I followed the guide’s Option 1 to encrypt my Raspberry Pi using Zymbit: Encrypting Root File System with Zymbit Security Modules.
I’d like to know if it’s possible to remove the Zymkey once the LUKS partition is decrypted after boot. This way, it could be used only for booting and then removed and secured. The idea is that if the Pi is stolen, nothing can be decrypted once powered down.
The documentation suggests that there’s a check in place, leading me to believe it is not possible: ‘Each time the host device boots, and at random intervals thereafter, the Zymbit Security Module rechecks the ID fingerprint. If any of the system components have changed, the fingerprint changes, and the system is considered compromised, leading to authentication failure and shutdown of security services.’
Could someone confirm whether achieving this with the Zymbit module is possible?