I just tried to make the LUKS encrypted root filesystem read-only, as outlined here (root fs overlay). But after reboot, the zymkey is no longer bound (console says: ERROR: no zymkeys installed.)
Is the zymkey somehow bound to (some ID of) the filesystem? Has anyone else tried this?
Thanks in advance.
I solved it by running update_encr_initrd
(with no arguments) instead of update-initramfs
after setting up the overlay scripts.
I don’t understand. How is it possible to use LUKS encrypted file system as read-only? Would it be possible to get some advice on how to do it?
We believe it is possible to do, but you will have to prepare the volume for read-only after successful encryption.
One thing to be aware of is that the Zymkey might need to rebind itself from time to time when in developer mode. If this is the case, it will need write access to the directory /var/lib/zymbit. Rebinding typically occurs if you have switched components of the system such as the host pi or the SD card or if the i2c bus has been really busy with other traffic.