Just SD encryption

We use the Zymkey only for encryption of the SD card.
(Raspbian Buster created with the latest Raspberry Pi Imager)

And as per the getting started guide: Getting Started with ZYMKEY 4i
And the LUKS guide: Encrypting Your Root File System on Raspberry Pi - using LUKS & dm-crypt
We get our pi to a state where it is bound in development mode and the SD is encrypted with:

Option 1 - Convert existing SD Card to LUKS

curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash
(although I have no way of verifying this)

So far so good but…
5. Set Perimeter Event Actions to “none” or “notify only”
How do I do this? What is the default setting?
I care not for the API nor do I intend to plan on integrating it in our software.
All I care about is encrypting the SD card so it can’t be used elsewhere.
If I’m actually required to set this to “none” because nowhere does it say what the default value is…
I would just like to be able to run a bash script to set it to “none”, for example:
curl -G https://s3.amazonaws.com/zk-sw-repo/disable_permimeter_detection.sh | sudo bash

I would like two things:

  • Complete the getting started guide without having to dive into the Python modules (a script to disable perimeter)
  • A script I can run to verify the encryption status

Furthermore:
Do I require a battery when we use the Zymkey only for SD encryption?

As stated in Using Perimeter Detect
It seems for SD encryption only the 4i lite version is enough…
(we use the 4i version currently)
But where do I order these 4i lite versions?

Hi Sebastiaan,

The default is set to notify only. There is nothing you need to do. You do not need to use the API.

To verify the root file system is encrypted, you can use the lsblk command and/or look at the contents of /etc/fstab. You can also check /boot/cmdline.txt to see the root file system mount:

pi@raspberrypi:~ $ lsblk
NAME         MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
mmcblk0      179:0    0 14.9G  0 disk  
├─mmcblk0p1  179:1    0  256M  0 part  /boot
└─mmcblk0p2  179:2    0 14.6G  0 part  
  └─cryptrfs 254:0    0 14.6G  0 crypt /
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ cat /etc/fstab
proc            /proc           proc    defaults          0       0
PARTUUID=21df6806-01  /boot           vfat    defaults          0       2
# a swapfile is not a swap partition, no line here
#   use  dphys-swapfile swap[on|off]  for that


# crypto root fs
/dev/mapper/cryptrfs /             ext4    defaults,noatime  0       1
pi@raspberrypi:~ $ cat /boot/cmdline.txt 
console=tty1  elevator=deadline fsck.repair=yes rootwait quiet splash plymouth.ignore-serial-consoles  root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs rng_core.default_quality=1000
pi@raspberrypi:~ $ 

The battery is not required for doing SD encryption.

The 4i lite is a legacy product that is no longer available.

Regards,

Bob
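
The three checks from the reply above (lsblk, /etc/fstab, /boot/cmdline.txt) combined into one script, as an added example that is not part of the original thread and not a Zymbit tool. The function names are illustrative, and the sample input is rebuilt from the output quoted in the reply.

```sh
#!/bin/sh
# Added example, not Zymbit's script. Each parser reads text on stdin,
# so it works on live files or on output saved from another device.

# Mapping name that lsblk lists as TYPE "crypt" mounted on "/".
# Input: output of `lsblk -rno NAME,TYPE,MOUNTPOINT`.
crypt_root_name() {
    awk '$2 == "crypt" && $3 == "/" { print $1; ok = 1; exit } END { exit !ok }'
}

# Device that /etc/fstab mounts on "/" (comment lines are skipped).
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }'
}

# Value of one key=value parameter from the kernel command line.
cmdline_param() {
    tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# verify_encrypted_root LSBLK_OUTPUT_FILE FSTAB_FILE CMDLINE_FILE
# Returns 0 only when all three sources name the same dm-crypt mapping.
verify_encrypted_root() {
    name=$(crypt_root_name < "$1") || { echo "lsblk: / is not a crypt device"; return 1; }
    mapper="/dev/mapper/$name"
    [ "$(fstab_root_device < "$2")" = "$mapper" ] || { echo "fstab: / is not $mapper"; return 1; }
    [ "$(cmdline_param root < "$3")" = "$mapper" ] || { echo "cmdline: root= is not $mapper"; return 1; }
    case "$(cmdline_param cryptdevice < "$3")" in
        *:"$name" | *:"$name":*) ;;
        *) echo "cmdline: no cryptdevice= entry for $name"; return 1 ;;
    esac
    echo "root file system is on $mapper"
}

# Demo on sample files rebuilt from the output quoted in the reply above.
# On the Pi itself, save `lsblk -rno NAME,TYPE,MOUNTPOINT` to a file and pass
# that file together with /etc/fstab and /boot/cmdline.txt.
demo=$(mktemp -d)
printf '%s\n' 'mmcblk0 disk' 'mmcblk0p1 part /boot' 'mmcblk0p2 part' \
    'cryptrfs crypt /' > "$demo/lsblk"
printf '%s\n' '# crypto root fs' \
    '/dev/mapper/cryptrfs / ext4 defaults,noatime 0 1' > "$demo/fstab"
echo 'console=tty1 rootwait root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs' \
    > "$demo/cmdline"
verify_encrypted_root "$demo/lsblk" "$demo/fstab" "$demo/cmdline"
```

A passing result shows that / is mounted through a dm-crypt mapping and that the boot configuration agrees with it; it does not show where the LUKS key is held.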