Tamper access detection and FS crypting with ZymKey from Zymbit?

Hi,

May be you know such device pour PI https://www.zymbit.com/zymkey/ ?

Would it work for BalenaFin + BalenaOS?

My goal would be to ensure no physical violation nor usurpation of our devices.

Do you have plan to support devices for tamper detection and filesystem encryption?

Regards,
Sylvain.

Hi,
I don’t see why the zymkey should not work with the BalenaFin. We currently don’t support FDE in BalenaOS, but do have plans to implement this. I have not tried zymkey myself, but from what I read from their docs, the PKCS#11 and openssl integration, you should be able to leverage this protection also from your application. Since the application could implement a secure storage, which is protected by the zymkey root of trust.

Best Regards,
Andreas

Hi @afitzek,

Thanks for replying. I mentioned one hardware product because I found it, but it could be another one achieving the same goal that you may integrate in your certified product later. We are interested to follow and test your progress on Tamper detection + FDE, if you have issue tracker with notification, I would be happy to follow the progress and participate.

I found an interesting quote on security using Docker and data encryption on this post:

I will experiment and share some progress on that. I will probably start with some compromise on security regarding network access to the device, and focus on the physical access first.

Regards,
Sylvain.

Hi @Sylvain42,

Our plans are still very very early, so we don’t have any issue yet in public trackers, but we linked this thread to our internal issue. So that we can update you when this is done. Since our support for FDE is in the very very early stages, please don’t expect any update in the near future. It is currently on our road map for sometime next year, but it can easily happen, that this will be postponed even further.

Please do share any progress or insights you make, it will definitely help speed up our efforts.

Best Regards,
Andreas

Hi @afitzek,

Thanks for the feedback.

Do you have other TPM device to suggest so I can explore some other hardware too?

Regards,
Sylvain.

Hi @Sylvain42,

I only know about Letstrust (https://www.letstrust.de/) as well, but afaik this is just a TPM and only a TPM does not help too much. So it depends on your security model if this would be another option. In my personal opinion I think the ZymKey might be the better option.

Regards,
Andreas