
Securing data on SD card Raspberry Pi

I need to store sensitive data on Raspberry so that software running on Raspberry can use it, but nobody else can. I can set a hard password, disable ttys and so on, but it's easy to remove the SD card and examine it on a PC.

My first try is eCryptFS. It seems to be good, but there is a problem. How do I store the passphrase and use it to mount the encrypted fs? eCryptFS can read the passphrase from a file or take it as a mount argument. Obviously, I cannot use a file as it's stored insecurely. Also, I can write a program which will feed a hard-coded (and obfuscated) passphrase to mount.ecryptfs either as a CLI parameter or from stdin. But in this case it's also possible to run this program and see the whole command line with the passphrase in a process list.

Now I'm considering hard-coding my passphrase in ecryptfs itself (or even reading it from a protected EEPROM) so it will work only on my device. Or I can use other encryption systems, but all of them have to take a key from somewhere. So the only way to do this, as I see it, is EEPROM or hard-coding.

Are there better ways to store sensitive data securely on Raspberry's SD card?

Oleg Antonyan asked Jan 01 '15 12:01




1 Answer

You could use the RaspberryPi unique Serial Number.

You can retrieve it from /proc/cpuinfo

~# cat /proc/cpuinfo 
[...]
Hardware    : BCM2709
Revision    : a01041
Serial      : 00000000407xxxxx

Direct bash command:

~# ID=$(cat /proc/cpuinfo | grep ^Serial | cut -d":" -f2)
~# echo $ID
00000000407xxxxx

If you need to periodically change the encryption password, use the Rpi serial number as a decryption key for a static file that returns the ecryptfs encryption password. OpenSSL is your friend :D

Hope it helps.

Marcolino answered Oct 19 '22 17:10
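
Added example (not part of the answer above and not the answerer's code): one way to do what the answer describes, keeping the eCryptfs passphrase in a static file that OpenSSL decrypts with the board serial, with the serial handed to openssl through the environment so that neither value appears in the process list. The function names, file paths and sample serials are assumptions, and OpenSSL 1.1.1 or later is assumed for `-pbkdf2`; the serial is readable by any process on the Pi, so this binds the SD card to one board and does not hide the key from someone who holds both.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.
# Assumes OpenSSL 1.1.1 or later (for -pbkdf2).

# Print the board serial from a cpuinfo-style file (default: /proc/cpuinfo).
pi_serial() {
    grep '^Serial' "${1:-/proc/cpuinfo}" | head -n 1 | cut -d: -f2 | tr -d '[:space:]'
}

# wrap_passphrase OUTFILE [CPUINFO]: encrypt the passphrase read from stdin.
# The serial reaches openssl via the environment (-pass env:), not argv,
# so it is not visible in the process list.
wrap_passphrase() {
    serial=$(pi_serial "$2")
    [ -n "$serial" ] || { echo "no Serial line found" >&2; return 1; }
    PI_KEY=$serial openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass env:PI_KEY -out "$1"
}

# unwrap_passphrase INFILE [CPUINFO]: print the passphrase on stdout.
# Pipe this into the consumer's stdin; never place it on a command line.
unwrap_passphrase() {
    serial=$(pi_serial "$2")
    [ -n "$serial" ] || { echo "no Serial line found" >&2; return 1; }
    PI_KEY=$serial openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass env:PI_KEY -in "$1"
}

# Round trip on constructed input: two fake cpuinfo files and a sample
# passphrase. Returns 0 only if the matching serial recovers the passphrase
# and a different serial does not.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    printf 'Hardware\t: BCM2709\nSerial\t\t: 00000000deadbeef\n' > "$dir/cpu_a"
    printf 'Serial\t\t: 00000000cafef00d\n' > "$dir/cpu_b"
    printf '%s' 'constructed-passphrase' | wrap_passphrase "$dir/wrapped" "$dir/cpu_a"
    good=$(unwrap_passphrase "$dir/wrapped" "$dir/cpu_a")
    bad=$(unwrap_passphrase "$dir/wrapped" "$dir/cpu_b" 2>/dev/null) || true
    rm -rf "$dir"
    [ "$good" = 'constructed-passphrase' ] && [ "$bad" != 'constructed-passphrase' ]
}
```

On the device, `wrap_passphrase` is run once to create the static file, and the output of `unwrap_passphrase` is piped at boot into whatever reads the passphrase from stdin.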