I’m thrilled to have found your Zymkey solution as I am working on a project that intends to use both the RPi3 and Zero W as micro web servers to give users local access to private files. Currently we have a master image that gets inserted into each device which is then connected to a CMS so that the content can be customised and managed centrally and remotely from the user. We need to protect the material (it’s nothing juicy) from being accessed by merely removing it and inserting into a computer.
Having read your setup procedures and comments on the blog (along with your intention to ship pre-integrated units in Q4), as each unit is initially identical, is it possible to streamline the setup process in our use case by creating a master config which we can continue to replicate at scale allowing us to make the final lockdown/binding of the key to the device? Initially the build would be based on 10’s of devices but ramping to a few thousand, so need to reduce the manual setup process as much as possible.
Would very much appreciate your guidance.
Your app sounds like a perfect fit for Zymkey 4i.
Regarding your question, you ave a few options that trade speed-of-manufacture with level of security:
1. Unique Key for Each Instance - Most Secure (recommended)
The most secure method is to encrypt your file system with a unique key for each specific Raspberry Pi / Zymkey pair. In this case:
a) start with an un-encrypted file system, preferably on a USB disk to speed things up.
b) bind the Zymkey to the host to create a unique Pair
c) run the LUKS file encryption service: using a Pair unique key the in-the-clear data is encrypted and placed onto the SD card.
d) remove USB drive
2. Fleet Master Key - Faster, Less Secure
A faster method is to pre-encrypt the file system using a common Master Key across your fleet of devices.
a) Start with a pre-encrypted file system on the SD card. You will encrypt offline using a Master Key of your choice.
b) Bind the Zymkey to the host to create a unique Pair
c) Run the data blob encryption service to encrypt and store your Master Key
Before deciding which is optimal, we suggest you actually try method 1 to determine how long this process takes for your specific application. We have seen ‘encrypt’ times as short at 5 mins. We recommend using a Class 10 SD card and 2X your file system size if you don’t use a USB card (as encrypting needs to working space).
Hopefully that gives you enough information to move forward with.
Let us know if you have more questions, or if you want to move to a private dialogue then you can contact us here