Is there a way to encrypt the files on an SSD that needs to boot unattended?

1

1

My company is developing a product that is basically a Linux PC with custom software in a fancy box.

Since it uses a commercial SSD for the filesystem, I'm worried that an unscrupulous customer could disassemble the unit, download all of our software off the SSD, and make their own system.

The obvious answer would be to use a BIOS HDD password, but the system has to boot completely unattended. Are there any options out there to encrypt our data, but still boot without entering any passwords? Maybe something related to the CPU serial number or MAC address?

Chriszuma

Posted 2014-04-14T16:30:24.540

Reputation: 115

If reverse-engineering the device is a concern to you, then why not assign a unique ID for each device manufactured and embedding that ID into the code so that it can be traced in the event someone does reverse-engineer it? – bwDraco – 2014-04-14T16:56:51.673

2

I have never seen a Linux implementation, but what you are asking for is basically what the TPM was designed for. Does your system have a TPM? Theoretically the drive encryption keys go on the TPM, and theoretically cannot be extracted. (See bitlocker) – Zoredache – 2014-04-14T17:05:35.783

Answers

3

You can't encrypt an entire HDD and still boot from it without being able to access the data. I mean, if the bootloader can access it, anyone can. What you want to look into is creating a boot loader that has access to just enough to boot, and make the rest secure.

Preferably you want to compile your OS/program to a state where decompiling becomes something so time consuming they'd be better off developing something themselves. Perhaps it is an idea to make the code run solely on specific hardware tags. If the hardware is not present it gives a weird error.

LPChip

Posted 2014-04-14T16:30:24.540

Reputation: 42 190

I was kind of thinking that as well. I guess my follow-up question would be what non-fudgable hardware tag I could use as a lock. – Chriszuma – 2014-04-14T16:38:32.773

2

@Chriszuma: The classical solution to this problem is code obfuscation. Pay attention to the words "weird error": If it is obvious to the user that the software does not run because it is on unauthorized hardware, the user may try to reverse-engineer the hardware itself. If you leave the user unaware as to the reason for the error, they're less likely to try to reverse-engineer the device.

– bwDraco – 2014-04-14T16:59:09.957

0

If you're using Linux as OS you should check out LUKS. It is known to work even on mobile devices.

yorodm

Posted 2014-04-14T16:30:24.540

Reputation: 171

And how does that permit for the system to be booted unattended? AFAIK LUKS requires you to provide a password at the prompt, or as an unencrypted key-file. – Zoredache – 2014-04-14T17:02:51.427

In my opinion "unencrypted key file" sounds like a good place to begin with. Check this and this

– yorodm – 2014-04-14T18:20:48.160
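As an added example (not code from the thread), this is what the "unencrypted key file" approach that yorodm and Zoredache discuss looks like in practice: a root-only key file, a crypttab entry the initramfs uses to unlock without a prompt, and a small self-check. The key path, mapper name, file-backed container and the Debian-style initramfs note are assumptions; the limitation is the one the thread raises, a key file on the same SSD is readable by whoever removes the drive.

```shell
#!/bin/sh
# Added example: unattended LUKS unlock with a key file.
# Assumes cryptsetup 2.x; KEYFILE and MAPPER are hypothetical names.
set -eu

KEYFILE="${KEYFILE:-/etc/keys/data.key}"   # hypothetical location
MAPPER="${MAPPER:-data}"                   # hypothetical mapper name

# Create a 4096-byte random key file that only root can read.
make_keyfile() {
    ( umask 077; dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null )
    chmod 0400 "$1"
}

# Render the /etc/crypttab line (name, source device, key file, options)
# that lets the initramfs open the volume at boot with no password prompt.
# On Debian-style systems the key must also be copied into the initramfs
# (KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook), which is exactly
# why it is recoverable from the unencrypted boot partition.
crypttab_entry() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Return 0 when the key file is mode 0400 (GNU stat).
keyfile_perms_ok() {
    [ "$(stat -c '%a' "$1")" = "400" ]
}

# Live demo against a 32 MiB file-backed container; needs root + cryptsetup.
# Caveat from the thread: this protects nothing against someone who pulls
# the SSD, since the key sits next to the ciphertext. It only helps when the
# key lives elsewhere (TPM-sealed, or on media the attacker cannot read).
demo() {
    img="$(mktemp)"; dd if=/dev/zero of="$img" bs=1M count=32 2>/dev/null
    key="$(mktemp)"; make_keyfile "$key"
    cryptsetup luksFormat --batch-mode --key-file "$key" "$img"
    cryptsetup open --key-file "$key" "$img" "$MAPPER"   # no prompt shown
    cryptsetup close "$MAPPER"
    crypttab_entry "$MAPPER" "$img" "$key"
}

[ "${1:-}" = "demo" ] && demo
```

Run with `demo` as the first argument (as root, with cryptsetup installed) to exercise the container steps; the helper functions work without it.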