8

I need to store sensitive data on a Raspberry so that software running on the Raspberry can use it, but nobody else can. I can set a hard password, disable ttys and so on, but it's easy to remove the SD card and examine it on a PC.

My first try is eCryptFS. It seems to be good, but there is a problem. How do I store the passphrase and use it to mount the encrypted fs? eCryptFS can read the passphrase from a file or take it as a mount argument. Obviously, I cannot use a file as it's stored insecurely. Also, I can write a program which will feed a hard-coded (and obfuscated) passphrase to mount.ecryptfs either as a CLI parameter or from stdin. But in this case it's also possible to run this program and see the whole command line with the passphrase in the process list.

Now I'm considering hard-coding my passphrase in ecryptfs itself (or even reading it from a protected EEPROM) so it will work only on my device. Or I can use other encryption systems, but all of them have to take a key from somewhere. So the only way to do this, as I see it, is EEPROM or hard-coding.

Are there better ways to store sensitive data securely on Raspberry's SD card?

Oleg Antonyan
  • I haven't tried [eCryptFS](https://wiki.archlinux.org/index.php/ECryptfs) but I think what you're looking for is what's called an '[encrypted root](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system)'. Use [dm-crypt](https://wiki.archlinux.org/index.php/Dm-crypt). – Steve Jan 01 '15 at 14:18
  • There is still the same problem with dm-crypt: how to store the key/passphrase? When you don't have physical access to the storage device it's OK to put it into /root/somewhere with 400 permissions. But anybody can pull the SD card and easily use it to mount the encrypted partition. – Oleg Antonyan Jan 02 '15 at 08:56
  • For non-root partitions, like `home` and `swap`, put your LUKS keys in `/etc` (i.e. under root). For the root partition, you still need some way of manually entering a root passphrase. If you don't have physical access to your RPi, you can use [dropbear SSH](https://wiki.archlinux.org/index.php/Secure_Shell#Dropbear) (early-SSH) which provides a simple initramfs hook. – Steve Jan 03 '15 at 00:58

2 Answers

8

You could use the Raspberry Pi's unique serial number.

You can retrieve it from `/proc/cpuinfo`:

```
~# cat /proc/cpuinfo
[...]
Hardware    : BCM2709
Revision    : a01041
Serial      : 00000000407xxxxx
```

Direct bash command:

```
# awk prints only the value field, so ID carries no leading whitespace
~# ID=$(awk '/^Serial/ {print $3}' /proc/cpuinfo)
~# echo "$ID"
00000000407xxxxx
```

If you need to periodically change the encryption password, use the Rpi serial number as a decryption key for a static file that returns the ecryptfs encryption password. OpenSSL is your friend :D

Hope it helps.

Marcolino
  • I like your suggestion! I have been looking for a way to 'bind' an SD card to a Raspberry, nothing fancy or high-security, but just to avoid having data too open on the card. – THX Dec 11 '15 at 09:11
  • 1
    You can use the blkid command which retrieves the UUID that is a unique identifier of a partition. – Marcolino Dec 12 '15 at 09:31
  • 5
    But everyone can have the serial number. Just put in another non-encrypted SD card and run the 'cat /proc/cpuinfo' command. Afterwards, use it to decrypt the encrypted SD card. – doom Oct 27 '17 at 20:11
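
Added example (not part of Marcolino's answer): one way to do the OpenSSL wrapping it describes, handing the serial to `openssl` through the environment instead of the command line so it does not appear in the process list. The function names, the `PI_KEY` variable, the iteration count and the sample serial are assumptions; as doom's comment points out, the serial can be read on the board itself, so this ties the card to the board rather than keeping the key secret.

```shell
#!/bin/sh
# Added example. pi_serial, wrap_passphrase, unwrap_passphrase, demo and
# PI_KEY are hypothetical names; requires OpenSSL 1.1.1+ for -pbkdf2.

# Print the board serial from a cpuinfo-format file (default /proc/cpuinfo).
pi_serial() {
    awk '/^Serial/ {print $3}' "${1:-/proc/cpuinfo}"
}

# wrap_passphrase SERIAL OUTFILE   (eCryptFS passphrase arrives on stdin)
# The serial goes in via env:, which only the owner and root can read in
# /proc/<pid>/environ; argv would be visible to every user through ps.
wrap_passphrase() {
    PI_KEY="$1" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass env:PI_KEY -out "$2"
}

# unwrap_passphrase SERIAL INFILE  (passphrase is written to stdout)
# Pipe the output straight into the mount helper's stdin; do not store it.
# CBC has no integrity tag: a wrong serial normally fails on padding, but
# treat the exit status as a hint, not as authentication.
unwrap_passphrase() {
    PI_KEY="$1" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:PI_KEY -in "$2" 2>/dev/null
}

# Round trip on constructed data (sample cpuinfo and passphrase are made up).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Hardware\t: BCM2709\nSerial\t\t: 00000000407abcde\n' \
        > "$dir/cpuinfo"
    serial=$(pi_serial "$dir/cpuinfo")
    printf '%s' 'constructed-ecryptfs-passphrase' \
        | wrap_passphrase "$serial" "$dir/pass.enc"
    # Anyone holding pass.enc and the serial gets the passphrase back:
    unwrap_passphrase "$serial" "$dir/pass.enc"
    rm -rf "$dir"
}
```

Calling `demo` prints the constructed passphrase after a wrap/unwrap round trip.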
-1

You can set the password to the eth0 hw ether MAC address. It can't be used to encrypt the root partition, though.

Vladimir Kunschikov