A little clarification is in order: It is not possible to encrypt the boot partition on a Raspberry Pi. This is because the GPU, which is responsible for the first stage of the boot process on the Broadcomm CPU, would not know how to decrypt the volume.
The solution that we offer is to encrypt the root file system using LUKS. Zymkey is responsible for encrypting/decrypting the LUKS passphrase.
- Will I be able to upgrade the OS to a later version when the boot volume is encrypted with Zymbit ?
If the root file system is encrypted, it is possible to upgrade the OS. However, if the upgrade is a major distribution release, (e.g. Jessie to Stretch) this may not be possible in general.
- For production release, with the Zymbit locked,
I ) If the SD card is to be corrupted, is it possible to reinstall the OS again
No. Even without Zymkey, you would have to reflash the SD card with a new image if the corruption was bad enough that fsck could not repair the volume.
II) If the SD card is bad, Does that mean that I would need a new Zymbit module?
Yes. This is because the SD card CID is used in the fingerprint that Zymkey uses as part of its authorization procedure.
Zymbit recommends the use of high quality SD cards when deploying to the field in order to avoid corruption issues. Also, even though the journaling of the ext4 file system is extremely robust, Zymbit always recommends shutting down a running system in an orderly fashion (e.g. shutdown -H now) as opposed to just cutting off power.