Hi, Henry.

My understanding: you would like a non-networked Raspberry Pi that can get
its runtime data from its sdcard, but the sdcard would be useless to
anyone else (encrypted).  Also, if someone were to log on to the device
using USB gadgets, they could not see, copy or modify any of the sdcard
data.

In the following, I make no attempt to make this setup compatible with
non-Linux systems (e.g. partitioning the sdcard, non-FAT fs, etc.).  I am
not at my usual workstation, so these are guidelines, not a howto recipe.

My suggestion:  partition the sdcard (sda) into a / root fs (sda1) and sda2
for /data, the data of interest.  Use cryptsetup to format sda2 as a LUKS
partition with a convenient (for you) password (password #1) and put your
favorite filesystem on the encrypted device.  If you don't need the bulk
of the sdcard encrypted, you can tailor the proportions of OS (/) to data
(/data) to your liking.

Now here's the neat thing about LUKS that you can exploit when booting
unattended: the LUKS partition can be decrypted by any of up to 8
passwords.  So password #1 could be human-understandable.  Password #2
could be a string that uniquely identifies your Raspberry Pi, such as its
MAC address or some other random-looking serial number unique to your
device, preferably hard to guess without having the device in your hands.

In your boot scripts, read the MAC address (or something unique) as a
password (#2) to mount the /data partition without user interaction.

Unless someone knows the human-readable password or the machine-specific
string (i.e. using it in the same device), that data partition is
unusable.

Coupling a device to its data card used to be called "marrying".  The data
card only works properly on that one device.

And as for someone logging on with USB devices on a console and looking at
the /data, here is a tip: disable logins without a password.  Networked? 
Same deal with ssh.

Software of interest: LUKS, cryptsetup, cryptmount

Let us know how your project goes!

Best regards,

Stephen Benoit
[email protected]

>> On 13-09-28 02:40 PM, Henry Olders wrote:
>> Hello, all,
>>
>> I want to run my raspi as a device for digital signage, the idea being
>> to display images fullscreen in a slideshow, without any user
>> intervention. I've got that running very well, using the raspbian
>> distro, openbox window manager, and either qiv or feh as the image
>> viewer. The slideshow starts automatically on boot, and runs forever,
>> which is what I want.
>>
>> Here is the problem: my client wants to prevent his images from being
>> copied, including being copied off of the SD card when physically
>> removed from the raspi. Encryption would accomplish this, so I'm looking
>> at getting truecrypt running on the raspi.
>>
>> The difficulty I foresee is that if someone plugs a keyboard and mouse
>> into the raspi when it's running, they can access a terminal emulator
>> which is already logged in as user pi, and (I think) copy the image
>> files out of the truecrypt container into an unencrypted directory.
>>
>> There may also be other security issues that people with more experience
>> know about.
>>
>> Any ideas or suggestions much appreciated!
>>
>> Henry
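
The unattended-unlock scheme described in the reply above, as an added example that is not part of the original thread. Assumptions not in the message: the mapper name `data`, the `eth0` interface, the `/dev/shm` temporary key file, and combining the MAC address with the CPU serial from `/proc/cpuinfo`.

```shell
#!/bin/sh
# Added example: unattended unlock of the LUKS /data partition using a
# device-derived key (the message's "password #2").
DATA_DEV="${DATA_DEV:-/dev/sda2}"      # partition naming used in the message
MAPPER_NAME="${MAPPER_NAME:-data}"     # assumed mapper name
MAC_FILE="${MAC_FILE:-/sys/class/net/eth0/address}"   # assumes eth0
CPUINFO="${CPUINFO:-/proc/cpuinfo}"    # carries the Pi's "Serial" line

# Print the device-bound key: MAC (colons stripped) followed by CPU serial.
# Both values are readable on the device itself, so this key only protects
# a card that has been removed from its Pi.
device_key() {
    mac=$(tr -d ':\n' < "$MAC_FILE") || return 1
    serial=$(awk -F': *' '/^Serial/ {print $2}' "$CPUINFO") || return 1
    [ -n "$mac" ] && [ -n "$serial" ] || return 1
    printf '%s%s\n' "$mac" "$serial"
}

# One-time step: add the device key to a free LUKS key slot.
# cryptsetup prompts for password #1 to authorise the change.
enroll_device_key() {
    key=$(device_key) || return 1
    keyfile=$(mktemp /dev/shm/devkey.XXXXXX) || return 1   # RAM-backed, assumed
    printf '%s' "$key" > "$keyfile"                        # no trailing newline
    cryptsetup luksAddKey "$DATA_DEV" "$keyfile"
    status=$?
    rm -f "$keyfile"
    return "$status"
}

# Boot-time step: open and mount /data without user interaction.
# The key is passed on stdin so it never shows up in the process list.
unlock_data() {
    key=$(device_key) || { echo "cannot read device identity" >&2; return 1; }
    printf '%s' "$key" | cryptsetup --key-file - luksOpen "$DATA_DEV" "$MAPPER_NAME" \
        || return 1
    mount "/dev/mapper/$MAPPER_NAME" /data
}

case "${1:-}" in
    enroll) enroll_device_key ;;
    unlock) unlock_data ;;
esac
```

Run it once with `enroll` after `cryptsetup luksFormat`, then call it with `unlock` from the boot scripts before the slideshow starts.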

_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
