Hi there! I’ve just bought a couple of Zymkeys and I’m really excited to try them out. One thing that occurred to me is - what happens when the battery dies and perimeter integrity is set to delete? I’d like to be able to change the battery without bricking the device. Is this possible?
On the zymkey 4i, the tamper detect circuits are inactive when the battery dies. At this point, you can safely change the batteries.
Having said that, there is currently no way to know when the batteries have died. Our future Zymkey 6 will have a battery status feature.
Also FYI, nominal designed battery life is 2.5 years on the 4i.
But once the battery is on again, I imagine that the perimeter will still be breached so that I can access the battery, so it would immediately detect it as a breach. Or am I misunderstanding something?
You are correct, unless you design in some way to connect the tamper detect loop(s) prior to closing up your enclosure.
Is it possible to mount a rechargeable battery so that it will charge itself when connected to power? Designing something that can bypass the tamper detect loop seems like a backdoor to me.
The simplest, most robust solution is to use a larger non-rechargeable battery; an 800 mAh battery, such as a CR2 3.0V industrial lithium, should give you up to 10 years of working life, limited only by the battery, not the zymkey power consumption.
A CR2 (or something of similar capacity) can be connected to the Zymkey with an adapter, such as below.
Make sure to use a 3.0V battery, not 3.6V.
Let us know if you need help sourcing the battery/adapter; we can make direct contact with you, or send to firstname.lastname@example.org.
@Phil_of_Zymbit Using such a solution just postpones the issue; it does not solve it.
Perhaps I misunderstood your use case. If you could share a few objectives that would be helpful.
- What is the desired operating lifetime for your product?
- Do you need the ability to open your device (breach the perimeter) during this operating lifetime?
- If yes, then why do you need the ability to open your device: to change the battery, or something else?
As a customer of Zymbit, I also had the same concern…but soon decided that it is a great thing for the battery to die (not too soon of course) and wipe the keys…ironic but true (no one likes to have abandoned devices, but a working device 10 years later, I doubt would even be possible, unless you are building your own kernel and OS?). I also do not want stale devices out there with outdated updates…better to just kill them and warranty them if clients need that…way cheaper for your fleet of devices, unless you’re making just one? If just one device, do you need an HSM?
Question to answer for yourself (as I had to come to the same realization):
“How long do you want your product to sit idle and unused while technology advances and your company advances? (Remember the battery draw is only when sitting idle.) Phil’s solution provides 10 years out of the box.” IMO, that’s way beyond what we should allow, but this recommendation gives you plenty of time. I mean, if you sell or make a device that sits idle for 10 years, why even bother…after 10 years, and the way the IoT is going, Armageddon will happen before then.
Reply back if more questions, but Zymbit kicks @$$…hands down…don’t be afraid the battery will die…it will die as it should and keep your software and future devices safe.
Sorry for the late reply. I’m going to make an OpenPGP master key store intended for long-term storage. However, after reading hbmaddog’s comment, I realize that after 10 years, as technology evolves, my master key should be updated to a newer algorithm/bigger key size anyway. Breaching the perimeter isn’t that important anymore.
P.S.: I know many people ditch OpenPGP because of the difficulties of securing the master key and key rotation, but I still want to give it a try and see how long I can maintain it.
What happens if the battery dies and you are not using perimeter detection? If you replace the battery and reboot the device will it decrypt the volume as required still or is the key on the zymbit lost?
Had the same response and soon revoked my “I don’t care about perimeter breach”.
To my understanding, yes, Zymkey will work as you described provided perimeter breach is disabled from wiping the encryption keys…but, imagine your case opened, Zymkey disabled from wiping, hacker tethers your device, Zymkey is now decrypted because you chose not to wipe the keys, hacker steals your code and algos for your entire fleet…and the secrets to gain computing power for malicious code injections.
Once I saw that, yeah, I can’t imagine not using perimeter breach to its fullest to protect my entire fleet.
It’s a matter of cost vs reward. If the cost of jeopardizing your entire fleet doesn’t outweigh the reward of a single device, then I guess perimeter detection/breach can be disabled.
Truthfully, I am putting in a request to the Zymbit team to make this a required feature, not optional feature.
Please respond if any other questions…
@Todd - in answer to your specific question,
“What happens if the battery dies and you are not using perimeter detection? If you replace the battery and reboot the device will it decrypt the volume as required still or is the key on the zymbit lost?”
Zymkey4 standard behaviour is as follows: if the battery dies, your keys are not lost in Zymkey. When you reapply power from the host (with or without the battery), the LUKS encryption can still utilize the keys as needed (assuming the same host and SD card).
Back to the original question and response. With all due respect “battery status” should have been a feature implemented right from the start, not on version 6 of your product. Without it, swapping the battery becomes a guessing game. If the battery isn’t dead you brick the system. If the battery IS dead… WHEN did it die? How long have you been running w/o security?
In response to inserting a new battery triggering a breach you wrote “…unless you design in some way to connect the tamper detect loop(s) prior to closing up your enclosure”. I can’t think of a design that has a tight enough loop to trigger when the enclosure is opened yet allows wide enough access to change the battery. I’m thinking at this point you’re bricking your setup when you change the battery, period.
Chasing that thought I realized one needs both encryption AND perimeter breach in order to ensure the security of their system. If a thief were lucky enough to steal a unit with a dead battery, after opening the case they simply remove the Zymkey and voila! Now if only there were a way for you to keep a fresh battery in there w/o bricking the system yourself…
While we’re on the subject of batteries - CR1025 aren’t exactly easy to come by. While you can order them online they’re not standard size and aren’t available in stores (at least in my experience). Is there a substitute that’s more readily available?
When Zymkey 4i was originally designed the battery was not intended to be field replaceable. The designed use case was ‘return to factory’ for authorized service, which included battery replacement. The recommended service cycle was 2 years (depending on use case). This policy was based upon requests from OEMs who, for security reasons, did not want to have their devices opened in the field by any person; instead they adopted a device-exchange & return-to-factory program.
Such a ‘return to factory for service’ does not suit every customer application, hence in our new Zymkey 6 we have addressed the use case of ‘field replaceable battery’. The details of how this will work have not yet been made public, but if you would like to learn more to determine if this is suitable for your application then please contact Zymbit. We would certainly value your input and feedback.
Regarding availability of CR1025 batteries, they are definitely a standard size manufactured by multiple mainstream battery vendors and available through commercial channels. Admittedly less available in retail channels. The following distributors sell CR1025:
The CR1025 battery was selected for its small size / capacity. Unfortunately there are no ‘equivalents’. A practical solution is to use an adapter which allows connection of a larger external (to the zymkey) battery such as the CR2 detailed above or CR2032 shown below. Let us know if you would like us to send you one.
(FYI the zymkey 6 does provide for an external battery).
My thinking is field replaceable would mean you need to provide method for - and tell people - how to bypass the perimeter detection to open the device and change the battery? Would that not create more risk for physical breach?
Just my 2c.
@nonoti - indeed, you are correct. By allowing the unit to be opened in the field, even by ‘authorized personnel’, you introduce a threat vector. Like all security matters though, nothing is absolute and there will always be a trade-off between convenience and security that is dictated by the specific needs of the application. That is why in Zymkey 6, we will be giving the developer the tools to build their own policy: ‘in field battery replacement’, or ‘exchange and return to factory’, or some variant thereof.
Good discussion…on really important stuff.
Is it possible to use zymbit without a battery?
The battery is required to maintain the Real Time Clock, and the perimeter detect circuits when the host power is removed. Without the battery, these two functions will not be active when the host power is removed.
All other functions work without a battery, assuming host power is applied.
I designed my application with an external Arduino that takes care of power management so it can turn the RPi on and off from an external button. I guess I’ll also reserve some ADC sensing for checking on the battery. @Scott_of_Zymbit mentioned there is no way to know if the battery died. I am guessing there is no way to determine whether the tamper circuit is inactive without checking on the battery. The questions that arise for Zymkey 4i are:
- At what battery voltage should I safely consider the battery dead? This is the voltage at which the tamper detect circuits become inactive, so I can open the device to replace the battery without a breach.
- Once the battery has been replaced, what is the procedure to close the device without a breach? Is there a way to make sure the tamper detection circuit was activated?