Securing SD card Image by encrypting in raspberry pi 3

Posted: Fri Apr 21, 2017 1:55 pm
by pnaven03
Hi Team,

We are using a Raspberry Pi 3 with kernel version Linux raspberrypi 4.4.11-v7+ #888 SMP Mon May 23 20:10:33 BST 2016 armv7l GNU/Linux. How can I encrypt my SD card image? This is for security purposes; can anyone please help with this?

Regards,
Nv

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Fri Apr 21, 2017 2:34 pm
by mattmiller
Short answer is no - can't be done in any way that makes sense.
No way of securing a Pi image on an SD card that is of any practical use.

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Sat Apr 22, 2017 2:26 am
by peterlite
You cannot encrypt the Ext4 partition because the boot code in the FAT partition cannot read an encrypted partition. You would have to split the Ext4 partition in two, one for the operating system and one for your encrypted data.

Big computers have encryption at the disk level because they have megabytes of BIOS running before booting the operating system. To do that, you need a big processor with a noisy fan or a dedicated encryption chip. $$$$

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Sat Apr 22, 2017 10:03 am
by pnaven03
Thanks for the reply,

What is the best method to provide security to my device? I am disabling SSH, root access etc., but I need SD card security also.
My application code loads from the SD card; if any other person opens the SD card, he should not understand my code.
This is my customer requirement; please, can anyone help me on this?

Regards,
Nv

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Sat Apr 22, 2017 10:49 am
by DougieLawson
pnaven03 wrote:... but I need SD card security also. My application code loads from the SD card; if any other person opens the SD card, he should not understand my code. This is my customer requirement; please, can anyone help me on this?
It's not possible.

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Mon Apr 24, 2017 5:31 pm
by gordon@drogon.net
pnaven03 wrote:Thanks for the reply,

What is the best method to provide security to my device? I am disabling SSH, root access etc., but I need SD card security also.
My application code loads from the SD card; if any other person opens the SD card, he should not understand my code.
This is my customer requirement; please, can anyone help me on this?

Regards,
Nv
You could re-partition the SD card and create a new empty, encrypted partition. Then you put all your applications and data in this partition with the rest of the usual/generic Raspbian in the first partition, as normal. You can also encrypt the whole / partition (but not the /boot partition). You can even do this on an already set-up Pi.

Downsides -
(a) You/Someone will need to provide the password at boot time every time the Pi is booted. Unattended reboots will not be possible. This may or may not be acceptable to you or your client.
(b) It will be slower than it already is.
(c) Google it - the first 2 links I got told me all I needed to know.
(d) You have not thought of this yourself. If I were your client, you'd be sacked by now.

First link on Google: https://github.com/NicoHood/NicoHood.gi ... n-Tutorial

-Gordon

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Tue Apr 25, 2017 9:09 am
by pnaven03
Gordon,

Thanks for the reply,

The client will not accept entering the password.
If there are any other methods, please provide me a link.

Regards,
Nv

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Tue Apr 25, 2017 9:25 am
by RaTTuS
Other ideas - all are defeatable:
hot glue the SD card into place
make a tamper-proof case
make the code work via an internet connection and only allow from authorized hosts

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Tue Apr 25, 2017 12:52 pm
by gordon@drogon.net
pnaven03 wrote:Gordon,

Thanks for the reply,

The client will not accept entering the password.
If there are any other methods, please provide me a link.

Regards,
Nv
Better still, we could bypass the middle-man and give your client my email address and I'll collect the fee...

-Gordon

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Fri Jul 07, 2017 1:44 pm
by RaTTuS

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Fri May 18, 2018 6:11 pm
by haggy
This looks really promising actually! I'm also looking for an EFS solution for the RPi so I'll definitely be keeping up with zymbit.

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Mon Oct 14, 2019 7:01 am
by le_
Is it possible to use chroot with encryption?
Instead of encrypting the entire disk, it might be possible to encrypt a single partition. The Raspbian system would boot normally, and then you could mount and load the chroot from the encrypted partition...
And anything that requires encryption protection could be transferred to chroot.

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Tue Feb 18, 2020 4:30 pm
by acawley
I'm confused by the negative responses on this, as though it is impossible to encrypt a device.

Would it not be possible to implement some form of full disk encryption on the SD card in a way that it prompts the user for a decryption key on-boot. So the user holds the secret key (a good password in their mind) which is used to decrypt the whole system?

I use full disk encryption on Windows and Linux desktops and laptops, so I had hoped that something similar might be possible on a Raspberry Pi. It would be good peace of mind to know that SSH keys were secured in the event of physical theft.

Although perhaps the full disk encryption I use on some of my Windows & Linux systems relies on complicated boot processes that simply aren't possible on the Pi hardware, I'm not sure?

I'm thinking of things like VeraCrypt (or other Linux alternatives).

For me I have Pi Zeros in headless situations which are powered on for a long time (weeks continuously). Even if I had to plug a keyboard in on first boot to enter in my password blindly I would prefer that if I knew it was more secure in the event of theft / power-down.

Any thoughts?

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Tue Feb 18, 2020 4:40 pm
by B.Goode
acawley wrote:
Tue Feb 18, 2020 4:30 pm
I'm confused by the negative responses on this, as though it is impossible to encrypt a device.

Would it not be possible to implement some form of full disk encryption on the SD card in a way that it prompts the user for a decryption key on-boot. So the user holds the secret key (a good password in their mind) which is used to decrypt the whole system?

I use full disk encryption on Windows and Linux desktops and laptops, so I had hoped that something similar might be possible on a Raspberry Pi. It would be good peace of mind to know that SSH keys were secured in the event of physical theft.

Although perhaps the full disk encryption I use on some of my Windows & Linux systems relies on complicated boot processes that simply aren't possible on the Pi hardware, I'm not sure?

I'm thinking of things like VeraCrypt (or other Linux alternatives).

For me I have Pi Zeros in headless situations which are powered on for a long time (weeks continuously). Even if I had to plug a keyboard in on first boot to enter in my password blindly I would prefer that if I knew it was more secure in the event of theft / power-down.

Any thoughts?

At least 2 of the responses were positive and drew attention to a possible solution.

Repeated here: https://community.zymbit.com/t/encrypti ... -crypt/150

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Tue Feb 18, 2020 4:46 pm
by acawley
Apologies! I did indeed miss that link it seems, thank you for bringing it to my attention, I will certainly be giving it a read and a go myself when I have time.

Anyone out there given it a go? What were your experiences?

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Sat Feb 29, 2020 3:44 am
by cleverca22
peterlite wrote:
Sat Apr 22, 2017 2:26 am
You cannot encrypt the Ext4 partition because the boot code in the FAT partition cannot read an encrypted partition. You would have to split the Ext4 partition in two, one for the operating system and one for your encrypted data.

Big computers have encryption at the disk level because they have megabytes of BIOS running before booting the operating system. To do that, you need a big processor with a noisy fan or a dedicated encryption chip. $$$$
if you use an initrd, you can easily encrypt the ext4 partition, but you still have problems (that might have already been mentioned in this thread)

the password to decrypt that ext4 end must enter the Pi somehow, either by being in the fat32 partition (then you have no security) or by entering it on the keyboard every time you boot (then it can't boot without your permission)

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Sat Feb 29, 2020 4:15 am
by dustnbone
Doing this in a way that doesn't require a key being stored unencrypted, or a password to be entered at boot, or some kind of other authentication mechanism, is physically impossible.

You can encrypt things to your heart's content, but the decryption key needs to be provided somehow if you plan to access said encrypted data.

Re: Securing SD card Image by encrypting in raspberry pi 3

Posted: Fri Dec 18, 2020 4:08 am
by pavithran
pnaven03 wrote:
Fri Apr 21, 2017 1:55 pm
Hi Team,

We are using a Raspberry Pi 3 with kernel version Linux raspberrypi 4.4.11-v7+ #888 SMP Mon May 23 20:10:33 BST 2016 armv7l GNU/Linux. How can I encrypt my SD card image? This is for security purposes; can anyone please help with this?

Regards,
Nv
The boot partition cannot be encrypted. A Raspberry Pi SD card has two partitions, one for boot and another for root.
Here we can encrypt the root partition. Once it is encrypted, the next time the system boots it will ask for the password that we set at the time of encryption. The system will boot the OS only when the root partition is decrypted with a valid password; otherwise it will not boot.
You can refer to this link for encryption and manual decryption of the root file.

viewtopic.php?t=219867

We can also make an unattended boot by creating a key file in a secured place and mapping it in crypttab. It will auto-decrypt the root file when manual interaction is not required.
As this is an automatic process, it's not good practice to keep the key file in the boot partition, as it can easily be tampered with; it also cannot be kept in the root partition, as that is encrypted and cannot be read without decrypting it first. You need to find some secure place to store it, like a secure storage chip, to establish a root of trust.
You can refer to these links to auto-decrypt the root partition at boot.

https://www.howtoforge.com/automaticall ... -a-keyfile
https://linuxconfig.org/how-to-use-a-fi ... device-key

Finally, once we have generated the keys, mapped them to LUKS and updated crypttab, we need to rebuild the initramfs. It's important to rebuild or update the initramfs so that our new changes from crypttab and fstab reach the initramfs image file; otherwise our new changes will not work.

Use this script to rebuild
sudo mkinitramfs -o /boot/initramfs.gz -k -v 5.4.79-v7l+

Here 5.4.79-v7l+ is our Linux kernel version. You can find your own version with uname -r.
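
Added example (not part of any post in this thread): a small shell audit that classifies how each crypttab entry obtains its LUKS key, flagging the case the thread warns about, a key file on the unencrypted boot partition. The sample entries, the all-zero UUID and the keyscript path `/usr/local/sbin/get-key-from-chip` are constructed placeholders; `keyscript=` is the Debian cryptsetup crypttab option for fetching a key from an external source.

```shell
#!/bin/sh
# Added example: classify how each crypttab entry gets its LUKS key.
# Reads crypttab text on stdin; fields per crypttab(5) are:
#   <target> <source device> <key file> <options>
# Prints "<target> <verdict>" for every non-comment entry.
classify_crypttab() {
    while read -r target source keyfile options; do
        # Skip blank lines and comments.
        case "$target" in ''|'#'*) continue ;; esac
        case ",$options," in
            # Key is produced by a script (e.g. one that asks a secure element).
            *,keyscript=*) verdict="keyscript" ;;
            *)
                case "$keyfile" in
                    # No key file: the passphrase is typed at every boot.
                    ''|none|-) verdict="passphrase-prompt" ;;
                    # Key file on the unencrypted FAT boot partition:
                    # anyone who can read the SD card can read the key.
                    /boot/*)   verdict="WEAK-keyfile-on-unencrypted-boot" ;;
                    # Key file elsewhere: check where it lives and its permissions.
                    *)         verdict="keyfile" ;;
                esac ;;
        esac
        printf '%s %s\n' "$target" "$verdict"
    done
}

# Constructed sample entries (not taken from a real system).
sample_crypttab() {
cat <<'EOF'
# <target> <source device> <key file> <options>
cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks
cryptdata /dev/mmcblk0p3 /boot/luks.key luks
cryptapp  /dev/mmcblk0p4 unused luks,keyscript=/usr/local/sbin/get-key-from-chip
EOF
}

sample_crypttab | classify_crypttab
```

On a real system, feed it the live file with `classify_crypttab < /etc/crypttab`.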