Making RPi and Zymkey highly secure for network access ;-)


Here is a security tip, which might help people in a similar situation to myself …

You have physically protected your RPi and Zymkey in a box and deployed it. The customer is using it at their location and you don’t need to access it remotely. You do know that you may need to access it, but you are paranoid enough to want that to be possible only when you have it back in the office, on the bench in front of you, on your own private network.
If this is the case then simply configure it to check what IP address it is given by the DHCP server on the network that it is connected to when it boots.
Using your own specially configured DHCP server - solely for this purpose - you can assign a currently used public IP address to the device, because it won’t ever get assigned that address when it is in use with the customer. You could, for example, use a Google DNS server IP address… but don’t, because those will be the first ones that they try now I’ve told you. You do, actually, have the entire IPv4 address space, minus the ‘private address’ space, to use because there are only two devices (maybe three) on this special private network.
You do, of course, need to keep this IP address secret, just like your private SSH key.
So, when the unit boots it checks to see what IP address it has assigned to it. If, and only if, it is the “magic public address”, it enables the SSH server and also, importantly, the RPi’s SSH server is configured to only allow a login by root at a known IP address. This means you can have full root access to your machine, using SSH.
SSH only works at an IP address that cannot be guessed or probed by the customer. When the unit is with them the SSH process is dead and so cannot be compromised. You could even apply this test to other services that are not needed when the RPi is deployed but are very much needed when maintaining it. Oh, and it almost goes without saying, don’t use port 22 for SSH!
Now that’s security taken to a truly paranoid level…
I do hope this tip helps someone who is as concerned about security as I. :wink:
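
The boot-time check described in this post, sketched as an added example (not the poster's own script). Assumptions: the secret address is kept in a root-only file at the hypothetical path `/etc/bench-gate/magic_ip`, the interface is `eth0`, the SSH unit is named `ssh` and is disabled at boot, and `203.0.113.77` is a constructed documentation-range placeholder for the "magic" address.

```shell
#!/bin/sh
# Added example: start sshd only when DHCP handed out the secret bench address.
# Assumed setup: `systemctl disable ssh`, so the service never starts by itself.
MAGIC_FILE="${MAGIC_FILE:-/etc/bench-gate/magic_ip}"  # hypothetical, mode 0600 root
IFACE="${IFACE:-eth0}"                                # assumed interface name

# Read `ip -4 -o addr show` output on stdin, print one bare IPv4 address per line.
extract_ipv4() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }'
}

# Succeed only if the address in $1 is exactly one of the addresses on stdin.
# An empty or malformed value fails closed, so a missing secret never opens SSH.
has_magic_address() {
    magic=$1
    case $magic in
        ''|*[!0-9.]*) return 1 ;;
    esac
    # -F: no regex (dots stay literal); -x: whole line, so .7 never matches .77
    extract_ipv4 | grep -Fxq -- "$magic"
}

# Print "start" or "stop" for the address list on stdin and the secret in $1.
gate_decision() {
    if has_magic_address "$1"; then echo start; else echo stop; fi
}

# Apply the decision to the real system (needs root).
apply_gate() {
    magic=$(cat "$MAGIC_FILE" 2>/dev/null) || magic=''
    decision=$(ip -4 -o addr show dev "$IFACE" scope global | gate_decision "$magic")
    if [ "$decision" = start ]; then
        systemctl start ssh
    else
        systemctl stop ssh
    fi
}

# Only touch services when asked to, e.g. `bench-gate.sh --apply` from a boot unit.
if [ "${1:-}" = "--apply" ]; then
    apply_gate
fi
```

Run it after the DHCP lease has been obtained (for example from a systemd unit ordered after `network-online.target`); if it runs before the interface has an address, the decision is "stop" and SSH stays off.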