Here's my 2 pence woth:
ilan_sw wrote: ↑
Thu May 23, 2019 9:19 am
1. What are the common methods for this?
Dunno. Frankly I'm not even sure it's possible. The card has to be readable in order to be bootable. You could encrypt the root partition and prompt for a password on boot or store the key on an external device
2. If it's physical barrier - what method / material is recommended?
A physical barrier won't prevent someone getting at the SD card. It'll slow them down and make it more obvious that tampering has occured but that's all. If you glue in the SD card you'll be making problems for later: if the SD card fails (or you need to upgrade it) you can't just swap it out.
If the Pi can be connected to over a network (or serial if the GPIO header is exposed), or if the USB ports are open, a physical barrier on the SD card will be of little value. You don't need physical access to the SD card to read or copy its contents
3. If there are more delicate way, using SW / HW - what are they?
Encrypt your "semi-sensitive data". Store the decryption key on a seperate device (internet server, USB dongle, user's head). If using a password to access this data, store and compare the password the same way that linux does: one way encrypted and compare it against the encrypted one from the user. Use a different password/key for each Pi/SD card.
You could tie things into the Pi's serial number but that could cause maintenance problems (you can't swap out the hardware and keep the same SD card) and there are know to be duplicate serial numbers in the wild.