Securing data on SD card Raspberry Pi

Oleg Antonyan · Jan 1, 2015 · Viewed 9.9k times

I need to store sensitive data on Raspberry so that software running on Raspberry can use it, but nobody else can. I can set a hard password, disable tty's and so on, but it's easy to remove the SD card and examine it on a PC.

My first try is eCryptFS. It seems to be good, but there is a problem. How do I store the passphrase and use it to mount the encrypted fs? eCryptFS can read the passphrase from a file or take it as a mount argument. Obviously, I cannot use a file as it's stored insecurely. Also, I can write a program which will feed a hard-coded (and obfuscated) passphrase to mount.ecryptfs either as a cli parameter or from stdin. But in this case it's also possible to run this program and see the whole command line with the passphrase in a process list.

Now I'm considering hard-coding my passphrase in ecryptfs itself (or even reading it from protected eeprom) so it will work only on my device. Or I can use other encryption systems, but all of them have to take a key from somewhere. So the only way to do this as I see it is eeprom or hard-coding.

Are there better ways to store sensitive data securely on Raspberry's SD card?

Answer

Marcolino · Apr 26, 2015

You could use the RaspberryPi unique Serial Number.

You can retrieve it from /proc/cpuinfo

~# cat /proc/cpuinfo 
[...]
Hardware    : BCM2709
Revision    : a01041
Serial      : 00000000407xxxxx

Direct bash command:

~# ID=$(cat /proc/cpuinfo | grep ^Serial | cut -d":" -f2)
~# echo $ID
00000000407xxxxx

If you need to periodically change the encryption password, use the Rpi serial number as a decryption key for a static file that returns the ecryptfs encryption password. OpenSSL is your friend :D

Hope it helps.
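
The approach in the answer above, as an added example that is not part of the original post: it reads the serial from a cpuinfo-style file and uses it as the OpenSSL password for a file holding the eCryptfs passphrase, handing the serial to openssl on a file descriptor so it never shows up in the process list. The function names, file names, sample serial and passphrase are constructed for illustration. Because /proc/cpuinfo is readable by any process on the Pi, this ties the SD card to the board but does not hide the key from someone who holds both.

```shell
#!/bin/sh
# Added example, not from the original answer. Sample values are constructed.

# Print the Serial field of a cpuinfo-style file with whitespace stripped.
pi_serial() {
    awk -F: '/^Serial/ { gsub(/[ \t]/, "", $2); print $2; exit }' \
        "${1:-/proc/cpuinfo}"
}

# wrap_passphrase SERIAL OUTFILE: encrypt the passphrase read from stdin.
# The serial reaches openssl on fd 3, so it is not visible in the process list.
wrap_passphrase() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass fd:3 -out "$2" 3<<EOF
$1
EOF
}

# unwrap_passphrase SERIAL INFILE: write the decrypted passphrase to stdout.
unwrap_passphrase() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass fd:3 -in "$2" 2>/dev/null 3<<EOF
$1
EOF
}

# Demo on constructed data: a fake cpuinfo and a throwaway passphrase.
demo_dir=$(mktemp -d)
umask 077
printf 'Hardware\t: BCM2709\nRevision\t: a01041\nSerial\t\t: 00000000deadbeef\n' \
    > "$demo_dir/cpuinfo"
serial=$(pi_serial "$demo_dir/cpuinfo")
printf '%s' 'constructed-demo-passphrase' |
    wrap_passphrase "$serial" "$demo_dir/pass.enc"
# On a real device the output would be piped to the mount helper, not printed;
# here only its length is shown.
unwrap_passphrase "$serial" "$demo_dir/pass.enc" | wc -c
rm -rf "$demo_dir"
```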