29

The Raspberry is all well and nice and can run pretty quick. But how can I protect my SD card from offline data attacks. SSH can be protected with a good password or a SSH key but if somebody gets hold of the card I would like it to be encrypted in the most part.

For example all my source php files or any other source code is stored on the SD card and can be easily mounted into another linux system. But i want to prevent this by encryption the entire SD card somehow.

Any suggestions?

WillyWonka
  • 537
  • 1
  • 5
  • 13
  • 1
    Which OS are you using, or would you like an answer for each OS to help you decide between them? – Mark Booth Aug 14 '12 at 16:33
  • Also, bear in mind that even if you encrypt the file system (as described here for debian for instance) the encryption key will still be in memory, so make sure you add some anti tampering protection (such as encasing your Rasberry Pi in resin) though that really requires specialist hardware. – Mark Booth Aug 14 '12 at 16:38
  • 2
    The guide suggest to use AES- Possibly the default is changed now but do not use AES- It is easily cracked. – Piotr Kula Aug 14 '12 at 18:13
  • 1
    You've need to leave /boot decrypted and input a password to mount the root filesystem I suspect. – Alex Chamberlain Aug 15 '12 at 08:26
  • I want to avoiud puttin in passwords. It needs to boot without user input but the SD should be protected without getting the key from the /boot to easily. – WillyWonka Aug 15 '12 at 13:25
  • @WillyWonka - What you ask is impossible then. If the key is stored on the device such that it can be used for an automatic boot then the SD card can be decrypted using that key. If the millions poured into DVD's CSS or Bluerays encryption can't protect the content of DVDs or Blurays, what makes you think the Raspberry Pi can do something they can't? – Mark Booth Aug 15 '12 at 14:03
  • 1
    LOL - So much for DRM hahaha :-) I think some more complex system will be needed to create one time use keys from an internet sercive possibly? BUt that means you need to boot the kernel- make a key getter script and possibly mount an encrypted partition based on that somehow. You know like WoW DRM- No net, no play. – Piotr Kula Aug 15 '12 at 14:32
  • 1
    Then you could just netboot it. Unless they steal your bootserver, they can't do offline attack :) – XTL Aug 22 '12 at 07:14
  • That is interesting concept. Do you have any reading material about this please? :) Or can i get a one time key from a webservice during boot or something.. like DRM? – WillyWonka Oct 02 '12 at 14:04

2 Answers2

14

You could encrypt the whole disk, pv, or volume using LUKS/dm-crypt if your distribution supports it. It's also possible to encrypt files or directories on the disk while leaving the filesystem mountable (but scrambled).

Either way, you'll run into an issue: Before using the clear data, someone has to input the key. If the key is stored on the card, nothing prevents an attacker reading the key from a stolen card. If it's input by a person, that person needs to manually enter the key after every boot.

XTL
  • 1,389
  • 9
  • 22
  • 2
    Can they decrypt data using the key in offline mode?(i suspect the answer is yes) Is there any way to lock a Kernel to a MAC address, CPUID or some something HW specific? – WillyWonka Aug 15 '12 at 08:01
  • 1
    Normally, yes. It doesn't matter if it's your program decrypting or theirs if they have the key. You might be able to use a HW id to generate the key. That won't help if the attacker has access to the whole board but might save you if someone just took or cloned the card. – XTL Aug 15 '12 at 08:48
  • Yea I am not worried about them booting it. They still cannot get Shell access (unless there is a Linux work around to get root???) Most likley they will try and take the SD card and get the source files to see all the secret things on another computer or something :) – WillyWonka Aug 15 '12 at 13:23
  • 2
    If physical access is available, everybody can easily get shell access. You could search for single-user mode.

    Here is an Example for the Pi.

    The boot partition is not encrypted!

     – macrojames Aug 16 '12 at 11:29
8

how about this for a start

sudo apt-get install ecryptfs-utils
sudo apt-get install lsof
sudo ecryptfs-migrate-home -u pi

There will be a bit more to it but thats the main part - it will only cover your home folder. If you want to do more then its something like:

https://www.howtoforge.com/how-to-encrypt-directories-partitions-with-ecryptfs-on-debian-squeeze

Hengjie
  • 105
  • 3
David Lee
  • 81
  • 1
  • 2
  • 4
    The link looks truncated and/or dead. – XTL Apr 07 '15 at 16:20
  • Here's an archive of the linked article for preservation https://web.archive.org/web/20201116213202/https://www.howtoforge.com/how-to-encrypt-directories-partitions-with-ecryptfs-on-debian-squeeze – MrWm Nov 16 '20 at 21:34