sprinkmeier
Posts: 401
Joined: Mon Feb 04, 2013 10:48 am
Contact: Website

Re: Encrypt SD card content

Wed Aug 28, 2013 9:19 pm

Jimbo1954 wrote: I dunno....It's too simple! What have I missed?
Where are you going to store the key used to unlock the main partition?

czbron
Posts: 1
Joined: Fri Sep 06, 2013 9:42 am

Re: Encrypt SD card content

Fri Sep 06, 2013 10:07 am

If I understand correctly, omega1 needs protection against someone simply copying the SD card which contains his application.
I suggest that you make a small tool which reads the serial number of each specific SD card (which you plan to distribute to clients) and writes it into the executable files of your application. After that process, put your application on that specific SD card.
Your application will be locked to that specific SD card, and that is all.
Copying your application to another SD card will be harder - that client would need to ask some hacker or good programmer to think about it ... and pay him. If that is your case (or you are afraid of it), change a condition of your application's distribution - something is wrong (probably the price :) )
The best protection is the price of the application - if it's set well, nobody will try to break it.

PiGraham
Posts: 2682
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Encrypt SD card content

Fri Sep 06, 2013 3:29 pm

The usual approach is to key some parts of your code to some hardware specific data so that the executable, once licenced, will only run on that hardware.

Therefore you need a unique identifier (hardware signature) from the Pi hardware that is not easily reprogrammed by a user & not on the SD card!
Use that data to encrypt some or all of your executable code.
From the hardware signature generate an install code. Send that code to a licence server (could be you, a script on your PC, a webserver etc). From the install code generate a licence code that your software can use to decrypt the encrypted executable.

When the user runs your program it will look for the licence code (on the SD card), read the hardware signature, combine them to make a decryption code. Use that to decrypt program code and execute the program.

This means the endpoint code of your program must be un-encrypted so that it can run and decrypt the rest of the code.

I think all protections schemes are potentially crackable, given time and knowhow.

Copying the SD card for use on another Pi won't work because the hardware signature will be different.
Passing Licence codes around won't work because they are tied to the hardware signature.

There are various USB devices that have unique IDs that you could supply as 'dongles' to unlock your code. Dallas One-Wire devices have unique ID numbers.

Network MAC addresses are supposed to be unique to every device, but are typically programmable. The Pi generates a MAC address from the serial number.

/proc/cpuinfo will give you a unique serial number for the Pi, but I don't know if it is secure.

SD cards do have unique serial numbers, so you could use that to limit your program to the specific card. Not sure how to read that.
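
The install-code / licence-code flow described in this post, as an added example that is not part of the original post or anyone's actual product. The function names, the XOR key wrap, the 8-byte check tag and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def _pad(install: str) -> bytes:
    # 32-byte pad computed from the install code alone. It binds the key to a
    # device; it does not hide it from someone who can read both values there.
    return hashlib.sha256(b"licence-pad:" + install.encode()).digest()

def install_code(hw_signature: str) -> str:
    """Device side: short code the customer sends to the licence server."""
    norm = hw_signature.strip().lower().encode()
    return hashlib.sha256(b"install:" + norm).hexdigest()[:16]

def issue_licence(install: str, program_key: bytes) -> str:
    """Licence-server side: wrap the 32-byte program key for one install code."""
    if len(program_key) != 32:
        raise ValueError("program key must be 32 bytes")
    wrapped = bytes(a ^ b for a, b in zip(program_key, _pad(install)))
    tag = hmac.new(program_key, b"licence-check", hashlib.sha256).digest()[:8]
    return (wrapped + tag).hex()

def unlock_key(hw_signature: str, licence: str):
    """Device side: combine licence and hardware signature; None on mismatch."""
    try:
        blob = bytes.fromhex(licence)
    except ValueError:
        return None
    if len(blob) != 40:
        return None
    wrapped, tag = blob[:32], blob[32:]
    pad = _pad(install_code(hw_signature))
    key = bytes(a ^ b for a, b in zip(wrapped, pad))
    expected = hmac.new(key, b"licence-check", hashlib.sha256).digest()[:8]
    return key if hmac.compare_digest(tag, expected) else None

# Constructed sample values, not taken from any real device.
PROGRAM_KEY = hashlib.sha256(b"constructed demo program key").digest()
PI_A = "00000000a1b2c3d4"
PI_B = "00000000deadbeef"

if __name__ == "__main__":
    lic = issue_licence(install_code(PI_A), PROGRAM_KEY)
    print("licence code:", lic)
    print("licensed Pi recovers key:", unlock_key(PI_A, lic) == PROGRAM_KEY)
    print("other Pi recovers key:", unlock_key(PI_B, lic) is not None)
```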

omega1
Posts: 113
Joined: Mon Jul 02, 2012 3:10 pm
Location: UK
Contact: Website

Re: Encrypt SD card content

Fri Sep 06, 2013 3:43 pm

Some good ideas in there, thank you!
Get your Pi from here! http://bit.ly/18blVup

PiGraham
Posts: 2682
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Encrypt SD card content

Fri Sep 06, 2013 3:54 pm


DavidS
Posts: 3009
Joined: Thu Dec 15, 2011 6:39 am
Location: USA
Contact: Website

Re: Encrypt SD card content

Mon Sep 23, 2013 6:27 am

Firstly the issue of attempting to copy protect things:
There have been many people and companies that have used many diverse copy protection schemes over the years. Generally the better copy protected the more that those that would copy it in the first place work on cracking the copy protection. And they ALWAYS succeed.

If a program is not copy protected on the other hand, there are likely to be fewer that copy it without permission, and more people will buy it as a result.

Sorry this has been shown by the market.
To be honest, that is exactly what I had originally thought of... I would put an element of the code on the server that the software has to 'get' in order for it to work, as the device would have to be connected to the internet always anyway...
Now this is a royally bad idea. You would alienate everyone that does not connect their RPi to the net, not to mention anyone that has a dial-up internet connection. And what happens in 10 years, your server is gone to history, and a registered owner of your software license wants to use it on their old legacy first generation genuine Raspberry Pi Model B?
ARM BASIC: For the love of Simplicity, Fast Interpreted BASIC, and Assembly Language.
Always KISS Keep It Simple Silly.

hoffin
Posts: 1
Joined: Sat Jan 18, 2014 9:20 am

Re: Encrypt SD card content

Sat Jan 18, 2014 1:25 pm

Hi,

In the past I have used a similar method but rather than comparing values, I use critical things to generate a hash that is used to decrypt the device. If you change any of these things, it won't boot without resetting the key, using something like luks that allows multiple keys.

You want to generate the hash from the content critical to the boot process.
A simple example would be the boot partition /dev/mmcblk0p1
and the master boot record (the first 512 bytes of the sdcard)

Code: Select all

sudo dd if=/dev/mmcblk0 bs=512 count=1 | sha1sum -

Also /sys/block/mmcblk0/device/cid (for the SD card unique id)

and if you wanted to tie it to a specific pi board

Code: Select all

cat /proc/cpuinfo | grep Serial


With this concept I would then wrap it in a C program which is called from within initrd.
Along with some other checking to ensure it's being called on boot, check machine state, simple things like the parent process will be 0. And have the program mount the drive using a luks library call.
There are more things that can be done here to protect. Such as put the cpu into debug mode to prevent another debugger doing the same.

So the C program would...

1. Put cpu into debug mode
2. Generate the hash from the partitions, MBR, serials and any system state info you want.
3. Mount the drive
4. An initialise function to allow it to set the key to your current state.

The clever bit is that it's self signing, the unlock program is on the initrd, which is included in the hash.

Then lock the system down, iptables is your friend.

Good luck.
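
A sketch of the key derivation described in this post, as an added example that is not the poster's program. It hashes the first 512 bytes of the card, the CID and the CPU serial into one key, using SHA-256 in place of the post's sha1sum; the function names and all sample inputs are constructed for illustration.

```python
import hashlib
import re

def cpu_serial(cpuinfo_text: str) -> str:
    """Extract the Serial field from /proc/cpuinfo text."""
    m = re.search(r"^Serial\s*:\s*([0-9a-fA-F]+)\s*$", cpuinfo_text, re.MULTILINE)
    if m is None:
        raise ValueError("no Serial line found")
    return m.group(1).lower()

def derive_key(mbr: bytes, cid: str, cpuinfo_text: str) -> str:
    """Hash the boot-critical inputs into one hex key."""
    if len(mbr) != 512:
        raise ValueError("expected the first 512 bytes of the card")
    fields = [mbr, cid.strip().lower().encode(), cpu_serial(cpuinfo_text).encode()]
    h = hashlib.sha256()
    for field in fields:
        # Length prefix keeps the field boundaries unambiguous.
        h.update(len(field).to_bytes(4, "big") + field)
    return h.hexdigest()

def read_live_inputs(dev="/dev/mmcblk0"):
    """Read the real inputs on a Pi (needs root); paths are those in the post."""
    with open(dev, "rb") as f:
        mbr = f.read(512)
    with open("/sys/block/mmcblk0/device/cid") as f:
        cid = f.read()
    with open("/proc/cpuinfo") as f:
        return mbr, cid, f.read()

# Constructed sample inputs, not taken from any real device.
SAMPLE_MBR = bytes(510) + b"\x55\xaa"
SAMPLE_CID = "1b534d30303030301012345678010b00\n"
SAMPLE_CPUINFO = (
    "Hardware\t: BCM2708\nRevision\t: 000e\nSerial\t\t: 00000000a1b2c3d4\n"
)

if __name__ == "__main__":
    key = derive_key(SAMPLE_MBR, SAMPLE_CID, SAMPLE_CPUINFO)
    print("derived key:", key)
    tampered = b"\x90" + SAMPLE_MBR[1:]
    same = derive_key(tampered, SAMPLE_CID, SAMPLE_CPUINFO) == key
    print("key survives a changed MBR byte:", same)
```

Because nothing is compared against a stored value, a changed MBR, card or board simply yields a different key and the volume fails to open.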

dhruvvyas90
Posts: 23
Joined: Thu Nov 21, 2013 2:36 pm

Re: Encrypt SD card content

Mon Feb 10, 2014 5:41 am

Interesting topic and replies. :-)

Well, I don't see any provision by which you can link an SD card with a particular pi which will result in locking.
And hence you might not be able to stop someone using your product if they succeed in copying your system exactly.

But if your product is an interactive system, say... with a display or something. You can show your company logo, with an encrypted drive on it as suggested by someone earlier. So the other party can not change the content (logo, code or whatever...or at least it would be a difficult job) and hence there will not be any motivation for them to copy your product. :-)

nachiketh
Posts: 32
Joined: Wed Sep 25, 2013 4:54 pm

Re: Encrypt SD card content

Wed Jan 27, 2016 8:56 am

dauhee wrote: how about this for protecting your intellectual property:

Code: Select all

sudo apt-get install ecryptfs-utils
sudo apt-get install lsof
sudo ecryptfs-migrate-home -u pi
There will be a bit more to it but that's the main part - it will only cover your home folder. If you want to do more then it's something like:

http://www.howtoforge.com/how-to-encryp ... an-squeeze
Hi folks,
I tried the above-mentioned method and I have a query regarding it: the contents on the SD card which were present before mounting the partition as "ecryptfs" have now been encrypted, however all new content written after the mount is accessible without needing any passphrase. Is there any other configuration required to encrypt new files created after the ecryptfs mount? Please let me know.
TIA!

tufty
Posts: 1454
Joined: Sun Sep 11, 2011 2:32 pm

Re: Encrypt SD card content

Fri Feb 12, 2016 8:19 pm

As I understand it, you're trying to sell a Pi + SD card as a product, but you're afraid that someone will take the SD card, clone it, and thus reduce your potential for profit, right?

No problem with that, at work there's actually a pi in a little plastic case, SD card sticking out of it, running a sales system. As far as I'm aware, nobody has thought of pulling out the SD card and cloning it because what we've bought is not just the system but also the support for the system. Plus I'm probably the only one to know what it even is, but that's a whole different issue. The same logic applies to pretty much every piece of software and hardware we have.

If you want to make it so that people don't copy your stuff, you need to make it so it's not worth their time. The best way of doing this is to supply a service that is more valuable than the hardware.

Still, if you're determined to do this...

There's pretty much nothing you can do to the SD card to stop people copying it. Hell, they tried that with floppy disks, to the point of burning holes in the disks themselves, and that didn't stop copying. So forget that. And you can't really do much with the hardware that can't be reversed either. And any "on the pi" software system will eventually come down to a couple of conditionals that can be flipped.

If it were me and I absolutely had to do this in a way that was a bugger to work around, I'd have a chunk of code delivered via the internet. I'd encrypt comms via some pk framework, and require a valid Pi serial number before you deliver the code to the device. Not perfect, and pretty easy to work around if you control the network the device is on.

But honestly, you're better off just trusting your customers and accepting some losses rather than treating them all as potential thieves.

hardiksharma.sh
Posts: 2
Joined: Wed May 03, 2017 12:36 pm

Re: Encrypt SD card content

Tue Jul 18, 2017 1:38 pm

Jimbo1954 wrote: Lots of interesting comments about ethical considerations, etc, but I'm going to cut to the chase and try for a quick technical fix...tell me your views, you probably have considered this more deeply than I:

1) use full disk encryption to protect your files in the main SD partition
2) create a script that runs at install time and updates another script with the MAC address (or something similar that won't change/is guaranteed unique) of the Pi
3) Arrange that the updated script from 2 above runs at boot time, and compares the MAC address found at install time with the MAC address at run time. If the two are not the same (i.e. the SD card is NOT running on the Pi it was originally installed on) then shutdown.

While running, the files are available on the Pi, but if you block ssh, telnet, etc, and only allow restricted access via Apache or similar, the files will not be observable/copyable. When the person who wants to copy your code tries to examine the SD card, its encrypted. If they simply try to clone the chip blind, the cloned SD will only run in the "parent" Pi, thus making cloning pointless.

I dunno....It's too simple! What have I missed?

Jim

Later:....Well Duuuuhhhhh!! I *said* it was too simple...the passphrase would have to be unencrypted, available at boot and so located somewhere it could be read unencrypted at boot....i.e. on the FAT partition of the SD....So when the encrypted chip was removed, the passphrase would come with it and the whole thing could be decrypted. So let my stupidity be a lesson to you all: When it seems too simple, it is, and you should go away and think again before committing to print!
Here I want to add one thing. Is there any possibility of this? We can create a C language script which checks the MAC address, and if it matches then it will give the process to decrypt the encrypted img file and run it. Now convert the C file to a binary executable file and delete all readable C files. Now 3rd partition can not understand the binary file or even the decrypting process, so both tasks can be fulfilled.

RaTTuS
Posts: 9588
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Encrypt SD card content

Tue Jul 18, 2017 1:46 pm

necro warning however - the only way I know of is with https://community.zymbit.com/t/encrypt- ... rry-pi/150
I've not used it but there you go -...
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

DougieLawson
Posts: 30430
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website

Re: Encrypt SD card content

Tue Jul 18, 2017 7:31 pm

hardiksharma.sh wrote: Here I want to add one thing. Is there any possibility of this? We can create a C language script which checks the MAC address, and if it matches then it will give the process to decrypt the encrypted img file and run it. Now convert the C file to a binary executable file and delete all readable C files. Now 3rd partition can not understand the binary file or even the decrypting process, so both tasks can be fulfilled.
There's nothing to stop the MAC address being spoofed. In much the same way that the cpu serial can be spoofed. You can't use either as an encryption key as they are not secure.
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

Since 2012: 1B*5, 2B*2, B+, A+, Zero*2, 3B*3

Please post ALL technical questions on the forum. Do not send private messages.

rzusman
Posts: 303
Joined: Fri Jan 01, 2016 10:27 pm

Re: Encrypt SD card content

Tue Jul 18, 2017 11:37 pm

The Compute Module has embedded Flash, so that makes it a whole lot harder for the casual user to copy your software.

PiGraham
Posts: 2682
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Encrypt SD card content

Wed Jul 19, 2017 8:34 am

You could add a hardware device to hold an encryption key so that the SD card will only run on a Pi with that key.
A quick search turns up one example: https://www.zymbit.com/keys-to-security-raspberry-pi/

Interesting info on something from Infineon here:
https://raspberrypi.stackexchange.com/q ... on-tpm-hsm

I expect you can find similar devices for USB.

You could program a microcontroller such as PIC or Atmel (Arduino) to do this via USB, UART, SPI or I2C. Consider that the data exchange can be probed, so make the data as unpredictable as possible, only transmit encrypted data, not plaintext, and compare the encrypted data on both sides.

Of course you have to balance the costs of protection (money, hassle, customer frustration etc.) with losses to copying.

bpfrare
Posts: 1
Joined: Thu Aug 10, 2017 4:23 pm

Re: Encrypt SD card content

Thu Aug 10, 2017 4:27 pm

I found a topic explaining how to encrypt the SD card.

Anyone try this?

https://www.offensive-security.com/kali ... ncryption/

RaTTuS
Posts: 9588
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Encrypt SD card content

Fri Aug 11, 2017 9:02 am

bpfrare wrote:
Thu Aug 10, 2017 4:27 pm
I found a topic explaining how to encrypt the SD card.

Anyone try this?

https://www.offensive-security.com/kali ... ncryption/
unless you use a hardware encryption device like mentioned in viewtopic.php?f=31&t=38213&sid=cbd5b152 ... 5#p1187819 it will not work as software only