Menu
I need to store sensitive data on Raspberry so that software running on Raspberry can use it, but nobody else cannot. I can set hard password, disable tty's and so on, but it's easy to remove SD card and examine in on a PC.
My first try is eCryptFS. It seems to be good, but there is a problem. How do I store passphrase and use it to mount encrypted fs? eCryptFS can read passphrase from file or take it as mount argument. Obviously, I cannot use file as it's stored insecurely. Also I can write a program which will feed a hard-coded (and obfuscated) passphrase to mount.ecryptfs either as cli parameter or from stdin. But in this case it's also possible to run this program and see whole command line with passphrase in a process list.
Now I'm considering hard-coding my passphrase in ecryptfs itself (or even read it from protected eeprom) so it will work only on my device. Or I can use another encryption systems, but all of them have to take a key form somewhere. So the only way do do this as I see is eeprom or hard-coding.
Are there better ways to store sensitive data securely on Raspberry's SD card?
645
By converting the Raspberry Pi into Read-Only, it will never corrupt and your system will work perfectly (or at least until the natural lifespan of an SD-card which is around 10 years).
You could use the RaspberryPi unique Serial Number.
You can retrieve it from /proc/cpuinfo
~# cat /proc/cpuinfo
[...]
Hardware : BCM2709
Revision : a01041
Serial : 00000000407xxxxx
Direct bash command:
~# ID=$(cat /proc/cpuinfo | grep ^Serial | cut -d":" -f2)
~# echo $ID
00000000407xxxxx
If you need to periodically change the encryption password, use the Rpi serial number as a decryption key for a static file that returns the ecryptfs encryption password. OpenSSL is your friend :D
Hope it helps.
163
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
