Binding, Device ID, and Authentication

Good security begins with assigning each device a unique and unalterable identity (Device ID), that is used to authenticate subsequent interactions with the device.

ZYMKEY generates a unique Device ID by measuring certain attributes of the specific host (Measurement), and then combining that Measurement with the unique ID of that specific ZYMKEY. The process of combing these identifiers uses a cryptographic function, and this process is generally termed binding.

On completion of the binding process, the ZYMKEY is said to be bound to the Pi.

ZYMKEY supports two operating modes:

Developer Mode

: Binding is temporary and the ZYMKEY can be used with a different host SBC and SD card in the future.

Production Mode

: Binding in production mode is permanent! The ZYMKEY can NOT be moved to different host SBC or used with a different SD card.

The tables below summarize the actions in Development Mode vs Production Mode with an encrypted root filesystem.

Developer vs Production Mode

SD Card A′ - image copy of original, encrypted SD Card A

Developer Mode

SD CardZYMKEYPI4Locks/Unlocks
AAAUnlocks
A′AAUnlocks
ABALocked
A′BALocked
AABUnlocks
A′ABUnlocks
ABBLocked
A′BBLocked

Summary: Developer Mode is lenient and will accommodate an SD card change, or a PI4 change (or both). You cannot use a different ZYMKEY.

You also can always start over and re-use the ZYMKEY in a new setup

Production Mode

SD CardZYMKEYPI4Locks/Unlocks
AAAUnlocks
A′AALocked
ABALocked
A′BALocked
AABLocked
A′ABLocked
ABBLocked
A′BBLocked

Summary: Production Mode is strict and will not unlock an encrypted rootfs without the original SD card, original ZYMKEY and original PI. You cannot re-use that ZYMKEY in a different setup.