diff --git a/include/image.mk b/include/image.mk
index 92d343c..f93fb01 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -440,6 +440,8 @@ else
   DEVICE_CHECK_PROFILE = $(CONFIG_TARGET_$(if $(CONFIG_TARGET_MULTI_PROFILE),DEVICE_)$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_$(1))
 endif
 
+ROOTFS_ENCRYPT = $(if $(ROE_KEY_DIR),$(wildcard $(ROE_KEY_DIR)/$(ROE_KEY_NAME).key),)
+
 DEVICE_CHECK_FIT_KEY = $(if $(wildcard $(FIT_KEY_DIR)/$(FIT_KEY_NAME).key),install-images,install-disabled)
 DEVICE_CHECK_FIT_DIR = $(if $(FIT_KEY_DIR),$(DEVICE_CHECK_FIT_KEY),install-images)
 
diff --git a/target/linux/mediatek/image/Makefile b/target/linux/mediatek/image/Makefile
index 20e5977..52c266e 100644
--- a/target/linux/mediatek/image/Makefile
+++ b/target/linux/mediatek/image/Makefile
@@ -16,6 +16,14 @@ define Build/sysupgrade-emmc
 		$(IMAGE_ROOTFS)
 endef
 
+define Build/fdt-patch-dm-crypt
+	BIN=$(STAGING_DIR_HOST)/bin \
+	LIBFDT_PATH=$(STAGING_DIR_HOST)/lib \
+	$(TOPDIR)/scripts/fdt-patch-dm-crypt.sh \
+		$(KDIR)/image-sb-$(firstword $(DEVICE_DTS)).dtb \
+		$(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary-$(firstword $(DEVICE_DTS))
+endef
+
 # build squashfs-hashed
 define Build/squashfs-hashed
 	$(CP) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME)) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-$(firstword $(DEVICE_DTS))
@@ -27,6 +35,7 @@ define Build/squashfs-hashed
 	fdt-patch-dm-verify $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary-$(firstword $(DEVICE_DTS)) \
 		$(KDIR)/image-$(firstword $(DEVICE_DTS)).dtb $(KDIR)/image-sb-$(firstword $(DEVICE_DTS)).dtb \
 		$(HASHED_BOOT_DEVICE)
+	$(if $(ROOTFS_ENCRYPT),$(call Build/fdt-patch-dm-crypt))
 endef
 
 # build fw-ar-ver
@@ -40,6 +49,30 @@ define Build/fw-ar-ver
 	$(call get_fw_ar_ver,$(ANTI_ROLLBACK_TABLE),$(AUTO_AR_CONF))
 endef
 
+define Build/rfsk-encrypt
+	BIN=$(STAGING_DIR_HOST)/bin \
+	$(TOPDIR)/scripts/enc-rfsk.sh \
+		-d $(ROE_KEY_DIR) \
+		-f $@ \
+		-k $(ROE_KEY_DIR)/$(ROE_KEY_NAME) \
+		-s $(dir $@)
+endef
+
+define Build/fit-secret
+	BIN=$(STAGING_DIR_HOST)/bin \
+	LIBFDT_PATH=$(STAGING_DIR_HOST)/lib \
+	$(TOPDIR)/scripts/enc-rfsk.sh \
+		-c "config-1" \
+		-d $(ROE_KEY_DIR) \
+		-f $@ \
+		-k $(ROE_KEY_DIR)/$(ROE_KEY_NAME) \
+		-s $(dir $@)
+endef
+
+define Build/rootfs-encrypt
+	$(if $(ROOTFS_ENCRYPT),$(call Build/rfsk-encrypt))
+endef
+
 # build signed fit
 define Build/fit-sign
 	$(TOPDIR)/scripts/mkits.sh \
@@ -54,13 +87,18 @@ define Build/fit-sign
 		-v $(LINUX_VERSION) \
 		$(if $(FIT_KEY_NAME),-S $(FIT_KEY_NAME)) \
 		$(if $(FW_AR_VER),-r $(FW_AR_VER)) \
-		$(if $(CONFIG_TARGET_ROOTFS_SQUASHFS),-R $(ROOTFS/squashfs/$(DEVICE_NAME)))
+		$(if $(CONFIG_TARGET_ROOTFS_SQUASHFS), \
+			$(if $(ROOTFS_ENCRYPT), \
+				-R $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-$(firstword $(DEVICE_DTS)), \
+				-R $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME)))) \
+		$(if $(ROOTFS_ENCRYPT),-m $(addsuffix -rfsk.enc,$(basename $@)))
 	PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage \
 		-f $@.its \
 		$(if $(FIT_KEY_DIR),-k $(FIT_KEY_DIR)) \
 		-r \
 		$@.new
 	@mv $@.new $@
+	$(if $(ROOTFS_ENCRYPT),$(call Build/fit-secret))
 endef
 
 # default all platform image(fit) build 
@@ -78,6 +116,8 @@ define Device/Default
 	pad-rootfs | append-metadata
   FIT_KEY_DIR :=
   FIT_KEY_NAME :=
+  ROE_KEY_DIR :=
+  ROE_KEY_NAME :=
 endef
 
 include $(SUBTARGET).mk