We’re currently investigating the use of the Zymkey 4i for encrypting our Linux rootfs on an RPi CM3+. Previous investigations during Ubuntu 20.04 times showed it would be possible to just generate a locked key from within a special initramfs for easy first-bootup setup in a factory, resulting in an encrypted rootfs and bootup via the Zymkey.
With Ubuntu 22.04, though, it shows that temporarily running zkifc for setting up /var/lib/zymbit doesn’t result in creation of the required salt file anymore, resulting in an incomplete state during key creation for LUKS to be prepared with a new key.
This is with a custom initramfs which just sets up the device after factory flash and deletes itself from storage after completion.
Have there been changes to the zk utilities that disallow setup without NTP? During factory setup the device wouldn’t have networking abilities, hence it would require a different way of setting up the environment.
@aneum - The short answer is no, nothing changed specifically. I’m not sure if something changed from 20.04 to 22.04. Can you outline the steps that left you without a salt file?
@Bob_of_Zymbit I won’t be able to copy-paste much of the contents from here; again, the ZK utilities and key generation scripts are run inside of a custom initramfs which we boot into and remove/shred prior to shipping the device.
Additionally, it required a stub timedatectl script which returns a status output similar to regular timedatectl from systemd when invoked.
I could give adding a bit of sleep after killing zkifc a shot though, but all the hurdles in the way lead me to believe you are not very interested in running this without some NTP time synchronization guarantee.
Yes, zkifc wants an NTP sync, but your binding will take place without it. And your use case sounds like you don’t need zkifc once you get through your initial setup.
@Bob_of_Zymbit I’ve figured out a way to set up the Zymkey with our custom OS and factory process. We do the setup in the main rootfs via a systemd target and a well-known “temporary” LUKS key. Boot into the systemd target with the known LUKS key, set it all up, and remove the well-known LUKS key afterwards.
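The last step of that approach, removing the well-known temporary LUKS key and proving it is really gone, as an added example that is not from the thread or from Zymbit’s tooling. It assumes a LUKS2 container and that the replacement key material (whatever the Zymkey-backed setup produces) is already in a file; how that file is generated is not shown. The sample `luksDump` text is constructed for the parser check.

```shell
#!/bin/sh
# Added example, not Zymbit's code. Finalise a LUKS2 rootfs that was set up
# with a well-known temporary key: enrol the real key, drop the temporary
# one, then verify the temporary key no longer unlocks the device.

# Count enabled keyslots in `cryptsetup luksDump` output (LUKS2 layout) on stdin.
# Keyslot entries sit under "Keyslots:" as "  N: luks2"; the next top-level
# section header (Tokens:, Digests:, ...) ends the list.
count_luks2_keyslots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/ { n++ }
        END { print n + 0 }
    '
}

# rotate_off_temp_key DEVICE TEMP_KEY_FILE NEW_KEY_FILE
# The temporary key authorises adding the new key, is then removed, and must
# fail to unlock afterwards (--test-passphrase checks without mapping the device).
rotate_off_temp_key() {
    dev=$1; temp_key=$2; new_key=$3
    before=$(cryptsetup luksDump "$dev" | count_luks2_keyslots)
    cryptsetup luksAddKey --key-file "$temp_key" "$dev" "$new_key"
    cryptsetup luksRemoveKey "$dev" "$temp_key"
    after=$(cryptsetup luksDump "$dev" | count_luks2_keyslots)
    # One slot added and one removed: the count must be back where it started.
    [ "$after" -eq "$before" ] || { echo "unexpected keyslot count: $after" >&2; return 1; }
    if cryptsetup open --test-passphrase --key-file "$temp_key" "$dev" 2>/dev/null; then
        echo "temporary key still unlocks $dev" >&2; return 1
    fi
    # The key file itself must not survive on the shipped image either.
    shred -u "$temp_key"
}

# Constructed luksDump excerpt (two enabled keyslots) used for an offline check.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

if [ "$#" -ge 3 ]; then
    rotate_off_temp_key "$1" "$2" "$3"
else
    printf '%s\n' "$SAMPLE_DUMP" | count_luks2_keyslots   # prints 2
fi
```

Run it as `sh finalise-luks.sh /dev/mmcblk0p2 /path/to/temp.key /path/to/new.key` from the setup target; with no arguments it only exercises the parser on the sample dump.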