Is there a way to encrypt the whole SD card so no one can see into my SD card? I saw that the ZYMBIT project does this stuff. Is it possible to run BalenaOS with ZYMBIT? If not, is there a way to add support for ZYMBIT?
File system encryption is tricky, as most devices do not support any form of hardware-level encryption, so the decryption keys would have to be stored in an accessible area of the device, which means it's not really that secure.
Adding ZYMBIT to BalenaOS is indeed doable. I’ll check with the rest of the balenaOS team to see if that’s on the radar, otherwise keep in mind that BalenaOS is an open source project (https://www.balena.io/os/) and we would welcome these kinds of community contributions!
We’re still discussing this issue internally and there’s no output yet. This will require quite a huge amount of work and we have to think about all the devices we do support, etc.
ZYMBIT looks interesting; however, from what I can see it’s just another barrier to be defeated. For ~$50 per unit I’m not super impressed.
While BalenaOS is open source, the difficulty of this work would make this task beyond that of most Balena OS integrators. A framework to support host OS encryption from the Balena side would likely go a long way, however.
I agree, but there is a small number of SBCs that have an integrated TPM chip, and there is no SBC that has a TPM and is also supported by balenaOS. So I thought that ZYMBIT might be a way for commercial users that need encryption and also want to use an SBC like the Rpi3.