Score:0

Securing services on mini PC running Ubuntu


I'm working for a startup creating a product which will be rolled out complete with the required hardware.

The hardware is a mini PC running Ubuntu 20.04. The application consists of Python services inside Docker containers, a database and some deep learning models - so essentially the mini PC is used as a server replacement. Users access the application by connecting to a hotspot. At some customers the hardware will be airgapped.

I can't get into too many details, but the configuration makes sense in their special use case.

I have now been tasked with securing the hardware to not allow tampering/modification of the application. I've done a bit of research (see below) but am a little bit out of ideas of what, if anything, can be done to solve this in a satisfactory way.

My Research:

  • The first idea I found was to encrypt the root partition with LUKS and then store the key in TPM - the current hardware does not support TPM (this hopefully is something that can be changed for future hardware purchases)
  • The second idea was to encrypt the root partition and also deliver the partition key. Even though you now need two parts, I don't think that this would make it harder to tamper with.
  • Another idea outside the possibilities of the operating system was to at least obfuscate the application code with something like pyarmor - but this again feels like a very low bar to clear.

I've already tried finding other possibilities - maybe my search queries suck - but I wasn't able to find any satisfactory way to solve this problem. I'm hoping someone here can point me in the right direction.

Score:1

You seem to be re-inventing the appliance.

  • An appliance is a bundled OS + Software package, sometimes with hardware too. When installed, the user has no login or access to the OS; configuration and activity occurs only on the user-facing software interface, GUI, or API.
  • Examples at https://ubuntu.com/appliance

In Ubuntu, an appliance is most easily created using Ubuntu Core with your own custom Snap on top. Ubuntu Core and Snaps are designed for this kind of use.

Ubuntu Server is NOT designed for the use case you describe.

That might just point me in the right direction, thank you!
Score:1

Encryption is something different to securing. Encryption only prevents someone from accessing your data in case of theft. Tampering is done on a -running- system and at that moment the system is unlocked.

To make Ubuntu(/your system) secure:

  • update your system as soon as possible and always apply security updates. Join a security mailing group so you get instant updates about vulnerabilities. I get reports on CVEs; 99% are not interesting, but the 1 time it was, it was good to know (the OpenSSL bug).
  • use decent passwords for admin and enforce a decent password for other users. And change the admin password.
  • do not install 3rd party software unless you can somewhat accept the creator/maintainer. Stick to the base as much as possible.
  • remove all software you do not use. If it is a server: no desktop; use command line.
  • make backups, write emergency plans, and practice them

> obfuscate the application code

That never works. You should consider anyone that should not have access but is getting access to your system to be smart enough to look through that.

One thing we are currently migrating to is splitting servers: our software, database and jasperserver are each on their own instance. The last 2 have NO connection to the internet and can only speak with the server that holds the software.

My fear is that without encryption someone could just take out the hard drive, change the system (e.g. log credentials) and put the drive back in without anyone ever noticing. I've taken steps for basic server security.

Then encryption is indeed the tool to use. Like I said: theft... someone stealing hardware
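
The split described in the answer above (backend services that can only talk to the application), applied to the single-box Docker setup from the question. This is an added example, not part of the original posts; the service names, images, port and data path are hypothetical placeholders.

```yaml
# docker-compose.yml (added example; all names, images and ports are placeholders)
services:
  api:                          # user-facing Python service
    image: example/api:1.0      # placeholder image
    ports:
      - "8443:8443"             # the only port published to hotspot clients
    networks: [frontend, backend]

  models:                       # deep learning inference service
    image: example/models:1.0   # placeholder image
    networks: [backend]         # no published ports, reachable only from api

  db:
    image: example/db:1.0       # placeholder image
    networks: [backend]         # no published ports, reachable only from api
    volumes:
      - dbdata:/var/lib/db      # placeholder data path

networks:
  frontend: {}                  # ordinary bridge network
  backend:
    internal: true              # no route between this network and the outside

volumes:
  dbdata: {}

# Check after "docker compose up -d" (network name is prefixed with the project name):
#   docker network inspect <project>_backend --format '{{.Internal}}'   # prints: true
```

Only `api` is attached to both networks, so a client on the hotspot can reach port 8443 but has no path to `db` or `models` except through the application.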