The idea came as I have been carrying around several project containing SD cards, and was wondering what could happen if I misplaced them.
The raspberry platform was originally intended for an educational tool, but is widely used for fully fledged embedded projects and production testing. The lack of built-in flash memory makes it hard to protect sensitive code, and unlike most desktop systems that require a log-in key-chain approach, sometimes you just need to power the unit on and just work, without a screen or a keyboard.
So would it not be to have a way to totally encrypt a folder, bind it to the current hardware and software set-up, and automatically unlock it , only when the SD card is run at the intended device without any user input?
The tool collects a lot of information about the hardware/ environment it runs and passes it over to two functions that you need to write yourself which take as input system data and produce a 8 or 16 char passwords fed ecnryptfs that locks, unlocks the directory.
If used at the default level of security it will disallow the following actions:
- Someone cloning the SD card and placing it on another PI device.
- Someone copying over the unlock executable and your encrypted code to another sd card and placing it on the intended device attempting to unlock it.
- Someone running a Qemu instance simulating the original device and trying to unlock it.
Adjusting the tool to your needs, is easy, and about editing two files, a header providing all the hard-coded authorized information and a code file that you need to implement your own password generation logic.
Feel free to read the extended readme at the project's page:
https://github.com/minosg/picrypt
And I am open to any criticism, suggestions or ideas on how it could become even better.
Please note that I do not assume this method is hacker proof, and neither should you.What it does is that it adds a significant amount of pain to third party wanting to read/copy your code.