0

I have R scripts which are running on a Raspberry Pi device. I want to encrypt the code and data on the device so that if anyone unmounts the disk and try to read the content via other devices they should not be able to do it.

I used ecryptfs for encrypting the folder, but for automounting volume, we need to keep the passphrase on the same volume (in a file) which defeats the purpose. I want to know, what are the best ways to securing data and code on the device.

The Pi needs to be able to perform an unattended boot, without a password being entered.

Neil Smithline
  • 14,621
  • 4
  • 38
  • 55
anand
  • 103
  • 2

1 Answers1

0

If you're ok encrypting the entire filesystem then I'd recommend using LUKS to encrypt the disk. It may be a bit more difficult to set up at first but provides a really nice solution.

Offensive Security does a beautiful job describing the (somewhat lengthy) process:

https://www.offensive-security.com/kali-linux/raspberry-pi-luks-disk-encryption/

They use Kali Linux, but that's not necessary. Just use a different Raspberry PI OS image in place of that.

The high-level steps:

  1. Download the OS image and copy to an SD card
  2. chroot to the image and install/update several files to prep for crypted boot
  3. Create an initramfs file which includes Dropbear and freshly generated SSH keys
  4. rsync the modified rootfs to a temporary backup location and then delete the rootfs partition from the SD.
  5. Recreate an encrypted partition to restore the root partition data

Good luck!

theoneandonly2
  • 428
  • 2
  • 8
  • If I encrypt the whole disk then that will impact read and write as well. and in our case, we have public data in the disk where read/write frequency is higher, but the directory we want to encrypt does not have much read/write operation. – anand Apr 10 '18 at 11:42
  • @anand - be aware that this solution requires you to SSH to the Rasberry Pi to boot it and `enter a decryption password`. From your question, I'm not sure if unattended boot is a requirement, so this may or may not be a problem. – Neil Smithline Apr 10 '18 at 14:08
  • @anand I don't know of a good answer based on what appear to be your requirements (i.e. if you need an unattended boot). My intuition tells me this isn't possible with a base hardware configuration as one way or another you will need a private key or shared secret on the SD Card, in plain text, to be used to encrypt/decrypt. Take a look at Zymkey, maybe it will meet your requirements. I've never used it, but the 'lock' API function may be useful for encrypting the data using the factory keys and storing it on the SD Card (https://s3.amazonaws.com/zk-sw-repo/zk_app_utils.py.pdf). – theoneandonly2 Apr 10 '18 at 18:11
  • @NeilSmithline Pi may be rebooted on certain conditions so we can not attend all the boots. thus we have to automount ecryptfs. – anand Apr 10 '18 at 18:56
  • Not sure that this is possible @anand. – Neil Smithline Apr 10 '18 at 21:22