We are using LEDE 17.01 on our embedded board. We would like to secure the "config files", "custom shell scripts" that are part of LEDE image. WE are looking into LUKS concept(cryptsetup) to create a loop container to mount the /etc/config folder into encrypted container. We are using the below steps to create the container and encrypt the folder. THe system is using JFFS2 filesystem .
The config files need to be readable (and, in some cases writable) on the router at any point in time that a change to the running system is made (not just at boot and not just when "changes" are made to the config, such as hot-plug events and DHCP lease acquisition)
Embedded devices don't have a console on which a decryption key can be entered
This seems to mean that the decryption key needs to be "root-readable" at any point in time
If the decryption key is root-readable, then what does encryption provide you that
hmm, so at every reboot someone has to type a passphrase!?!
We still need to explore how to overcome this step. Either hardcoding passphrase or other means.
The config files need to be readable (and, in some cases writable) on the router at any point in time that a change to the running system is made (not just at boot and not just when "changes" are made to the config, such as hot-plug events and DHCP lease acquisition)
Yes config files need to be readable, so we want to atleast prevent offline reading of config/scripts using binwalk etc..
If the decryption key is root-readable, then what does encryption provide you that
Yes , we have to identify a way to hardcode the key in application or save in a safe location.
I do not think we should support this kind of business... OP is trying to distribute locked down routers, and I think that goes against the spirit of OpenWrt.