A Raspberry Pi's data is stored in the operating system partition of a microSD card or HDD/SSD. During installation of the OS, there is no option to set up encrypted partitions (in any of the popular Pi operating systems). If the Pi’s media is lost or stolen, it can be connected to a different computer and all data can be read, irrespective of a strong login password or the state of auto-login (turned off or on).
The compromised data can include sensitive information such as "Firefox Profile Data", which contains login credentials (saved usernames and passwords for various websites). If this sensitive data falls into the wrong hands, it can lead to ID theft. This article is a step-by-step guide to protecting the data with encryption. It is a one-time configuration accomplished using GUI tools for simplicity.
Risk of Losing Media on a Raspberry Pi
Compared to a desktop or laptop computer, the Pi has neither screws nor any physical lock for its media. While this flexibility makes it convenient to switch operating systems, by swapping out the microSD card, it's not good for security. All it takes is a second for a bad actor to remove its media. Besides, microSD cards are so tiny that tracing them will be impossible.
Also, there is no clip for the microSD card slot on the Raspberry Pi. If the card slips out somewhere while you carry the Pi around, there is just as good a chance of someone going through its contents.
Different Ways of Securing Personal Data on the Pi
A few Pi users understand the risk and proactively encrypt individual files. Setting a master password for browsers is also a common practice. But, this additional effort needs to be put in every time.
Considering these factors, it is wise to set up encryption for the whole disk. The disk will remain unreadable by others unless they have the encryption passphrase, which of course they do not know and cannot ask you. Brute-forcing with a password dictionary will not break it either, because you will set a password that's good enough to resist such attacks.
Using the Existing Disk vs. Setting It Up on a New Disk
The idea is to make an encrypted partition and set it to work as the home directory. Since all personal data is usually in the home directory, data security will remain intact.
There are two different ways to do it:
- Make space for the encrypted partition on the disk that is currently used for the OS.
- Use a new SSD or hard disk, connect it to the Pi with a USB to SATA adapter (if needed), and use it as the encrypted partition.
There are certain advantages with both configurations:
- The first configuration uses the existing microSD card or SSD and does not need any additional hardware. Being a single disk, it keeps things compact and is good for portability.
- The second configuration is good for longer disk life because of the lower number of writes. It is also slightly faster since the reads/writes are distributed between two disks.
The first configuration is discussed here since it has a few more steps. The steps for the second configuration are a subset of the first, and it is easy to see which ones to leave out.
Installation here shows the process on Raspberry Pi OS; the same process can be replicated for Ubuntu Desktop OS and its flavors such as MATE.
Prepare the Disk for Encryption
Since the encrypted partition will be on the OS disk itself, the required space must be carved out of the root partition. This cannot be done on a booted Pi since the root partition is mounted already. So, use another computer that can run gnome-disk-utility, such as a Linux PC.
Alternatively, you can also dual-boot a Raspberry Pi or run a temporary OS with media connected using USB.
Connect your Pi’s OS disk to the other computer and install the tool to manage the disk:
sudo apt update
sudo apt install gnome-disk-utility
Open Disks from the menu or with the command:
gnome-disks
An optional step at this point is to back up the disk, particularly if there is important data on it. The Disks tool has a built-in feature to save the entire disk as an image. If needed, this image can be restored back to the media.
Carve out the space needed for the encrypted disk. Select the root partition, click the Gear control, and select Resize.
If using a microSD card or drive with 32GB or greater capacity, allot 15GB for the root partition and leave the rest for the partition to be encrypted.
Click Resize and the Free Space will be created.
When done, eject the media from this computer. Connect it to your Raspberry Pi and boot it up.
Install the Tools Required for Encryption
Open the terminal and install the Disks tool on the Pi:
sudo apt install gnome-disk-utility -y
Since encryption is needed, install the following crypto plug-in:
sudo apt install libblockdev-crypto2 -y
Restart the Disks service:
sudo systemctl restart udisks2.service
Set Up Encryption Using GUI: The Easy Way
Open the Disks tool from the menu or with the command:
gnome-disks
Select Free Space and click the + symbol to create the partition.
Leave the partition size at its default of maximum and click Next.
Give a Volume Name; for example, Encrypted. Select EXT4 and check Password protect volume (LUKS).
Give a strong passphrase. While it is advised to use a mix of numbers and special characters, the sheer length of the password alone will make it impossible to hack via brute-forcing. For example, a 17-character password will take a few million years to brute-force using today’s fastest computers. So you can use a really long sentence with the spaces removed.
Click Create, and the encrypted partition should be ready.
If you encounter an error with the /etc/crypttab entry, create a blank file using:
sudo touch /etc/crypttab
And then repeat the process of creating the partition using the + symbol.
The partition is now LUKS encrypted, but it must be unlocked at boot. An entry needs to be created in the /etc/crypttab file. Select the partition, click the gear control, and choose Edit Encryption Options.
Toggle User Session Defaults, check Unlock at system startup, provide the Passphrase, and click OK.
Now select the Encrypted partition and mount it using the play icon. Copy the mount point.
Move the Home Directory to the Encrypted Drive
For safety, clone the home directory now and delete the source directory later, after the process is successful (replace "arjunandvishnu" with your username).
sudo rsync -av /home/* /media/arjunandvishnu/Encrypted/
Give ownership of the copied files to the correct user:
sudo chown -Rv arjunandvishnu:arjunandvishnu /media/arjunandvishnu/Encrypted/arjunandvishnu
If there is more than one user, repeat:
sudo chown -Rv pi:pi /media/arjunandvishnu/Encrypted/pi
Mount the Disk Automatically
This encrypted partition must be automatically mounted at boot. Select the Encrypted disk, click the gear control, and select Edit Mount Options.
Toggle User Session Defaults and set the Mount Point to /home. This will add an entry to the /etc/fstab file.
Restart the Pi and log in. Firstly, the home directory must have 755 permissions:
sudo chmod 755 /home
To check that the Encrypted partition is being used for /home, create a blank folder on the desktop and verify by navigating to it through the Encrypted directory.
Note that on Raspberry Pi OS, the default file manager (pcmanfm) does allow deletions to the Recycle Bin on removable drives. To enable deletion to the Recycle Bin, uncheck the setting in Preferences.
Remove the Saved Encryption Passphrase
Earlier, while configuring encryption, the passphrase was saved. This configuration was created in the /etc/crypttab file.
Your luks-key file is stored unencrypted and opening it will reveal the password. This is a security risk and must be addressed. It is no good leaving the lock and the key together.
Delete your luks-key file and remove its reference from /etc/crypttab.
sudo rm /etc/luks-keys/YOUR-KEY
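An added example, not part of the original article: a shell check for the step above that lists /etc/crypttab entries still pointing at a stored key file and prints a version with the key file field set to none, which makes the system ask for the passphrase at boot. The sample crypttab, its entry names and its UUIDs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): audit a crypttab for stored key files.
# Fields: <name> <source device> <key file> <options>
# Key file "none" or "-" (or absent) means the passphrase is asked for at boot.

# Print "<name> <keyfile>" for entries that unlock from a key file on disk.
# $1: crypttab path (defaults to /etc/crypttab)
stored_keyfile_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        NF >= 3 && $3 != "none" && $3 != "-" &&
        $3 !~ /^\/dev\// { print $1, $3 }    # /dev/urandom etc. hold no secret
    ' "${1:-/etc/crypttab}"
}

# Print the file with each stored key file replaced by "none".
# Writes to stdout only, so the result can be reviewed first.
crypttab_prompt_only() {
    awk '
        /^[ \t]*(#|$)/ { print; next }
        NF >= 3 && $3 != "none" && $3 != "-" && $3 !~ /^\/dev\// { $3 = "none" }
        { print }
    ' "${1:-/etc/crypttab}"
}

# Constructed sample; entry names and UUIDs are placeholders.
sample_crypttab() {
    cat <<'EOF'
# <name> <device> <keyfile> <options>
luks-EXAMPLE-UUID UUID=EXAMPLE-UUID /etc/luks-keys/luks-EXAMPLE-UUID nofail
cryptswap /dev/mmcblk0p4 /dev/urandom swap
luks-already-fixed UUID=OTHER-UUID none nofail
EOF
}

tmp=$(mktemp)
sample_crypttab > "$tmp"
echo "Entries with a stored key file:"
stored_keyfile_entries "$tmp"
echo "Rewritten crypttab:"
crypttab_prompt_only "$tmp"
rm -f "$tmp"
```

Calling stored_keyfile_entries with no argument on the Pi audits the live /etc/crypttab; review the output of crypttab_prompt_only before replacing the file with it.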
Now, every time you boot, the Pi will ask for the encryption passphrase at the start. This is the expected behavior.
If a blank screen is presented, use the Up/Down Arrow key for the login screen to show up. Use Backspace to clear any characters and key in your encryption passphrase. It will unlock the encrypted partition.
Delete the Old Home Directory
Earlier, instead of moving, you copied the home directory. The contents of the old directory are still unencrypted and must be deleted if the information is sensitive. To do this easily, mount the media on another computer. Navigate to the OLD home directory in the root partition of the mounted external drive and delete it (be careful).
Encryption Is Easy on Raspberry Pi
Securing your data is a subject that will often make you walk the extra mile at the start, but will pay off well later. A lot of ifs and buts about encryption are covered here. But at the core, the instructions are simple and implementation is easy. There is no reason to be intimidated about encryption; recovering data is easy too, so long as you don’t forget the encryption passphrase.
If this encryption is set up along with RAID-1 data mirroring, it will offer security as well as safety for your data from physical drive failures and will complete the perfect setup.