Fli
01-16-2020, 09:11 AM
How to encrypt data on the Raspberry Pi with Raspbian?
A good way is possibly to encrypt the root partition. This RPi OS installer claims to allow LUKS encryption: https://www.berryterminal.com/doku.php/berryboot
Another method is to create an encrypted container using VeraCrypt. It means that if someone wants to read this container's data, he has to know the password into a running, logged-in system with the container mounted (decrypted). If I power-cycle the RPi and remove the SD card, I see only a big file with random content (encrypted gibberish).
Here is how to install VeraCrypt, create a new container and use it:
apt install makeself openssl libfuse2 libwxbase3.0-0v5 -y;
wget -L -O veracrypt-1.21-raspbian-setup.tar.bz2 https://launchpad.net/veracrypt/trunk/1.21/+download/veracrypt-1.21-raspbian-setup.tar.bz2
tar -vxjf ./veracrypt-1.21-raspbian-setup.tar.bz2;chmod +x veracrypt-1.21-setup-*;./veracrypt-1.21-setup-console-armv7
type "1" and hit enter
hit enter
hold spacebar until scrolled down
type "yes" and hit enter
enter key again
rm -rf veracrypt-*;openssl rand -base64 1024 > random
A) create Windows/Linux compatible encrypted container with minimal prompts:
cd
veracrypt enc --text --create --verbose --pim=0 --keyfiles= --volume-type=normal --filesystem=ntfs --encryption=AES --hash=SHA-512 --random-source=random
B) create container, but let me choose all parameters:
veracrypt enc --text --create -v --random-source=random
example answers:
1
/home/you/tc
123G
1
1
6 (NTFS for compatibility with Windows?)
secure non-dictionary password
Enter (empty input on PIM)
Enter (no keyfile)
rm random;mkdir dec
Mount volume:
veracrypt --pim=0 --keyfiles= --protect-hidden=no -m nokernelcrypto enc dec
List volumes:
df -h;veracrypt -l
Dismount all volumes:
veracrypt -d
Veracrypt parameters:
veracrypt -h|head
Regarding the "nokernelcrypto" mount parameter, I selected it because it gives the impression that it allows better performance when handling many tiny files:
commands used:
sudo dd if=/dev/zero of=/home/me/dec/testfile bs=1G count=1 oflag=dsync
sudo dd if=/dev/zero of=/home/me/dec/testfile bs=512 count=1000 oflag=dsync
Speed when mounted using Veracrypt "-m nokernelcrypto" parameter:
AES, SHA512, bs=1G count=1, nokernelcrypto -> 19.5MB/s
AES, SHA512, bs=512 count=1000, nokernelcrypto -> 675kB/s
Speed when mounted without that parameter:
AES, SHA512, bs=1G count=1 -> 27.9MB/s
AES, SHA512, bs=512 count=1000 -> 250kB/s
source: https://www.maffert.net/linux-veracrypt-installieren-und-nutzen/
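Added example, not part of the original post: a way to check the "big file with random gibberish" observation on a dismounted container by sampling byte entropy across the file. The function names, the sample count, the 64 KiB window and the 7.9 bits/byte threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that a container file at
# rest looks like random data. Function names, sample count, window size and
# the 7.9 threshold are assumptions chosen for illustration.

# Shannon entropy in bits per byte (0..8) of COUNT bytes starting at OFFSET.
chunk_entropy() {  # usage: chunk_entropy FILE OFFSET COUNT
    od -An -v -tu1 -j "$2" -N "$3" "$1" | awk '
        { for (i = 1; i <= NF; i++) { seen[$i]++; total++ } }
        END {
            h = 0
            for (b in seen) { p = seen[b] / total; h -= p * log(p) / log(2) }
            printf "%.3f\n", h
        }'
}

# Lowest entropy over SAMPLES evenly spaced windows, from the first bytes
# (where a volume header sits) to the last bytes of the file.
min_entropy() {  # usage: min_entropy FILE [SAMPLES] [WINDOW_BYTES]
    file=$1; samples=${2:-8}; window=${3:-65536}
    size=$(( $(wc -c < "$file") ))
    [ "$size" -ge "$window" ] || window=$size
    steps=$(( samples - 1 )); [ "$steps" -ge 1 ] || steps=1
    min=8.000; i=0
    while [ "$i" -lt "$samples" ]; do
        off=$(( (size - window) * i / steps ))
        h=$(chunk_entropy "$file" "$off" "$window")
        min=$(awk -v a="$h" -v b="$min" 'BEGIN { printf "%.3f\n", (a < b) ? a : b }')
        i=$(( i + 1 ))
    done
    echo "$min"
}

# Exit status 0 when every sampled window is near 8 bits/byte. High entropy
# alone does not prove encryption (compressed data is high too); a low
# window does show bytes that are not ciphertext.
looks_encrypted() {  # usage: looks_encrypted FILE [THRESHOLD]
    awk -v h="$(min_entropy "$1")" -v t="${2:-7.9}" 'BEGIN { exit !(h >= t) }'
}

# Stand-alone use: sh check.sh /path/to/container
if [ "$#" -gt 0 ]; then
    echo "minimum sampled entropy: $(min_entropy "$1") bits/byte"
    if looks_encrypted "$1"; then echo "no low-entropy window found"
    else echo "low-entropy window found"; fi
fi
```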