Hadware encryption strategy


I have board with TPM (TO136). I would like to know what is it the best strategy to add hardware encryption on BalenaOS. Actually, I have /home repository of Debian distribution encrypted by default. During boot, this section is decrypted if µsom have access to the TPM associated. I want to work with BalenaOS while having always persistent data and code source with the most security possible.
Have you any solution for my use case ?


I’ve passed you request internally and we will get back to you.
We already have an internal issue to track TPM on balenaOS but we don’t have a concrete timeline to share.
I’ve associated your request with that issue though, and we will let you know when we add support for this in balenaOS.

Currently we don’t have support for disk encryption in balenaOS. So a frist step would be to add support for disk encryption. A next step would be to add support for hardware backed disk encryption. So the answer to your question is, that unfortunately we don’t have a solution ready for you.

But to extend a bit more on this:

To use a TPM for disk encryption is great, but it depends on the implementation and the thread model one wants to protect against.

  • You can seal secret keys in a TPM and have the TPM measure the software stack that is booted. Only if the measurements match the sealed state the TPM will give access to the secret keys and therefore the disk can be decrypted. This is also called trusted boot with a static root of trust. This would be a very good solution, but it means that for any change to the system one needs to remeasure the new state of the TPM and seal the keys again for the new measurement.

  • One can just keep the secret keys in the TPM and don’t worry about sealing or state of the system, but then an attacker could add software to the none encrypted part of the system that can be written in a way to let them extract the encrypted data from the system anyhow.

I hope this answers your question, if not please let us know. :slight_smile: