Everything I’ve found suggests that the zymkey derives the “fingerprint” for the device id /authentication from the host computer and the SD card serial numbers.
What if the pi is booting from encrypted USB storage and does not have an SD card inserted? Does it use the USB device vendor id instead?
If so, does the zymkey use all attached USB device ids as components of it’s fingerprint? In other words, will attaching other USB devices (for instance, additional but non-bootable unencrypted storage) change the fingerprint and disable the zymkey?