Operate and maintain
Documents under this category provide background concepts and procedures for configuring, operating, and maintaining SR Linux software.
- ACL and Policy-based Routing Guide
  This document describes ACL and policy-based routing configuration for the Nokia Service Router Linux (SR Linux).
- Advanced Solutions Guide
  This document describes how to configure advanced solutions for the Nokia Service Router Linux (SR Linux). Advanced solutions are defined as more complex network-level configurations where additional guidance and more detailed procedures may be required.
- CLI Plug-in Guide
  This document describes how to create custom CLI plug-ins, and defines the classes and utility functions used to create them. It also defines how to install, modify, and remove a CLI plug-in.
- Configuration Basics
  This document describes basic configuration for the Nokia Service Router Linux (SR Linux). Examples of commonly used commands are provided.
- gRIBI Guide
  This guide describes configuration details for the gRPC Routing Information Base Interface (gRIBI) feature set used with the Nokia Service Router Linux (SR Linux).
- Interfaces Guide
  This document describes interface configuration for the Nokia Service Router Linux (SR Linux), including subinterfaces, IRB interfaces, LAGs, DHCP relay, and IPv6 router advertisements.
- MPLS Guide
  This guide describes the services and provides configuration examples for the Multiprotocol Label Switching (MPLS) protocol used with the Nokia Service Router Linux (SR Linux).
- Multicast Routing Protocols Guide
  This guide provides an overview of multicast routing concepts and provides configuration examples for Internet Group Management Protocol (IGMP), Multicast Listener Discovery (MLD), and Protocol Independent Multicast (PIM).
- Network Synchronization Guide
  This guide describes the network synchronization features for the Nokia Service Router Linux (SR Linux).
- P4Runtime Guide
  This document describes SR Linux support for P4Runtime and includes procedures for configuring SR Linux to operate with P4Runtime clients.
- Quality of Service Guide for 7220 IXR and 7250 IXR
  This document describes configuration details for the Quality of Service (QoS) feature set used with the Nokia Service Router Linux (SR Linux) on IXR-series platforms.
- Quality of Service Guide for 7730 SXR
  This document describes configuration details for the Quality of Service (QoS) feature set used with the Nokia Service Router Linux (SR Linux) on SXR-series platforms.
- Routing Protocols Guide
  This document describes routing protocol configuration for the Nokia Service Router Linux (SR Linux), including OSPF, IS-IS, and BGP.
- Segment Routing Guide
  This document describes configuration details for the Segment Routing feature set used with the Nokia Service Router Linux (SR Linux).
- System Management Guide
  This document describes the interfaces used with the Nokia Service Router Linux (SR Linux).
- VPN Services Guide
  This document describes basic configuration for Layer 2 and Layer 3 Virtual Private Network service functionality on the Nokia Service Router Linux (SR Linux). It presents examples to configure and implement various protocols and services.

Disk encryption

Note: This feature is supported on 7250 IXR-6e and 7250 IXR-10e CPM4 with Root of Trust, 7250 IXR-X1b/X3b, and 7730 SXR systems.

Disk encryption protects sensitive information in configuration files, logs, and more generally, files located on disk partitions from unauthorized access at rest.

SR Linux uses dm-crypt kernel module block device encryption and LUKS to encrypt the system partitions using AES-XTS-plain64 with a 512-bit key size. The partitions encrypted are NOKIA-ETC, NOKIA-DATA, and NOKIA-OPT, located in the SSD or SD card of the control card.

The disk encryption key is stored in the Trusted Platform Module (TPM) of the control card and is unique per TPM. The key is read from the TPM to decrypt the disk partitions on boot. As each TPM uses a unique encryption key, the encrypted disk cannot be decrypted using a different control card.

Activating disk encryption

SR Linux supports activating disk encryption per control card. The activation requires a reboot of the control card. During the reboot, the partitions on the targeted control card are automatically encrypted without data loss.

To activate disk encryption, use the following command:

# tools platform trust disk-encryption control <A|B> activate

The following example activates disk encryption on slot A:

# tools platform trust disk-encryption control A activate

The following example shows the warning messages and prompt returned when activating disk encryption:


WARNING: Please proceed to manually reboot the control card for the request to take effect. Disk encryption is applied during the control card initialization after reboot. This request clears after 5 minutes in the absence of a reboot.

Note:

Disk encryption is not activated by default.
To deactivate disk encryption, perform a factory reset of the control card.

Checking disk encryption status

Disk encryption status is available per control card and per partition within the control card.

This example displays the disk encryption status for a control card.

A:Dut-A# info from state platform control A disk-encrypted
    platform {
        control A {
            disk-encrypted true
        }
    }

November 7, 2024