Page 2 of 2

Re: Encrypt SD card content

Posted: Wed Aug 28, 2013 9:19 pm
by sprinkmeier
Jimbo1954 wrote:I dunno....It's too simple! What have I missed?
Where are you going to store the key used to unlock the main partition?

Re: Encrypt SD card content

Posted: Fri Sep 06, 2013 10:07 am
by czbron
If I understand correctly, omega1 need protection from simply copy SD card which contain his application.
I suggest that you make small tool which read serial number of every concrete SD card (which you plan to distribute to clients) and write it in your executable files of your application. Your application, after that process, put on concrete SD card.
Your application will be locked on concrete SD card and that is all.
Coping of your application to another SD card will be harder - that client need to ask some hacker or good programmer to think about that ... and pay to him. If that is your case (or you afraid about it), change a condition of your application distribution - something wrong (probably price :) )
Best protection is a price of application - if it's good set, nobody try to broke .

Re: Encrypt SD card content

Posted: Fri Sep 06, 2013 3:29 pm
by PiGraham
The usual approach is to key some parts of your code to some hardware specific data so that the executable, once licenced, will only run on that hardware.

Therefore you need a unique identifier (hardware signature) from the Pi hardsware that is not easily reprogrammed by a user & not on the SD card!
Use that data to encrypt some or all of your executable code.
From the hardware signature generate a install code. Send that code to a licence server (could be you, a script on your PC, a webserver etc). From the install code generate a licence code that your software can use to decrypt the encrypted executable.

When the user runs your program it will look for the licence code (on the SD card), read the hardware signature, combine them to make a decryption code. Use that to decrypt program code and execute the program.

This means the endpoint code of your program must be un-encrypted so that it can run and decrypt the rest of the code.

I think all protections schemes are potentially crackable, given time and knowhow.

Copying the SD card for use on another Pi won't work because the hardware signature will be different.
Passing Licence codes around won't work because they are tied to the hardware signature.

There are various USB devices that have unique IDs that you could supply a 'dongles' to unlock your code. Dallas One-Wire devices have unique ID numbers.

Network MAC addresses are supposed to be unique to every device, but are typically programmable. The Pi generates a MAC address from the serial number.

/proc/cpuinfo will give you a unique serial number for the Pi, but I don't know if it is secure.

SD cards do have unique serial numbers, so you could use that to limit your program to the specific card. Not sure how to read that.

Re: Encrypt SD card content

Posted: Fri Sep 06, 2013 3:43 pm
by omega1
Some good ideas in there, thank you"

Re: Encrypt SD card content

Posted: Fri Sep 06, 2013 3:54 pm
by PiGraham

Re: Encrypt SD card content

Posted: Mon Sep 23, 2013 6:27 am
by DavidS
Firstly the issue of attempting to copy protect things:
There have been many people and companies that have used many diverse copy protection scemes over the years. Generaly the better copy protected the more that those that would copy it in the first place work on cracking the copy protection. And they ALWAYS succeed.

If a program is not copy protected on the other hand, there are likely to be fewer that copy it with out permision, and more people will buy it as a result.

Sorry this has been shown by the market.
To be honest, that is exactly what I had originally thought of... I would put an element of the code on the server that the software has to 'get' in order for it to work, as the device would have to be connected to the internet always anyway...
Now this is a royaly bad idea. You would alienate every one that does not connect there RPi to the net, not to mention any one that has a dial up internet connection. And what happens in 10 years, your server is gone to history, and a registered owner of your software license wants to use it on there old legacy first generation genuine Raspbery Pi Model B?

Re: Encrypt SD card content

Posted: Sat Jan 18, 2014 1:25 pm
by hoffin
Hi,

In the past I have used a similar method but rather than comparing values, I use critical things to generate a hash that is used to decrypt the device. If you change any of these things, it won't boot without resetting the key, using something like luks that allows multiple keys.

You want to generate the hash from the content critical to the boot process.
A simple example would be the boot partition /dev/mmcblk0p1
and the master boot record (the first 512 bytes of the sdcard)

Code: Select all

sudo dd if=/dev/mmcblk0 bs=512 count=1 | sha1sum -
Also /sys/block/mmcblk0/device/cid (for the SSD card unique id)

and if you wanted to tie it to a specific pi board

Code: Select all

cat /proc/cpuinfo | grep Serial


With this concept I would then wrap it in a C program which is called from within initid.
Along with some other other checking to ensure it's being called on boot, check machine state, simple things like the parent process will be 0. And have the program mount the drive using a luks library call.
There are more things that can be done here to protect. Such as put the cpu into debug mode to prevent another debugger doing the same.

So the c program would...

1. Put cpu into debug mode
2. Generate the hash from the partitions, mrb, serials and any system state info you want.
3. Mount the drive
4. a initialise function to allow it set the key to your current state.

The clever bit is that it's self signing, the unlock program is on the initrd, which is included in the hash,

Then lock the system down, iptables is your friend.

Good luck.

Re: Encrypt SD card content

Posted: Mon Feb 10, 2014 5:41 am
by dhruvvyas90
Interesting topic and replies. :-)

Well, I don't see any provision by which you can link an SD card with a particular pi which will result in locking.
And hence you might not be able to stop someone using your product if they succeed copying your system exactly.

But if your product is an interactive system, say... with a display or something. You can show your company logo, with an encrypted drive on it as suggested by someone earlier. So the other party can not change the content (logo , code or whatever...or at least it would be a difficult job) and hence there will not be any motivation for them to copy your product. :-)

Re: Encrypt SD card content

Posted: Wed Jan 27, 2016 8:56 am
by nachiketh
dauhee wrote:how about this for protecting your intellectual property:

Code: Select all

sudo apt-get install ecryptfs-utils
sudo apt-get install lsof
sudo ecryptfs-migrate-home -u pi
There will be a bit more to it but thats the main part - it will only cover your home folder. If you want to do more then its something like:

http://www.howtoforge.com/how-to-encryp ... an-squeeze
Hi folks,
I tried the above mentioned method and I have a query regarding the same, the contents on the SD Card which were present before mounting the partition as "ecryptfs" have now got encrypted, however all new content which got written after the mount is accessible without needing any passphrase. Is there any other configuration required to encrypt new files that got created after the ecryptfs mount? Please let me know.
TIA!

Re: Encrypt SD card content

Posted: Fri Feb 12, 2016 8:19 pm
by tufty
As I understand it, you're trying to sell a Pi + SD card as a product, but you're afraid that someone will take the SD card, clone it, and thus reduce your potential for profit, right?

No problem with that, at work there's actually a pi in a little plastic case, SD card sticking out of it, running a sales system. As far as I'm aware, nobody has thought of pulling out the SD card and cloning it because what we've bought is not just the system but also the support for the system. Plus I'm probably the only one to know what it even is, but that's a whole different issue. The same logic applies to pretty much every piece of software and hardware we have.

If you want to make it so that people don't copy your stuff, you need to make it so it's not worth their time. The best way of doing this is to supply a service that is more valuable than the hardware.

Still, if you're determined to do this...

There's pretty much nothing you can do to the SD card to stop people copying it. Hell, they tried that with floppy disks, to the point of burning holes in the disks themselves, and that didn't stop copying. So forget that. And you can't really do much with the hardware that can't be reversed either. And any "on the pi" software system will eventually come down to a couple of conditionals that can be flipped.

If it were me and I absolutely had to do this in a way that was a bugger to work around, I'd have a chunk of code delivered via the internet. I'd encrypt comms via some pk framework, and require a valid Pi serial number before you deliver the code to the device. Not perfect, and pretty easy to work around if you control the network the device is on.

But honestly, you're better off just trusting your customers and accepting some losses rather than treating them all as potential thieves.

Re: Encrypt SD card content

Posted: Tue Jul 18, 2017 1:38 pm
by hardiksharma.sh
Jimbo1954 wrote:Lots of interesting comments about ethical considerations, etc, but I'm going to cut to the chase and try for a quick technical fix...tell me your views, you probably have considered this more deeply than I:

1) use full disk encryption to protect your files in the main SD partition
2) create a script that runs at install time and updates another script with the MAC address (or something similar that won't change/is guaranteed unique) of the Pi
3) Arrange that the updated script from 2 above runs at boot time, and compares the MAC address found at install time with the MAC address at run time. If the two are not the same (i.e. the SD card is NOT running on the Pi it was originally installed on) then shutdown.

While running, the files are available on the Pi, but if you block ssh, telnet, etc, and only allow restricted access via Apache or similar, the files will not be observable/copyable. When the person who wants to copy your code tries to examine the SD card, its encrypted. If they simply try to clone the chip blind, the cloned SD will only run in the "parent" Pi, thus making cloning pointless.

I dunno....It's too simple! What have I missed?

Jim

Later:....Well Duuuuhhhhh!! I *said* it was too simple...the passphrase would have to be unencrypted, available at boot and so located somewhere it could be read unencrypted at boot....i.e. on the FAT partition of the SD....So when the encrypted chip was removed, the passphrase would come with it and the whole thing could be decrypted. So let my stupidity be a lesson to you all: When it seems too simple, it is, an you should go away and think again before committing to print!
Here I want to add one thing. is there any possibility of this? we can create c language script which check the mac address. and if it matches then it will give the procceess to decrypt the encrypted img file and run. now convert c file to binary executable file. and delete all readable c files. Now 3rd partition can not understand binary file and even decrypting proccess. so both task can be fullfilled.

Re: Encrypt SD card content

Posted: Tue Jul 18, 2017 1:46 pm
by RaTTuS
necro warning however - the only way I know of is with https://community.zymbit.com/t/encrypt- ... rry-pi/150
I've not used it but there you go -...

Re: Encrypt SD card content

Posted: Tue Jul 18, 2017 7:31 pm
by DougieLawson
hardiksharma.sh wrote: Here I want to add one thing. is there any possibility of this? we can create c language script which check the mac address. and if it matches then it will give the procceess to decrypt the encrypted img file and run. now convert c file to binary executable file. and delete all readable c files. Now 3rd partition can not understand binary file and even decrypting proccess. so both task can be fullfilled.
There's nothing to stop the MAC address being spoofed. In much the same way that the cpu serial can be spoofed. You can't use either as an encryption key as they are not secure.

Re: Encrypt SD card content

Posted: Tue Jul 18, 2017 11:37 pm
by rzusman
The Compute Module has embedded Flash, so that makes it a whole lot harder for the casual user to copy your software.

Re: Encrypt SD card content

Posted: Wed Jul 19, 2017 8:34 am
by PiGraham
You could add a hardware device to hold an encryption key so that the SD card will only run on a Pi with that key.
A quick search turn up one example: https://www.zymbit.com/keys-to-security-raspberry-pi/

Interesting info on something from Infineon here:
https://raspberrypi.stackexchange.com/q ... on-tpm-hsm

I expect you can find similar devices for USB.

You could program a microcontroller such as PIC or Atmel *Arduino) to do this via USB, UART, SPI or i2c. Consider that the data exchange can be probed so make the data as unpredictable as possible, only transmit encrypted data, not plaintext and compare the encrypted data on both sides.

Of course you have to balance the costs of protection (money, hassle, customer frustration etc.) with losses to copying.

Re: Encrypt SD card content

Posted: Thu Aug 10, 2017 4:27 pm
by bpfrare
I found a topic explain how to encrypt the SD card.

Anyone try this?

https://www.offensive-security.com/kali ... ncryption/

Re: Encrypt SD card content

Posted: Fri Aug 11, 2017 9:02 am
by RaTTuS
bpfrare wrote:
Thu Aug 10, 2017 4:27 pm
I found a topic explain how to encrypt the SD card.

Anyone try this?

https://www.offensive-security.com/kali ... ncryption/
unless you use a hardware encryption device like mentioned in viewtopic.php?f=31&t=38213&sid=cbd5b152 ... 5#p1187819 it will not work as software only