Yes, there is no trusted execution environment (TEE) on the Nano, so solutions that require that won’t work. But Simon would like to know what can be done on a Nano.
First, because there is no TEE, the disk encryption/decryption key would likely have to be stored in RAM at some point. A sophisticated attacker with physical access to the machine might be able to extract the key by probing the memory bus. But if this risk is acceptable, then would the following work?
(1) embed the disk encryption/decryption key in the bootloader
(2) encrypt the bootloader with the secureboot key (SBK) using the standard Nano secureboot approach
(3) sign the bootloader using the standard Nano secureboot approach
(4) the bootloader should only load a signed OS, which uses the key to decrypt the disk
Alternatively, in another post it has been suggested that a disk encryption/decryption key could be stored in the odm_reserved fuses, but I have had trouble finding documentation that explains how, when, and whether these fuses can be read by the OS during or after boot.
Jerry, can you point us to more specific documentation about odm_reserved?