I just got my zymkey to work with a full root disk encryption with the following setup:
- Last raspberry pi OS
- USB boot (no sd card)
- Initramfs decrypt the drive using the zymkey and the “.lock” key file.
The way my IOT is intended to work implies that nobody could interact with the PI physically.
My next step is to have the production mode enabled, which raises a few concerns:
1/ What are the information used to create the pi “fingerprint”? Are these information available on early boot stage? Should I add additional binaries to my initramfs for the production mode?
2/ According to the table found at https://docs.zymbit.com/reference/binding/ , the dev mode doesn’t work with a copied image. In my use-case, I will have to remaster the USB drive after a few operations. Will this prevent the zymkey to work if I use the same PI, same zymkey, same USB drive and an image acquired after (or before?) setting production mode?
3/ Does adding/modifying an USB drive will allow the zymkey to work? If someone takes the USB key out, extract the initramfs he will have the “.lock” file. Does anything prevents him to create a new initramfs, boot another OS (added on a new partition of the original drive or using a second USB) then decrypting the original root drive?
Thank you for your help