diff --git a/README.md b/README.md index 2fe767267..ac8efaf71 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,14 @@ # Digi Embedded Yocto (DEY) 2.0 -## Release 2.0-master +## Release 2.0-r3 This document provides information about Digi Embedded Yocto, Digi International's professional embedded Yocto development environment. Digi Embedded Yocto 2.0 is based on the 2.0 (Jethro) Yocto release. +For a full list of supported features and interfaces please refer to the +online documentation. + # Supported Platforms The current release supports the following hardware platforms: @@ -28,7 +31,6 @@ Software for the following hardware platforms is in beta support: * Digi ConnectCore 6UL * [Digi P/N CC-WMX-JN58-NE](http://www.digi.com/products/models/cc-wmx-jn58-ne) - * [Digi P/N CC-MX-JN58-Z1](http://www.digi.com/products/models/cc-mx-jn58-z1) * Digi ConnectCore 6UL Starter Kit * [Digi P/N CC-WMX6UL-START](http://www.digi.com/products/models/cc-wmx6ul-start) ([Get Started](https://www.digi.com/resources/documentation/digidocs/90001514/default.htm#concept/yocto/c_get_started_with_yocto.htm)) @@ -52,13 +54,11 @@ Documentation is available online on the Digi documentation site: # Downloads -* [Demo images](TBC) -* [Software Development Kit (SDK)](TBC) +* Demo images: ftp://ftp1.digi.com/support/digiembeddedyocto/2.0/r3/images/ +* Software Development Kit (SDK): ftp://ftp1.digi.com/support/digiembeddedyocto/2.0/r3/sdk/ # Release Changelog -## 2.0-r4 - ## 2.0-r3 * Support for the new Digi ConnectCore 6UL System-On-Module and Starter Kit 
@@ -90,9 +90,18 @@ Documentation is available online on the Digi documentation site: # Known Issues and Limitations +This is a list of known issues and limitations at the time of release. An +updated list can be found on the online documentation. + +* When using the TrustFence (TM) U-Boot environment encryption, access to the +U-Boot environment from the Linux OS is not supported. + ## Digi ConnectCore 6UL -## Digi ConnectCore 6UL Starter Kit +* In the Bluetooth interface, the UART hardware flow control doesn’t work +properly. To work around this problem the UART is configured without hardware +flow control at 115200 bps, reducing the maximum throughput of this interface. +This problem will be corrected in newer revisions of the hardware. ## Digi ConnectCore 6 @@ -108,19 +117,21 @@ modes: softAP mode * A maximum of ten connected devices are supported when using Qualcomm's AR6233 Bluetooth Low Energy mode -* When using TrustFence encrypted images secure boot support, the CAAM will -hang the processor when trying to authenticate an encrypted kernel image after -a failed attempt. Hence the target needs to be reset after an authentication -failure. * NXP i.MX6 processor does not set the sticky bit which write protects the SRK_REVOKE eFuse on closed devices. This means that in the ConnectCore 6, key revocation is always possible, no matter the value of the Yocto macro TRUSTFENCE_UNLOCK_KEY_REVOCATION. +* When using TrustFence (TM) encrypted images secure boot support, the CAAM +will hang the processor when trying to authenticate an encrypted kernel image +after a failed attempt. Hence the target needs to be reset after an +authentication failure. ## Digi ConnectCore 6 SBC * The Micrel PHY KSZ9031 may take between five and six seconds to auto-negotiate with Gigabit switches +* Secure uSD booting only supports booting signed images. A uSD image is not +generated if TrustFence (TM) image encryption support is enabled. # Support Contact Information 
diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass index 1805de6e7..9588d2d86 100644 --- a/meta-digi-arm/classes/image_types_digi.bbclass +++ b/meta-digi-arm/classes/image_types_digi.bbclass @@ -185,8 +185,14 @@ IMAGE_CMD_sdcard() { parted -s ${SDIMG} -- unit KiB mkpart primary ext2 $(expr ${IMAGE_ROOTFS_ALIGNMENT} \+ ${BOOT_SPACE_ALIGNED}) -1s parted -s ${SDIMG} unit KiB print + # Set u-boot image to flash depending on whether TRUSTFENCE_SIGN is enabled + SDIMG_UBOOT="${DEPLOY_DIR_IMAGE}/${UBOOT_SYMLINK}" + if [ "${TRUSTFENCE_SIGN}" = "1" ]; then + SDIMG_UBOOT="$(readlink -e ${SDIMG_UBOOT} | sed -e 's,u-boot-,u-boot-signed-,g')" + fi + # Burn bootloader, boot and rootfs partitions - dd if=${DEPLOY_DIR_IMAGE}/${UBOOT_SYMLINK} of=${SDIMG} conv=notrunc,fsync seek=2 bs=512 + dd if=${SDIMG_UBOOT} of=${SDIMG} conv=notrunc,fsync seek=2 bs=512 dd if=${SDIMG_BOOTFS} of=${SDIMG} conv=notrunc,fsync seek=1 bs=$(expr ${IMAGE_ROOTFS_ALIGNMENT} \* 1024) dd if=${SDIMG_ROOTFS} of=${SDIMG} conv=notrunc,fsync seek=1 bs=$(expr ${IMAGE_ROOTFS_ALIGNMENT} \* 1024 + ${BOOT_SPACE_ALIGNED} \* 1024) } diff --git a/meta-digi-arm/conf/machine/include/ccimx6.inc b/meta-digi-arm/conf/machine/include/ccimx6.inc index b0d4e2a7c..2d73b7725 100644 --- a/meta-digi-arm/conf/machine/include/ccimx6.inc +++ b/meta-digi-arm/conf/machine/include/ccimx6.inc @@ -27,7 +27,7 @@ MACHINE_EXTRA_RDEPENDS += " \ e2fsprogs-mke2fs \ e2fsprogs-resize2fs \ parted \ - u-boot-fw-utils \ + ${@base_conditional('TRUSTFENCE_ENCRYPT_ENVIRONMENT', '1', '', 'u-boot-fw-utils', d)} \ " MACHINE_EXTRA_RRECOMMENDS += "${MACHINE_FIRMWARE} ${WIRELESS_MODULE}" MACHINE_EXTRA_RRECOMMENDS += "fsl-alsa-plugins cryptodev-module rng-tools" diff --git a/meta-digi-arm/conf/machine/include/ccimx6ul.inc b/meta-digi-arm/conf/machine/include/ccimx6ul.inc index e8aa9ce89..1b4302fe7 100644 --- a/meta-digi-arm/conf/machine/include/ccimx6ul.inc 
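Review bot: In `IMAGE_CMD_sdcard()` of image_types_digi.bbclass, the signed U-Boot path is derived by running `sed -e 's,u-boot-,u-boot-signed-,g'` over the whole resolved path, so every `u-boot-` occurrence is rewritten, including one in a directory name, and nothing checks that the resulting file exists before `dd` reads it. If `readlink -e` fails, the variable ends up empty and the problem shows up only as a dd error. When `TRUSTFENCE_SIGN` is "1" the build should fail explicitly if the signed artifact is missing, e.g. `[ -f "${SDIMG_UBOOT}" ] || bbfatal "signed U-Boot not found: ${SDIMG_UBOOT}"`. The substitution should be limited to the file name, and `"${SDIMG_UBOOT}"` quoted in the `readlink` and `dd` calls. The function starts before the hunk.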
+++ b/meta-digi-arm/conf/machine/include/ccimx6ul.inc @@ -22,7 +22,7 @@ MACHINE_FIRMWARE ?= "" MACHINE_EXTRA_RDEPENDS += " \ imx-kobs \ mtd-utils-ubifs \ - u-boot-fw-utils \ + ${@base_conditional('TRUSTFENCE_ENCRYPT_ENVIRONMENT', '1', '', 'u-boot-fw-utils', d)} \ " MACHINE_EXTRA_RRECOMMENDS += "${MACHINE_FIRMWARE} ${WIRELESS_MODULE}" MACHINE_EXTRA_RRECOMMENDS += "fsl-alsa-plugins cryptodev-module" diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb index 14e0058c0..daf4509e3 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb @@ -36,7 +36,7 @@ UBOOT_EXTRA_CONF ?= "" python __anonymous() { if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"): - bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN=1) or remove encryption (TRUSTFENCE_DEK_PATH = 0)") + bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_DEK_PATH = \"0\")") } do_compile () { diff --git a/meta-digi-arm/recipes-kernel/kernel-module-qualcomm/kernel-module-qualcomm/qualcomm-pre-up b/meta-digi-arm/recipes-kernel/kernel-module-qualcomm/kernel-module-qualcomm/qualcomm-pre-up index 922b0ce17..60364501f 100644 --- a/meta-digi-arm/recipes-kernel/kernel-module-qualcomm/kernel-module-qualcomm/qualcomm-pre-up +++ b/meta-digi-arm/recipes-kernel/kernel-module-qualcomm/kernel-module-qualcomm/qualcomm-pre-up 
@@ -58,11 +58,13 @@ JP_CODE="0x2" # Check if the DTB_REGION_CODE is in the list of valid codes, # if not use the OTP programmed value. case "${DTB_REGION_CODE}" in - ${US_CODE}|${WW_CODE}|${JP_CODE}) - REGULATORY_DOMAIN=${DTB_REGION_CODE};; - *) - logger -t qca6564 "[ERROR] Invalid region code in device tree, using OTP value" - REGULATORY_DOMAIN=${OTP_REGION_CODE};; + ${US_CODE}|${WW_CODE}|${JP_CODE}) + REGULATORY_DOMAIN=${DTB_REGION_CODE};; + *) + if [ -n "${DTB_REGION_CODE}" ]; then + logger -t qca6564 "[ERROR] Invalid region code in device tree, using OTP value" + fi + REGULATORY_DOMAIN=${OTP_REGION_CODE};; esac BDATA_LINK="${FIRMWARE_DIR}/bdwlan30.bin" diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey-4.1/ccimx6ul/defconfig b/meta-digi-arm/recipes-kernel/linux/linux-dey-4.1/ccimx6ul/defconfig index 78a7376f7..ed1c6ddd4 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-dey-4.1/ccimx6ul/defconfig +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey-4.1/ccimx6ul/defconfig @@ -43,7 +43,6 @@ CONFIG_VFP=y CONFIG_NEON=y CONFIG_BINFMT_MISC=m CONFIG_PM_DEBUG=y -CONFIG_PM_TEST_SUSPEND=y CONFIG_NET=y CONFIG_PACKET=y CONFIG_UNIX=y @@ -188,6 +187,7 @@ CONFIG_CPU_THERMAL=y CONFIG_IMX_THERMAL=y CONFIG_DEVICE_THERMAL=y CONFIG_WATCHDOG=y +CONFIG_WATCHDOG_NOWAYOUT=y CONFIG_MCA_CC6UL_WATCHDOG=y CONFIG_IMX2_WDT=y CONFIG_MFD_DA9052_I2C=y @@ -216,7 +216,6 @@ CONFIG_V4L_MEM2MEM_DRIVERS=y CONFIG_VIDEO_CODA=y CONFIG_SOC_CAMERA_OV2640=y CONFIG_DRM=y -CONFIG_DRM_VIVANTE=y CONFIG_FB=y CONFIG_FB_MXS=y CONFIG_FB_MXC_SYNC_PANEL=y @@ -308,7 +307,6 @@ CONFIG_MXC_PXP_V2=y CONFIG_MXC_PXP_V3=y CONFIG_IMX_SDMA=y CONFIG_MXS_DMA=y -CONFIG_DMATEST=m CONFIG_STAGING=y CONFIG_STAGING_MEDIA=y # CONFIG_IOMMU_SUPPORT is not set @@ -332,11 +330,6 @@ CONFIG_QUOTA_NETLINK_INTERFACE=y # CONFIG_PRINT_QUOTA_WARNING is not set CONFIG_AUTOFS4_FS=y CONFIG_FUSE_FS=y -CONFIG_ISO9660_FS=m -CONFIG_JOLIET=y -CONFIG_ZISOFS=y -CONFIG_UDF_FS=m -CONFIG_MSDOS_FS=m CONFIG_VFAT_FS=y CONFIG_TMPFS=y CONFIG_JFFS2_FS=y 
@@ -380,10 +373,10 @@ CONFIG_CRYPTO_TWOFISH=y # CONFIG_CRYPTO_ANSI_CPRNG is not set CONFIG_CRYPTO_DEV_FSL_CAAM=y CONFIG_CRYPTO_DEV_FSL_CAAM_SM=y -CONFIG_CRYPTO_DEV_FSL_CAAM_SM_TEST=y CONFIG_CRYPTO_DEV_FSL_CAAM_SECVIO=y CONFIG_CRC_CCITT=m CONFIG_CRC_T10DIF=y +CONFIG_CRC_ITU_T=m CONFIG_CRC7=m CONFIG_LIBCRC32C=m CONFIG_FONTS=y diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index 49aa5459d..113ca14ff 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass @@ -65,3 +65,6 @@ python () { if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"): d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y') } + +# SDCARD image is not supported when encryption is enabled, so disable it in such cases +IMAGE_FSTYPES_remove = "${@'' if d.getVar('TRUSTFENCE_DEK_PATH', True) == '0' else 'sdcard'}" diff --git a/meta-digi-dey/conf/distro/dey.conf b/meta-digi-dey/conf/distro/dey.conf index 8e0fbfbe0..83b9a1377 100644 --- a/meta-digi-dey/conf/distro/dey.conf +++ b/meta-digi-dey/conf/distro/dey.conf @@ -1,6 +1,6 @@ DISTRO = "dey" DISTRO_NAME = "Digi Embedded Yocto" -DISTRO_VERSION = "2.0-r2" +DISTRO_VERSION = "2.0-r3" DISTRO_CODENAME = "jethro" SDK_VENDOR = "-deysdk" SDK_VERSION := "${@'${DISTRO_VERSION}'}" diff --git a/meta-digi-dey/recipes-core/base-files/base-files/resize-ext4fs.sh b/meta-digi-dey/recipes-core/base-files/base-files/resize-ext4fs.sh index 1f726b37a..74ce0a3f3 100755 --- a/meta-digi-dey/recipes-core/base-files/base-files/resize-ext4fs.sh +++ b/meta-digi-dey/recipes-core/base-files/base-files/resize-ext4fs.sh 
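Review bot: The new `IMAGE_FSTYPES_remove` line in trustfence.bbclass keeps the sdcard image only when `TRUSTFENCE_DEK_PATH` is exactly `'0'`, so an unset variable (`None`) also drops it. The anonymous python in u-boot-dey_2015.04.bb treats both `"0"` and `None` as encryption disabled, so the two checks disagree unless this class assigns a default earlier, which is not visible in the hunk. Consider `${@'' if d.getVar('TRUSTFENCE_DEK_PATH', True) in ['0', None] else 'sdcard'}`, and extend the comment to say which values mean encryption is off.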
@@ -26,9 +26,12 @@ get_emmc_block_device() { } RESIZE2FS="$(which resize2fs)" +DM_BLOCK_DEVICE="/dev/dm-" EMMC_BLOCK_DEVICE="$(get_emmc_block_device)" if [ -x "${RESIZE2FS}" -a -n "${EMMC_BLOCK_DEVICE}" ]; then PARTITIONS="$(blkid | sed -ne "{s,\(^${EMMC_BLOCK_DEVICE}[^:]\+\):.*TYPE=\"ext4\".*,\1,g;T;p}" | sort -u)" + # Add possible device mapper devices + PARTITIONS="${PARTITIONS} $(blkid | sed -ne "{s,\(^${DM_BLOCK_DEVICE}[^:]\+\):.*TYPE=\"ext4\".*,\1,g;T;p}" | sort -u)" for i in ${PARTITIONS}; do if ! ${RESIZE2FS} ${i} 2>/dev/null; then echo "ERROR: resize2fs ${i}" diff --git a/meta-digi-dey/recipes-core/busybox/busybox-1.23.2/ccimx6ul/acpid.map b/meta-digi-dey/recipes-core/busybox/busybox-1.23.2/ccimx6ul/acpid.map new file mode 100644 index 000000000..7755a2a33 --- /dev/null +++ b/meta-digi-dey/recipes-core/busybox/busybox-1.23.2/ccimx6ul/acpid.map @@ -0,0 +1,3 @@ +#s_type n_type(hex) s_code n_code value description +EV_KEY 0x01 KEY_SLEEP 142 1 pswitch-suspend +EV_KEY 0x01 KEY_POWER 116 1 pswitch-poweroff diff --git a/meta-digi-dey/recipes-core/busybox/busybox-1.23.2/ccimx6ul/suspend b/meta-digi-dey/recipes-core/busybox/busybox-1.23.2/ccimx6ul/suspend index d597339b6..a87cdcd65 100755 --- a/meta-digi-dey/recipes-core/busybox/busybox-1.23.2/ccimx6ul/suspend +++ b/meta-digi-dey/recipes-core/busybox/busybox-1.23.2/ccimx6ul/suspend @@ -29,12 +29,16 @@ suspend_interfaces() { if grep -qs '^wlan0' /var/run/ifstate; then ifdown wlan0 && up_wlan_on_resume="1" && sleep 0.5 && rmmod wlan fi + if hcitool -i hci0 dev >/dev/null 2>&1; then + hciconfig hci0 down && up_hci0_on_resume="1" && sleep 0.5 + fi } resume_interfaces() { if ! grep -qs '^wlan0' /var/run/ifstate; then [ -n "${up_wlan_on_resume}" ] && modprobe wlan && sleep 0.5 && ifup wlan0 fi + [ -n "${up_hci0_on_resume}" ] && hciconfig hci0 up } while getopts "h" c; do 
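Review bot: The added `blkid` pipeline in resize-ext4fs.sh selects every `/dev/dm-*` node that reports ext4, not only mappings backed by `${EMMC_BLOCK_DEVICE}`, so any other device-mapper volume present at boot is also passed to `resize2fs`. If only the encrypted rootfs mapping is intended, restrict the match to that mapping, or check the backing device listed under `/sys/block/dm-N/slaves` before resizing. At minimum, document the assumption in the comment, e.g. `# Only the TrustFence cryptroot mapping is expected to exist here`. The surrounding `if` block continues past the hunk.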
diff --git a/meta-digi-dey/recipes-core/busybox/busybox_1.23.2.bbappend b/meta-digi-dey/recipes-core/busybox/busybox_1.23.2.bbappend index 89ba06284..f7b942600 100644 --- a/meta-digi-dey/recipes-core/busybox/busybox_1.23.2.bbappend +++ b/meta-digi-dey/recipes-core/busybox/busybox_1.23.2.bbappend @@ -38,6 +38,9 @@ FILES_${PN}-acpid = " ${sysconfdir}/init.d/busybox-acpid \ INITSCRIPT_PACKAGES =+ "${PN}-acpid" INITSCRIPT_NAME_${PN}-acpid = "busybox-acpid" +# Start busybox-syslog at a very early state +INITSCRIPT_PARAMS_${PN}-syslog = "defaults 02" + # static-nodes package (create static nodes from /etc/device_table) PACKAGES =+ "${PN}-static-nodes" FILES_${PN}-static-nodes = "${sysconfdir}/init.d/busybox-static-nodes" diff --git a/meta-digi-dey/recipes-core/init-ifupdown/init-ifupdown_1.0.bbappend b/meta-digi-dey/recipes-core/init-ifupdown/init-ifupdown_1.0.bbappend index ff4378aa5..35acc7e94 100644 --- a/meta-digi-dey/recipes-core/init-ifupdown/init-ifupdown_1.0.bbappend +++ b/meta-digi-dey/recipes-core/init-ifupdown/init-ifupdown_1.0.bbappend 
@@ -46,37 +46,38 @@ do_install_append() { # Cellular interface if [ -n "${@bb.utils.contains('DISTRO_FEATURES', 'cellular', '1', '', d)}" ] && [ -n "${CELLULAR_INTERFACE}" ]; then cat ${WORKDIR}/interfaces.cellular >> ${D}${sysconfdir}/network/interfaces + [ -n "${CELLULAR_AUTO}" ] && sed -i -e 's/^#auto ##CELLULAR_INTERFACE##/auto ##CELLULAR_INTERFACE##/g' ${D}${sysconfdir}/network/interfaces sed -i -e 's,##CELLULAR_INTERFACE##,${CELLULAR_INTERFACE},g' ${D}${sysconfdir}/network/interfaces - [ -n "${CELLULAR_AUTO}" ] && sed -i -e 's/#auto/auto/g' ${D}${sysconfdir}/network/interfaces + if [ -n "${CELLULAR_APN}" ]; then - sed -i -e 's/apn/apn ${CELLULAR_APN}/g' ${D}${sysconfdir}/network/interfaces + sed -i -e 's/^\([[:blank:]]*\)apn/\1apn ${CELLULAR_APN}/g' ${D}${sysconfdir}/network/interfaces else - sed -i -e '/apn/d' ${D}${sysconfdir}/network/interfaces + sed -i -e '/^[[:blank:]]*apn/d' ${D}${sysconfdir}/network/interfaces fi if [ -n "${CELLULAR_PIN}" ]; then - sed -i -e 's/pin/pin ${CELLULAR_PIN}/g' ${D}${sysconfdir}/network/interfaces + sed -i -e 's/^\([[:blank:]]*\)pin/\1pin ${CELLULAR_PIN}/g' ${D}${sysconfdir}/network/interfaces else - sed -i -e '/pin/d' ${D}${sysconfdir}/network/interfaces + sed -i -e '/^[[:blank:]]*pin/d' ${D}${sysconfdir}/network/interfaces fi if [ -n "${CELLULAR_PORT}" ]; then - sed -i -e 's/port/port ${CELLULAR_PORT}/g' ${D}${sysconfdir}/network/interfaces + sed -i -e 's/^\([[:blank:]]*\)port/\1port ${CELLULAR_PORT}/g' ${D}${sysconfdir}/network/interfaces sed -i -e 's,dhcp,manual,g' ${D}${sysconfdir}/network/interfaces else - sed -i -e '/port/d' ${D}${sysconfdir}/network/interfaces + sed -i -e '/^[[:blank:]]*port/d' ${D}${sysconfdir}/network/interfaces fi if [ -n "${CELLULAR_USER}" ]; then - sed -i -e 's/user/user ${CELLULAR_PORT}/g' ${D}${sysconfdir}/network/interfaces + sed -i -e 's/^\([[:blank:]]*\)user/\1user ${CELLULAR_USER}/g' ${D}${sysconfdir}/network/interfaces else - sed -i -e '/user/d' ${D}${sysconfdir}/network/interfaces + sed 
-i -e '/^[[:blank:]]*user/d' ${D}${sysconfdir}/network/interfaces fi if [ -n "${CELLULAR_PASSWORD}" ]; then - sed -i -e 's/password/password ${CELLULAR_PORT}/g' ${D}${sysconfdir}/network/interfaces + sed -i -e 's/^\([[:blank:]]*\)password/\1password ${CELLULAR_PASSWORD}/g' ${D}${sysconfdir}/network/interfaces else - sed -i -e '/password/d' ${D}${sysconfdir}/network/interfaces + sed -i -e '/^[[:blank:]]*password/d' ${D}${sysconfdir}/network/interfaces fi fi diff --git a/meta-digi-dey/recipes-core/packagegroups/packagegroup-dey-core.bb b/meta-digi-dey/recipes-core/packagegroups/packagegroup-dey-core.bb index 7b6c6baa7..ecacb5581 100644 --- a/meta-digi-dey/recipes-core/packagegroups/packagegroup-dey-core.bb +++ b/meta-digi-dey/recipes-core/packagegroups/packagegroup-dey-core.bb @@ -55,3 +55,5 @@ RRECOMMENDS_${PN} = "\ ${MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS} \ ${MACHINE_EXTRA_RRECOMMENDS} \ " + +do_package[vardeps] = "TRUSTFENCE_ENCRYPT_ENVIRONMENT" diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb index dfe67b5a9..7fb2bdc45 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb @@ -4,13 +4,17 @@ SUMMARY = "Trustfence initramfs required files" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" -SRC_URI = "file://trustfence-initramfs-init" +SRC_URI = " \ + file://trustfence-initramfs-init \ + file://trustfence-install.sh \ +" S = "${WORKDIR}" do_install() { - install -d ${D}${sbindir} + install -d ${D}${base_sbindir} install -m 0755 trustfence-initramfs-init ${D}/init + install -m 0755 trustfence-install.sh ${D}${base_sbindir} } # Do not create debug/devel packages 
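Review bot: In the cellular block of `do_install_append()`, `CELLULAR_APN`, `CELLULAR_PIN`, `CELLULAR_USER` and `CELLULAR_PASSWORD` are pasted unescaped into `s/…/…/` replacements, so a value containing `/`, `&` or a backslash either breaks the sed expression or is written to the interfaces file altered; a password is the likeliest place for such characters. Escape each value first, for example by passing it through `sed -e 's/[&/\]/\\&/g'`, and use the escaped copy in the replacement. The unchanged `sed -i -e 's,dhcp,manual,g'` in the `CELLULAR_PORT` branch is still unanchored and rewrites every `dhcp` in the file, including other interfaces' stanzas. The PIN and password end up in clear text in `${sysconfdir}/network/interfaces`, so the installed file's mode is worth confirming; it is set outside this hunk, as is the start of the function.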
diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init index 441635f73..899f5c4e0 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init @@ -31,10 +31,13 @@ mkdir -p /var/run && rngd for arg in $(cat /proc/cmdline); do case "${arg}" in - init=*|rescue=1|root=*) eval ${arg};; + init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};; esac done +# Translate "PARTUUID=..." to real device +root="$(findfs ${root})" + # Jump to a rescue shell if requested if [ -n "${rescue}" ]; then # Expand console and respawn if exited @@ -44,8 +47,14 @@ if [ -n "${rescue}" ]; then done fi -# Translate "PARTUUID=..." to real device -root="$(findfs ${root})" +# Run install script if "trustfence_install" kernel parameter exists +if [ -n "${trustfence_install}" ]; then + trustfence-install.sh ${trustfence_install} ${root} + sleep 1 + echo ">> Rebooting the system" + sleep 1 + sync && reboot -f +fi # Open LUKS encrypted device if trustfence-tool ${root} cryptroot; then diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh new file mode 100644 index 000000000..4b83e3caf --- /dev/null +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh 
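Review bot: Adding `trustfence_install=*` to the `eval ${arg}` arm in trustfence-initramfs-init widens the set of kernel command-line words that the initramfs evaluates as shell code, so a value containing `;`, backticks or `$(...)` would be executed rather than stored. The value is only needed as a string, so assign it by parameter expansion instead, e.g. `trustfence_install=*) trustfence_install="${arg#trustfence_install=}";;`, and treat `init=` and `root=` the same way. The `for` loop over `/proc/cmdline` begins just above this arm and the rest of the script lies outside the hunk.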
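Review bot: The new install branch in trustfence-initramfs-init ignores the exit status of `trustfence-install.sh` and always continues to `sync && reboot -f`, so a failed install reboots with no distinct signal and repeats if the parameter is still on the command line. Any boot carrying `trustfence_install=` also re-initialises `${root}` with a new key, while the script's own header calls it a testing aid; consider shipping this path only when an explicit build-time option enables it. Quote the arguments and act on failure, e.g. `trustfence-install.sh "${trustfence_install}" "${root}" || echo ">> Install failed"`.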
@@ -0,0 +1,89 @@ +#!/bin/sh +#=============================================================================== +# +# trustfence-install.sh +# +# Copyright (C) 2016 by Digi International Inc. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 as published by +# the Free Software Foundation. +# +# +# !Description: Wrapper script for initial deployment of encrypted rootfs +# +# The script gathers the needed information from the 'trustfence_install' +# kernel command line parameter with following syntax: +# +# trustfence_install="source:serverip:filename" +# source -> 'tftp' | +# serverip -> | '' (serverip or empty if local) +# filename -> (path relative to 'source') +# +# For 'tftp' mode the kernel IP autoconfig may be used to bring the network +# interface up, with 'ip' kernel parameter. Examples: +# +# ip=:::::eth0:off +# ip=dhcp +# +# This script is meant for testing purposes. It's NOT a stable API and may +# be subject to change. +# +#=============================================================================== + +set -o pipefail + +TF_INSTALL_INFO="${1}" +TF_ROOTFS_DEV="${2}" + +error() { + [ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}" + exit 1 +} + +# Parse trustfence_install kernel parameter +IFS=":" read SOURCE SERVERIP FILENAME <<_EOF_ +${TF_INSTALL_INFO} +_EOF_ + +# Validate command line arguments +if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then + error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}" +elif ! 
[ -b "${TF_ROOTFS_DEV}" ]; then + error "${TF_ROOTFS_DEV} is not a block device" +fi + +# Generate random key, initialize the partition and open the virtual mapped device +trustfence-tool --format --newkey "${TF_ROOTFS_DEV}" cryptroot +if [ "${?}" != "0" ]; then + error "trustfence-tool: open mapped device" +fi + +# Install image to the encrypted mapped device +if [ "${SOURCE}" = "tftp" ]; then + printf "\nInstalling ${FILENAME} from TFTP\n\n" + tftp -g -l - -r "${FILENAME}" "${SERVERIP}" | pv -tprebW | dd of=/dev/mapper/cryptroot 2>/dev/null + if [ "${?}" != "0" ]; then + error "write ${FILENAME}" + fi +elif [ -b "${SOURCE}" ]; then + printf "\nInstalling ${FILENAME} from local media\n\n" + MOUNTPOINT="/media/$(basename ${SOURCE})" + FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')" + mkdir -p ${MOUNTPOINT} + mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT} + pv -tprebW ${MOUNTPOINT}/${FILENAME} | dd of=/dev/mapper/cryptroot 2>/dev/null + if [ "${?}" != "0" ]; then + error "write ${FILENAME}" + fi + umount ${SOURCE} +else + error "${SOURCE} is neither a block device nor 'tftp'" +fi + +echo "" +echo "#######################" +echo "# Install completed #" +echo "#######################" +echo "" diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb index 88eb069b9..7d42d034e 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb @@ -6,7 +6,7 @@ LICENSE = "CLOSED" SRC_URI = "${DIGI_PKG_SRC}/${BP}.tar.gz" -SRC_URI[md5sum] = "1140b71d0e619001b677117e8938be48" -SRC_URI[sha256sum] = "13eecca139dfb6470204c75291c5791144dea098653f52d39d847b2aee3fe19b" +SRC_URI[md5sum] = "eea4efe8b8e7527a0ffeea16fd238ba3" +SRC_URI[sha256sum] = "aefeb08f2db59c891cf1162488499448bf9d80d64b2778d4fda11343793373e7" inherit bin_package 
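Review bot: In trustfence-install.sh, `trustfence-tool --format --newkey` runs before `SOURCE` is checked to be either `tftp` or a block device, so the final `else` branch (`${SOURCE} is neither a block device nor 'tftp'`) is reached only after the root partition has already been re-initialised. Move that check into the argument validation ahead of the format step, e.g. `[ "${SOURCE}" = "tftp" ] || [ -b "${SOURCE}" ] || error "${SOURCE} is neither a block device nor 'tftp'"`. The image fetched with `tftp -g` is piped straight into `/dev/mapper/cryptroot` with no digest or signature comparison, so the header comment should state that the transport is unauthenticated, or the script should compare a digest of the written data. `${FILENAME}` is also used inside the `printf` format string, and `${SOURCE}`, `${MOUNTPOINT}` and `${FILENAME}` are unquoted in the local-media branch; `printf '\nInstalling %s from TFTP\n\n' "${FILENAME}"` and quoted expansions avoid format and word-splitting surprises.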
diff --git a/sdk/build-github.sh b/sdk/build-github.sh index 6ec295345..bbe509e71 100755 --- a/sdk/build-github.sh +++ b/sdk/build-github.sh @@ -29,7 +29,7 @@ MANIFEST_URL="https://github.com/digi-embedded/dey-manifest.git" RM_WORK_CFG=" INHERIT += \"rm_work\" # Exclude rm_work for some key packages (for debugging purposes) -RM_WORK_EXCLUDE += \"dey-image-qt linux-dey u-boot-dey\" +RM_WORK_EXCLUDE += \"dey-image-qt linux-dey qtbase u-boot-dey\" " X11_REMOVAL_CFG=" diff --git a/sdk/build.sh b/sdk/build.sh index c668c50ef..ba4533982 100755 --- a/sdk/build.sh +++ b/sdk/build.sh @@ -42,7 +42,7 @@ BB_GENERATE_MIRROR_TARBALLS = \"1\" RM_WORK_CFG=" INHERIT += \"rm_work\" # Exclude rm_work for some key packages (for debugging purposes) -RM_WORK_EXCLUDE += \"dey-image-qt linux-dey u-boot-dey\" +RM_WORK_EXCLUDE += \"dey-image-qt linux-dey qtbase u-boot-dey\" " X11_REMOVAL_CFG=" @@ -238,7 +238,7 @@ for platform in ${DY_PLATFORMS}; do printf "\n[INFO] Building the ${target} target.\n" time bitbake ${target} # Build the toolchain for DEY images - if [ "${DY_BUILD_TCHAIN}" = "true" ] && echo "${target}" | grep -qs '^dey-image-[^-]\+$'; then + if [ "${DY_BUILD_TCHAIN}" = "true" ] && echo "${target}" | grep -qs '^\(core\|dey\)-image-[^-]\+$'; then printf "\n[INFO] Building the toolchain for ${target}.\n" time bitbake -c populate_sdk ${target} fi diff --git a/sdk/mkproject.sh b/sdk/mkproject.sh index 1c70b14e6..946dad902 100755 --- a/sdk/mkproject.sh +++ b/sdk/mkproject.sh @@ -28,7 +28,7 @@ MKP_NONE="\033[0m" MKP_CONFIGPATH="${MKP_SCRIPTPATH}/sources/meta-digi/sdk/config" # Blacklist platforms (not officially supported in a DEY release) -MKP_BLACKLIST_PLATFORMS="" +MKP_BLACKLIST_PLATFORMS="ccardimx28js" MKP_SETUP_ENVIRONMENT='#!/bin/bash