INTERLOCK - SecureBoot
42 views
Skip to first unread message
Evan Lausch
Jan 6, 2026, 9:45:19 AM (6 days ago) Jan 6
to USB armory
Hello All / Hello Andrej ,
I have already secure booted my MK2 and have been using the armory-drive application for some time. However, I recently ditched iphone, and would like to contunue using my MK2 armory.
I have been searching long and hard al over the github repos for any information on how to use interlock on a secure booted device.
Can you please provide instructions on how to accomplish this?
I do not mind installing any toolkits or buildroot environments, but I have no idea how to do this on my own.
I have already tried to image the uSD card with the image, and replace the bootloader with "armory-boot-secure.imx" that I have built locally, and also added "armory-boot-secure.conf" and armory-boot-secure.conf.sig to the boot folder, in attempt to get the device to boot, but nothing is happening.
Please let me know if there is any way to get INTERLOCK working on a secure booted deivce. ( or as an alternative, how hard / how many hours work would it take to get Armory-Drive ported to an android APK ? )
Thanks so much!
-Evan
nsk ksn
Jan 6, 2026, 1:36:16 PM (6 days ago) Jan 6
to USB armory
You definitely can! I use my usd with an ecrypted partition. I have interlock installed in debian to access it via linux, and also have installed on the usd (standalone) when I just want to access it directly without booting into linux. The process is the same as creating a secure boot for deb, you just need to add the proper sha256 to the config. The precompiled binaries are there just to load.
"I have already tried to image the uSD card with the image, and replace the bootloader with "armory-boot-secure.imx" that I have built locally, and also added "armory-boot-secure.conf" and armory-boot-secure.conf.sig to the boot folder, in attempt to get the device to boot, but nothing is happening."
Perhaps you fell into a trap i stumbled upon previously.
Read this.
The good thing is that you do have it in secure boot, so thats a plus.
Are you sure interlock is not loaded? What are the lights telling you? Are they both dim? Off?
Warm Regards,
nsk
Andrej Rosano
Jan 7, 2026, 9:49:10 AM (5 days ago) Jan 7
to Evan Lausch, USB armory
Hi Evan,
On 2026-01-06 Tue, Evan Lausch wrote:
> Hello All / Hello Andrej ,
>
> I have already secure booted my MK2 and have been using the armory-drive application for some time. However, I recently ditched iphone, and would like to contunue using my MK2 armory.
>
> I have been searching long and hard al over the github repos for any information on how to use interlock on a secure booted device.
>
> Can you please provide instructions on how to accomplish this?
> I do not mind installing any toolkits or buildroot environments, but I have no idea how to do this on my own.
In case you have used the pre-compiled armory-drive you cannot load other
firmware on that unit as you do not have the secure boot keys to sign the image.
Please check [1].
In case the you have used your custom signed armory-drive you should sign the
interlock firmware with the same keys you used to sign armory-drive.
Thanks
Andrej
[1] https://github.com/usbarmory/armory-drive?tab=readme-ov-file#installation-of-pre-compiled-releases
>
> I have already tried to image the uSD card with the image, and replace the bootloader with "armory-boot-secure.imx" that I have built locally, and also added "armory-boot-secure.conf" and armory-boot-secure.conf.sig to the boot folder, in attempt to get the device to boot, but nothing is happening.
>
> Please let me know if there is any way to get INTERLOCK working on a secure booted deivce. ( or as an alternative, how hard / how many hours work would it take to get Armory-Drive ported to an android APK ? )
>
> Thanks so much!
> -Evan
>
> --
> You received this message because you are subscribed to the Google Groups "USB armory" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to usbarmory+...@googlegroups.com<mailto:usbarmory+...@googlegroups.com>.
> To view this discussion visit https://groups.google.com/d/msgid/usbarmory/d104eecb-6be0-4b11-a0f6-aa81e51209b0n%40googlegroups.com<https://groups.google.com/d/msgid/usbarmory/d104eecb-6be0-4b11-a0f6-aa81e51209b0n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Andrej Rosano | Reversec Foundry | foundry.reversec.com
BDE1 62F4 7020 1588 8046 AE02 EA17 8C32 AB56 54CE
On 2026-01-06 Tue, Evan Lausch wrote:
> Hello All / Hello Andrej ,
>
> I have already secure booted my MK2 and have been using the armory-drive application for some time. However, I recently ditched iphone, and would like to contunue using my MK2 armory.
>
> I have been searching long and hard al over the github repos for any information on how to use interlock on a secure booted device.
>
> Can you please provide instructions on how to accomplish this?
> I do not mind installing any toolkits or buildroot environments, but I have no idea how to do this on my own.
firmware on that unit as you do not have the secure boot keys to sign the image.
Please check [1].
In case the you have used your custom signed armory-drive you should sign the
interlock firmware with the same keys you used to sign armory-drive.
Thanks
Andrej
[1] https://github.com/usbarmory/armory-drive?tab=readme-ov-file#installation-of-pre-compiled-releases
>
> I have already tried to image the uSD card with the image, and replace the bootloader with "armory-boot-secure.imx" that I have built locally, and also added "armory-boot-secure.conf" and armory-boot-secure.conf.sig to the boot folder, in attempt to get the device to boot, but nothing is happening.
>
> Please let me know if there is any way to get INTERLOCK working on a secure booted deivce. ( or as an alternative, how hard / how many hours work would it take to get Armory-Drive ported to an android APK ? )
>
> Thanks so much!
> -Evan
>
> You received this message because you are subscribed to the Google Groups "USB armory" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to usbarmory+...@googlegroups.com<mailto:usbarmory+...@googlegroups.com>.
> To view this discussion visit https://groups.google.com/d/msgid/usbarmory/d104eecb-6be0-4b11-a0f6-aa81e51209b0n%40googlegroups.com<https://groups.google.com/d/msgid/usbarmory/d104eecb-6be0-4b11-a0f6-aa81e51209b0n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Andrej Rosano | Reversec Foundry | foundry.reversec.com
BDE1 62F4 7020 1588 8046 AE02 EA17 8C32 AB56 54CE
Evan Lausch
Jan 7, 2026, 12:01:58 PM (5 days ago) Jan 7
to USB armory
Thanks guys for the quick replies.
I did fuse my own keys and have been successfully signing my own armory-boot-signed.imx ( locally built).
How do I sign the interlock firmware with "my keys" by using the provided already compiled images (without building interlock locally) ?
How can I sign interlocks "u-boot.imx" , and how can I properly create a "armory-boot.conf" ( if that's required to boot the provided "zImage , and .dtb files )
I would really appreciate it if you could please tell me how.
Thanks so much.
Evan
Evan Lausch
Jan 7, 2026, 12:29:38 PM (5 days ago) Jan 7
to USB armory
I am re reading the wiki/secureboot info .
I will try to use habtool to create a signature for u-boot.imx from the interlock release.
I will then concatenate the SIG to create "u-boot-signed.imx" , and will follow the rest of the steps again to write the partitions.
Will post back with results. Sorry I'm not trying to waste anyone's time here. I think I figured it out.
Will test and report back .
Thanks guys.
Evan Lausch
Jan 11, 2026, 12:14:03 PM (20 hours ago) Jan 11
to USB armory
So I got the device booting.
Just wondering if the device is supposed to take literally 6minutes to open the volume "encryptedfs".
I have tried several uSD cards, from 128gb high endurance to 32GB Samsung evo plus,
No matter what I do, the device boots in 15secomds, but the white LED remains solid.
At that time I can open URL 10.0.0.1 and input the volume and password..
No matter what card, even with a 8GB "encryptedfs" LVM volume, I can get it loaded in under 6min.
After testing several times, it always takes 6min to "get in"
Is this normal ? It seems really excessive. 1min OK, but 6min to get in, every boot?
Anyone have any tips?
Appreciate the assistance. Thanks
Evan
Andrea Barisani
Jan 11, 2026, 6:07:37 PM (14 hours ago) Jan 11
to Evan Lausch, USB armory
Did you create the encrypted file system on the USB armory itself or on an external computer?
Cryptsetup has an iteration parameters for the rounds of hashing which is calibrated based on the CPU creating the encrypted file system.
When creating a key from an external host we suggest using iter-time with value 100.
To unsubscribe from this group and stop receiving emails from it, send an email to usbarmory+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/usbarmory/c6b2846b-2355-4c98-a700-007b50fba10an%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages