Encrypted Root Partition on Raspberry Pi 3+
For a long time I have wanted to set up a Raspberry Pi to use as a development
machine. The first attempts I made a few years ago were not successful using a
Raspberry Pi B (the machine was barely able to run chromium, much less an
npm watch command and a web inspector). But these days, a Raspberry Pi 3+ is
serviceable as a daily use development machine.
Another huge consideration for using a Raspberry Pi as a “daily driver” is security: unencrypted root and boot partitions on an easily removed SD card are “less than acceptable”, since anyone with physical access to the Pi can modify your OS and filesystem. Essentially, if the SD card is stolen, an attacker will have access to all files on it.
I don’t believe the Raspberry Pi is capable of having an encrypted boot partition or signed kernel at this point, so evil maid attacks with kernel modifications are not mitigated, but it is possible to encrypt the root filesystem so that the system is encrypted at rest; if the SD card is lost or stolen, your data should be safe.
Another exciting feature of the Raspberry Pi 3s is that they allow booting from USB, so one simple way of reducing the chances of an evil maid attack is to keep a USB drive on a keychain; any attacker will then need to get hold of the USB drive to perform an evil maid attack.
Please note that the following instructions for encrypting a USB storage device will not protect from evil maid attacks. If the USB device leaves the possession of the owner, it should be considered tainted, and should never be used to boot again (though encrypted data in the root partition may still be considered secure).
To begin with, the USB drive should be prepared on a running Linux installation.
Run `lsblk` to find the USB drive, and make sure you find the right device; for the following instructions we are using `/dev/sdX`, and I hope that is not an actual device on your system.
At the fdisk prompt, delete old partitions and create a new one:
- Type `o`. This will clear out any partitions on the drive.
- Type `p` to list partitions. There should be no partitions left.
- Type `n`, then `p` for primary, `1` for the first partition on the drive, press `ENTER` to accept the default first sector, then type `+512M` for the last sector.
- Type `t`, then `c` to set the first partition to type W95 FAT32 (LBA).
- Type `n`, then `p` for primary, `2` for the second partition on the drive, and then press `ENTER` twice to accept the default first and last sector.
- Write the partition table and exit by typing `w`.
```
cryptsetup luksFormat /dev/sdX2

WARNING!
========
This will overwrite data on /dev/sdX2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
```
```
cryptsetup open /dev/sdX2 pi-root
```
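```
# The page does not show creating the filesystems; mount fails without them (ext4 and vfat per the cmdline and fstab below)
mkfs.vfat /dev/sdX1
mkfs.ext4 /dev/mapper/pi-root
mount /dev/mapper/pi-root /mnt
mkdir -p /mnt/boot
mount /dev/sdX1 /mnt/boot
```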
```
wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C /mnt
sync
```
bsdtar complaining about
Failed to set file flags in
the operation was successful.
Note: the following steps should be done in the qemu chroot!
This is a badass way to manage a Pi system; you can just insert the USB drive into a host system and boot into it as if you’re physically using a Pi.
```
cd /mnt
systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt   # exit when finished with 'poweroff'
```
```
rm /etc/resolv.conf
echo "nameserver 184.108.40.206" > /etc/resolv.conf   ## Not sure about this one, it worked for me
```
```
pacman-key --init
pacman-key --populate archlinuxarm
pacman -Suy
```
```
pacman -S lvm2 cryptsetup
```
```
HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"
```
```
pacman -S linux
```
root=/dev/mapper/usb-drive cryptdevice=/dev/sda2:usb-drive rootfstype=ext4 to the command
```
# <file system> <dir> <type> <options> <dump> <pass>
/dev/sda1       /boot vfat   defaults  0      0
```
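Before leaving the chroot, the HOOKS order and the kernel parameters above can be checked mechanically, since a missing `encrypt` hook or a mapper name that differs between `cryptdevice=` and `root=` leaves the Pi unable to unlock its root at boot. This is an added example, not part of the original post; the function names are hypothetical, and the usual locations (`/etc/mkinitcpio.conf` for HOOKS, `/boot/cmdline.txt` for the kernel parameters) are assumptions, as the page names neither file.

```sh
#!/bin/sh
# Added example: preflight checks for the encrypted-root boot configuration.
# Function names are hypothetical; file paths are passed in by the caller.

# hooks_ok FILE: succeed if the active HOOKS line lists "encrypt" after
# "block" and before "filesystems", as in the HOOKS line on this page.
hooks_ok() {
    # Keep only hook-name characters so quotes, parentheses and "HOOKS="
    # all turn into separators; commented-out HOOKS lines are skipped.
    set -- $(grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 | tr -c 'a-z0-9_\n-' ' ')
    i=0 block=0 enc=0 fs=0
    for h in "$@"; do
        i=$((i + 1))
        case $h in
            block) block=$i ;;
            encrypt) enc=$i ;;
            filesystems) fs=$i ;;
        esac
    done
    [ "$block" -gt 0 ] && [ "$enc" -gt "$block" ] && [ "$fs" -gt "$enc" ]
}

# cmdline_ok FILE: succeed if cryptdevice=<device>:<name> is present and
# root= is /dev/mapper/<name> with the same <name>.
cmdline_ok() {
    name='' root=''
    for w in $(cat "$1"); do
        case $w in
            cryptdevice=*:*)
                name=${w#cryptdevice=}   # <device>:<name>[:<options>]
                name=${name#*:}          # drop <device>
                name=${name%%:*} ;;      # drop optional :<options>
            root=*) root=${w#root=} ;;
        esac
    done
    [ -n "$name" ] && [ "$root" = "/dev/mapper/$name" ]
}

# Usage: sh preflight.sh <mkinitcpio.conf> <cmdline.txt>
if [ "$#" -eq 2 ]; then
    rc=0
    hooks_ok "$1" || { echo "HOOKS: encrypt missing or out of order" >&2; rc=1; }
    cmdline_ok "$2" || { echo "cmdline: cryptdevice name and root= disagree" >&2; rc=1; }
    exit "$rc"
fi
```

Run it from the host against the mounted tree (paths under `/mnt`) or inside the chroot before `poweroff`; a non-zero exit status means one of the two checks failed.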
```
# inside the container
poweroff
# back on the host
umount /mnt/boot
umount /mnt
sync
```
Remove the SD card from the Raspberry Pi, plug in the USB drive and a USB keyboard, and power it on.