Hi,
I apologize for the probably stupid questions, but I am new to Linux file system/encryption…
I develop public kiosk applications running on RPi4, and would like to secure it against copying / hacking the license, tampering the OS/software, etc. thanks to this awesome product.
does file encryption work with Raspian set as read-only most of the time (overlayFS), except when I have to update the internal kiosk app (e.g running a RW command via ssh) ?
with the encrypted file system, if the internal kiosk app needs to copy some (non encrypted) files from an external USB stick, for example an app update, will they be automatically copied encrypted to the internal SD ?
with the encrypted file system, if the internal kiosk app copies some files (e.g. text log files) from the SD to an external USB stick, will they be copied decrypted ?
@venetasoft - The rootfs partition encryption provided by the Zymkey is based on LUKS, which provides data at rest encryption, i.e. protects data while locked, or offline. Meaning, if someone steals you SDcard, they will not be able to access your data.
While online (rootfs partition unlocked) the data will appear as a normal file system. You are free to see the files and copy non-encrypted files as your RW permissions allow in and out of the partition.
I will study a little bit how LUKS works, but basically, we have 3 requirements:
With the encrypted file system, if someone extracts the SD card from the RPi, and inserts it on a Linux PC, he should not be able to open any file (for example to reverse engineer our binaries, to bypass the license). Is it correct ?
We will “manually” encrypt two files (using your LOCK API): the app license file, and the app settings file. But, if I correctly understood, it should be theoretically not needed, as the entire file system / partition is encrypted. Is this correct…?
Periodically, we need to update our kiosk, downloading some files from our server, or “manually” via USB. With the encrypted file system, these new files will be automatically encrypted by the file system once downloaded/copied to the SD, is it correct ?
Also correct. Locking a file would give you extra assurance. The locked file can only be unlocked with the same ZYMKEY. For example, you could put that locked file on a USB stick and if someone were to get the USB stick, they could not unlock the file on any other system.
Also correct. When the filesystem is unlocked, you are free to add and remove files. The entire partition is encrypted, so yes all files in the partition are encrypted.
My questions may sound dumb, but I wasn’t able to find any answers.
How does the Zymbit 4i secure the files in the encrypted filesystem when the device (Raspberry Pi) is online and someone tries to read the code using an external monitor, keyboard, or copy the data into their flash drive? Is using the LOCK API in this case necessary, and if so, would it solve the problem?
Our software also changes during its operation some files and executes terminal commands. Wouldn’t that be a problem?
For context, we won’t need to update any part of the software, but we need two external USB devices for the software to operate.