Removing the Zymkey after decryption?

Hello everyone!

I followed the guide’s Option 1 to encrypt my Raspberry Pi using Zymbit: Encrypting Root File System with Zymbit Security Modules.

I’d like to know if it’s possible to remove the Zymkey once the LUKS partition is decrypted after boot. This way, it could be used only for booting and then removed and secured. The idea is that if the Pi is stolen, nothing can be decrypted once powered down.

The documentation suggests that there’s a check in place letting me believe it is not possible: ‘Each time the host device boots, and at random intervals thereafter, the Zymbit Security Module rechecks the ID fingerprint. If any of the system components have changed, the fingerprint changes, and the system is considered compromised, leading to authentication failure and shutdown of security services.’

Could someone confirm whether achieving this with the Zymbit module is possible?
Thank you

@Nuopel Interesting idea. Yes, if you are not using the ZYMKEY for anything other than unlocking the encryption key at boot time, you can remove the ZYMKEY once you are booted. Of course you’ll need the ZYMKEY back in place next time you boot.

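A pre-removal sanity check for the setup Bob describes, added here as an example (not code from the thread or from Zymbit): it confirms that / sits on an opened LUKS mapping and that no process still holds the Zymkey's I2C device before the module is unplugged. It assumes the module is on /dev/i2c-1 and that lsof is installed; the mapping name cryptroot and the sample tool outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Zymbit: a pre-removal sanity check for
# the "Zymkey only unlocks the root LUKS volume at boot" setup described above.
# Assumptions: the Zymkey sits on /dev/i2c-1 (typical Raspberry Pi wiring), the opened
# root mapping shows up as TYPE=crypt in lsblk, and lsof is installed.

# root_on_crypt LSBLK_TEXT: succeed if "/" is mounted from a dm-crypt row.
# LSBLK_TEXT is the output of `lsblk -rn -o NAME,TYPE,MOUNTPOINT`.
root_on_crypt() {
    printf '%s\n' "$1" | awk '$2 == "crypt" && $3 == "/" { found = 1 } END { exit !found }'
}

# crypt_root_name LSBLK_TEXT: print the mapping name backing "/" (e.g. cryptroot).
crypt_root_name() {
    printf '%s\n' "$1" | awk '$2 == "crypt" && $3 == "/" { print $1; exit }'
}

# luks_mapping_active STATUS_TEXT: succeed only if `cryptsetup status <name>` reports
# an active mapping whose type is LUKS (not a headerless plain dm-crypt volume).
luks_mapping_active() {
    printf '%s\n' "$1" | grep -q ' is active' &&
    printf '%s\n' "$1" | grep -q '^ *type: *LUKS'
}

# i2c_is_free HOLDER_LIST: succeed if no process name is listed (list may be empty).
i2c_is_free() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Live check against this host (needs root for cryptsetup and lsof).
zymkey_removal_check() {
    dev=${1:-/dev/i2c-1}
    lsblk_out=$(lsblk -rn -o NAME,TYPE,MOUNTPOINT)
    root_on_crypt "$lsblk_out" || { echo "FAIL: / is not on a dm-crypt mapping"; return 1; }
    name=$(crypt_root_name "$lsblk_out")
    luks_mapping_active "$(cryptsetup status "$name")" ||
        { echo "FAIL: $name is not an active LUKS mapping"; return 1; }
    holders=$(for p in $(lsof -t "$dev" 2>/dev/null); do ps -o comm= -p "$p"; done)
    i2c_is_free "$holders" ||
        { echo "FAIL: $dev still held by: $(printf '%s' "$holders" | tr '\n' ' ')"; return 1; }
    echo "OK: / is on open LUKS mapping $name and nothing holds $dev; the volume key is"
    echo "    already in kernel memory, so the module is not needed until the next boot."
}

# Only touch the hardware when explicitly asked and running as root.
[ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--live" ] && zymkey_removal_check
```

Run it as root with `--live` on the Pi; the parsing functions can also be exercised on saved tool output without touching the hardware.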

@Bob_of_Zymbit Great to hear, thank you!

Could you or someone else elaborate on the ‘random intervals’ check performed by the Zymbit Security Module in this case? I’m a bit confused by this part and what it refers to now…

From the doc: ‘Each time the host device boots, and at random intervals thereafter, the Zymbit Security Module rechecks the ID fingerprint. If any of the system components have changed, the fingerprint changes and the system is deemed to have been compromised, authentication fails and all security services are shut down.’