Your app sounds like a perfect fit for Zymkey 4i.
Regarding your question, you have a few options that trade speed-of-manufacture with level of security:
1. Unique Key for Each Instance - Most Secure (recommended)
The most secure method is to encrypt your file system with a unique key for each specific Raspberry Pi / Zymkey pair. In this case:
a) start with an un-encrypted file system, preferably on a USB disk to speed things up.
b) bind the Zymkey to the host to create a unique Pair
c) run the LUKS file encryption service: using a Pair-unique key, the in-the-clear data is encrypted and placed onto the SD card.
d) remove USB drive
2. Fleet Master Key - Faster, Less Secure
A faster method is to pre-encrypt the file system using a common Master Key across your fleet of devices.
a) Start with a pre-encrypted file system on the SD card. You will encrypt offline using a Master Key of your choice.
b) Bind the Zymkey to the host to create a unique Pair
c) Run the data blob encryption service to encrypt and store your Master Key
Before deciding which is optimal, we suggest you actually try method 1 to determine how long this process takes for your specific application. We have seen ‘encrypt’ times as short as 5 mins. We recommend using a Class 10 SD card and 2X your file system size if you don’t use a USB card (as encrypting needs working space).
Hopefully that gives you enough information to move forward with.
Let us know if you have more questions, or if you want to move to a private dialogue then you can contact us here