS2 volume encryption
• Auto-open at boot
• Multiple key providers (KBS, KMS, TPM2, etc.)
• Integrity protection with dm-integrity

Quick Start:

# Initialize and open a volume
cryptpilot-crypt init data0
cryptpilot-crypt open data0
mount /dev/mapper/data0 /mnt/data0

📖 Full Documentation | Quick Start Guide

cryptpilot-verity

Static Data Measurement - Tools for computing and verifying hash values of static data.

Features

• Full Disk Encryption: Protect entire system disks including rootfs
• Volume Encryption: Encrypt individual data partitions
• Remote Attestation: Measure and verify boot integrity
• Flexible Key Management: Support for KBS (remote attestation), KMS (Alibaba Cloud), OIDC (federated identity), and custom providers
• Integrity Protection: dm-verity and dm-integrity support
• Auto-Mount: Automatic decryption and mounting at boot

Installation

From Releases

Download from latest release:

# For full disk encryption
# The host package provides tools (cryptpilot-convert, cryptpilot-enhance) for building encrypted images
rpm --install cryptpilot-fde-host-*.rpm

# The guest package contains components running inside the target VM at boot time
# It is installed into the guest rootfs by cryptpilot-convert automatically
rpm --install cryptpilot-fde-guest-*.rpm

# For runtime volume encryption
rpm --install cryptpilot-crypt-*.rpm

# (Optional) Main package for config directory
rpm --install cryptpilot-*.rpm

From Source

Build RPM packages:

make create-tarball rpm-build
rpm --install /root/rpmbuild/RPMS/x86_64/cryptpilot-*.rpm

Or build DEB packages:

make create-tarball deb-build
dpkg -i /tmp/cryptpilot_*.deb

Quick Examples

Encrypt a VM Disk Image (FDE)

cryptpilot-convert --in ./source.qcow2 --out ./encrypted.qcow2 \
    -c ./config_dir/ --rootfs-passphrase MyPassword

📖 Detailed FDE Examples

Encrypt Data Volumes (Crypt)

cryptpilot-crypt init data0
cryptpilot-crypt open data0
mount /dev/mapper/data0 /mnt/data0

📖 Detailed Crypt Examples

Supported Distributions

• Anolis OS 23
• Alibaba Cloud Linux 3

Documentation

Package Documentation

• cryptpilot-fde Documentation

  • FDE Configuration Guide
  • Boot Process
  • cryptpilot-enhance

• cryptpilot-crypt Documentation

  • Volume Configuration Guide

Development

• Development Guide - Build, test, and package

License

Apache-2.0

Contributing

Contributions welcome! Please see Development Guide.

See Also

• Trustee Project - KBS and attestation services
• Confidential Containers - Cloud-native confidential computing