Hardware Reference
In-Depth Information
Erasing the Pi should it fall into the
wrong hands
No secret agent device worth its name would be complete without a self-destruct
mechanism. While we can't quite make the Pi disappear in a puff of smoke, we can
rig a sneaky booby trap that will eliminate all traces of our secret agent setup if the Pi
were to get caught behind enemy lines.
First we are going to encrypt our entire home directory. Since we've been doing all of
our pranks and projects inside the
pi
user's home directory, if someone were to read
the SD card on another computer, they wouldn't be able to get any valuable data
from the card except for a pretty standard Raspbian installation.
Then we'll add an optional wipe trigger mechanism, which can be initiated either
locally from a USB keyboard or remotely via SSH, that will erase our encrypted home
directory and replace it with an empty, innocent-looking, and original home directory.
Encrypting your home with eCryptfs
eCryptfs is a stacked cryptographic file system. Unlike the cryptsetup/LUKS
encryption system that we saw in the previous section, it is layered on top of an
existing file system and encrypts/decrypts individual files on the fly (as they are
read and written).
1.
Let's install the necessary tools:
pi@raspberrypi ~ $ sudo apt-get install ecryptfs-utils lsof
cryptsetup
2.
Next, we need to load the
ecryptfs
kernel module:
pi@raspberrypi ~ $ sudo modprobe ecryptfs
3.
To help us migrate to an encrypted home directory,
ecryptfs
provides a
handy script that will make some initial safety checks and then guide us
through the whole process. The script will ensure that no running process is
reading or writing files to our home directory. We'll need to move out of the
way before staring the script:
pi@raspberrypi ~ $ cd /
4.
Now we can try running the
ecryptfs
home directory migration script:
pi@raspberrypi / $ sudo ecryptfs-migrate-home -u pi
