From 3e1049d0ed0e2d38b261bec39bf10c6074d65f84 Mon Sep 17 00:00:00 2001
From: Sun Knudsen
Date: Wed, 3 Mar 2021 15:10:07 -0500
Subject: [PATCH] Made filesystem read-only
---
 .../README.md | 123 +++++++++++++++++-
 .../qr-backup.sh | 11 +-
 .../qr-backup.sh.sig | Bin 566 -> 566 bytes
 3 files changed, 118 insertions(+), 16 deletions(-)
diff --git a/how-to-create-encrypted-paper-backup/README.md b/how-to-create-encrypted-paper-backup/README.md
index 69e0cf5..07d426c 100644
--- a/how-to-create-encrypted-paper-backup/README.md
+++ b/how-to-create-encrypted-paper-backup/README.md
@@ -2,7 +2,7 @@ Title: How to create encrypted paper backup
 Description: Learn how to create encrypted paper backup.
 Author: Sun Knudsen
-Contributors: Sun Knudsen , Alex Anderson
+Contributors: Sun Knudsen , Alex Anderson , Nico Kaiser
 Reviewers:
 Publication date: 2021-02-23T21:53:38.495Z
 Listed: true
@@ -54,6 +54,10 @@ $ git clone https://github.com/adafruit/Raspberry-Pi-Installer-Scripts.git
 $ cd Raspberry-Pi-Installer-Scripts
 $ sudo python3 adafruit-pitft.py --display=28c --rotation=90 --install-type=console
+
+$ cd ~
+
+$ rm -fr Raspberry-Pi-Installer-Scripts
 ```
 #### Disable console auto login
@@ -87,9 +91,7 @@ $ sudo apt install -y fim imagemagick zbar-tools
 $ pip3 install pillow qrcode --user
-$ echo "export GPG_TTY=\"\$(tty)\"" >> ~/.bashrc
-
-$ echo "export PATH=\$PATH:/home/pi/.local/bin" >> ~/.bashrc
+$ echo -e "export GPG_TTY=\"\$(tty)\"\nexport PATH=\$PATH:/home/pi/.local/bin" >> ~/.bashrc
 $ source ~/.bashrc
 ```
@@ -128,20 +130,127 @@ sudo curl -o /usr/local/sbin/secure-erase.sh https://sunknudsen.com/static/media
 sudo chmod +x /usr/local/sbin/secure-erase.sh
 ```
-### Step 10: disable Wi-Fi (if not using ethernet) or disconnect ethernet cable
+### Step 10: make filesystem read-only
-> WARNING: DO NOT CONNECT RASPBERRY PI TO NETWORK EVER AGAIN WITHOUT REINSTALLING RASPBERRY PI OS FIRST (DEVICE IS NOW “COLD”).
+> Heads-up: shout-out to Nico Kaiser for his amazing [guide](https://gist.github.com/nicokaiser/08aa5b7b3958f171cf61549b70e8a34b) on how to configure a read-only Raspberry Pi.
+
+#### Disable swap
+
+```shell
+sudo dphys-swapfile swapoff
+sudo dphys-swapfile uninstall
+sudo systemctl disable dphys-swapfile.service
+```
+
+#### Remove `dphys-swapfile` `fake-hwclock` and `logrotate`
+
+```shell
+sudo apt remove -y --purge dphys-swapfile fake-hwclock logrotate
+```
+
+#### Link `/etc/console-setup` to `/tmp/console-setup`
+
+```shell
+sudo mv /etc/console-setup /tmp/console-setup
+sudo ln -s /tmp/console-setup /etc/console-setup
+```
+
+#### Link `/etc/resolv.conf` to `/tmp/resolv.conf`
+
+```shell
+sudo mv /etc/resolv.conf /tmp/resolv.conf
+sudo ln -s /tmp/resolv.conf /etc/resolv.conf
+```
+
+#### Link `/home/pi/.gnupg` to `/tmp/pi/.gnupg`
+
+```shell
+mkdir -m 700 /tmp/pi
+mv /home/pi/.gnupg /tmp/pi/.gnupg
+ln -s /tmp/pi/.gnupg /home/pi/.gnupg
+```
+
+#### Enable `tmp.mount`
+
+```shell
+echo -e "D /tmp 1777 root root -\nD /tmp/console-setup 1700 root root -\nD /tmp/pi 1700 pi pi -\nD /tmp/pi/.gnupg 1700 pi pi -\nD /var/tmp 1777 root root -" | sudo tee /etc/tmpfiles.d/tmp.conf
+sudo cp /usr/share/systemd/tmp.mount /etc/systemd/system/
+sudo systemctl enable tmp.mount
+```
+
+#### Edit `/boot/cmdline.txt`
+
+```shell
+sudo cp /boot/cmdline.txt /boot/cmdline.txt.backup
+sudo sed -i 's/fsck.repair=yes/fsck.repair=skip/' /boot/cmdline.txt
+sudo sed -i '$ s/$/ noswap ro systemd.volatile=state/' /boot/cmdline.txt
+```
+
+#### Edit `/etc/fstab`
+
+```shell
+sudo cp /etc/fstab /etc/fstab.backup
+sudo sed -i -e 's/vfat\s*defaults\s/vfat defaults,ro/' /etc/fstab
+sudo sed -i -e 's/ext4\s*defaults,noatime\s/ext4 defaults,noatime,ro,noload/' /etc/fstab
+```
+
+#### Disable `/boot` macOS `fseventsd` logging and Spotlight indexing
+
+```shell
+sudo touch /boot/.metadata_never_index
+sudo mkdir -p /boot/.fseventsd
+sudo touch /boot/.fseventsd/no_log
+```
+
+### Step 11: disable Wi-Fi (if not using ethernet) or disconnect ethernet cable
 ```shell
 echo "dtoverlay=disable-wifi" | sudo tee -a /boot/config.txt
 ```
-### Step 11: reboot
+### Step 12: reboot
 ```shell
 sudo systemctl reboot
 ```
+> WARNING: DO NOT CONNECT RASPBERRY PI TO NETWORK EVER AGAIN WITHOUT REINSTALLING RASPBERRY PI OS FIRST (DEVICE IS NOW "READ-ONLY" AND “COLD”).
+
+### Step 13 (optional): compute SHA512 hash of SD card and store in password manager (on macOS)
+
+Run `diskutil list` to find disk ID of SD card with “Raspberry Pi OS Lite” installed (`disk2` in the following example).
+
+```console
+$ diskutil list
+/dev/disk0 (internal, physical):
+ #: TYPE NAME SIZE IDENTIFIER
+ 0: GUID_partition_scheme *500.3 GB disk0
+ 1: EFI EFI 209.7 MB disk0s1
+ 2: Apple_APFS Container disk1 500.1 GB disk0s2
+
+/dev/disk1 (synthesized):
+ #: TYPE NAME SIZE IDENTIFIER
+ 0: APFS Container Scheme - +500.1 GB disk1
+ Physical Store disk0s2
+ 1: APFS Volume Macintosh HD - Data 340.9 GB disk1s1
+ 2: APFS Volume Preboot 85.9 MB disk1s2
+ 3: APFS Volume Recovery 529.0 MB disk1s3
+ 4: APFS Volume VM 3.2 GB disk1s4
+ 5: APFS Volume Macintosh HD 11.3 GB disk1s5
+
+/dev/disk2 (internal, physical):
+ #: TYPE NAME SIZE IDENTIFIER
+ 0: FDisk_partition_scheme *15.9 GB disk2
+ 1: Windows_FAT_32 boot 268.4 MB disk2s1
+ 2: Linux 15.7 GB disk2s2
+
+$ sudo diskutil unmountDisk /dev/diskn (if previous step fails)
+Unmount of all volumes on disk2 was successful
+
+$ sudo openssl dgst -sha512 /dev/rdisk2
+SHA512(/dev/rdisk3)= 353af7e9bd78d7d98875f0e2a58da3d7cdfc494f2ab5474b2ab4a8fd212ac6a37c996d54f6c650838adb61e4b30801bcf1150081f6dbb51998cf33a74fa7f0fe
+```
+
 👍
 ---
diff --git a/how-to-create-encrypted-paper-backup/qr-backup.sh b/how-to-create-encrypted-paper-backup/qr-backup.sh
index 7feacb2..5620f33 100755
--- a/how-to-create-encrypted-paper-backup/qr-backup.sh
+++ b/how-to-create-encrypted-paper-backup/qr-backup.sh
@@ -35,8 +35,8 @@ normal=$(tput sgr0)
 basedir=$(dirname "$0")
 dev="/dev/sda1"
-tmp="/home/pi/tmp"
-usb="/home/pi/usb"
+tmp="/tmp/pi"
+usb="/tmp/usb"
 tput reset
@@ -60,11 +60,6 @@ if [ "$answer" = "y" ]; then
 sudo mkfs -t vfat $dev
 fi
-sudo mkdir -p $tmp
-if ! mount | grep $tmp > /dev/null; then
- sudo mount -t tmpfs -o size=100m tmp $tmp
-fi
-
 sudo mkdir -p $usb
 if ! mount | grep $usb > /dev/null; then
 sudo mount $dev $usb -o uid=pi,gid=pi
@@ -131,8 +126,6 @@ if [ "$answer" = "y" ]; then
 sudo fim --autozoom --quiet --vt 1 "$tmp/secret-hash.png"
 fi
-sudo umount $tmp
-
 sudo umount $usb
 printf "%s\n" "Done"
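Review bot: With the per-run `mount -t tmpfs … $tmp` (and its `mkdir -p $tmp`) removed in the `@@ -60,11 +60,6 @@` hunk, nothing visible in the script checks that `$tmp` — now `/tmp/pi` per the first hunk — is actually memory-backed, so on a device where the README's `tmp.mount`/`tmpfiles.d` step has not been applied, the secret images written under `$tmp` end up on the SD card and the directory may not even exist. A cheap guard before the first write restores the old guarantee, e.g. `findmnt -n -o FSTYPE --target "$tmp" | grep -qx tmpfs || { printf "%s\n" "$tmp is not on tmpfs, aborting" >&2; exit 1; }` (hedged: assumes util-linux `findmnt` is present, which it is on Raspberry Pi OS). The new defaults `tmp="/tmp/pi"` and `usb="/tmp/usb"` in the `@@ -35,8 +35,8 @@` hunk deserve a one-line comment pointing at the `D /tmp/pi 1700 pi pi -` entry in `/etc/tmpfiles.d/tmp.conf` that this README commit introduces, since the script now depends on that external setup. The enclosing script body continues outside both hunks.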
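Review bot: Dropping `sudo umount $tmp` in the `@@ -131,8 +126,6 @@` hunk also drops the step that discarded `$tmp/secret-hash.png` (and any other per-run files under `$tmp`) at the end of a run; with `/tmp/pi` now a long-lived directory that also holds `.gnupg`, those files remain readable on the device until reboot unless removed elsewhere, which is not visible in this hunk. If the script does not already delete them, add an explicit `rm -f -- "$tmp/secret-hash.png"` (plus the other files it writes) after the `fim` display, rather than clearing `$tmp` wholesale, which would take `.gnupg` with it. The surrounding `if [ "$answer" = "y" ]` block and the rest of the script start outside the hunk.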
diff --git a/how-to-create-encrypted-paper-backup/qr-backup.sh.sig b/how-to-create-encrypted-paper-backup/qr-backup.sh.sig index 27f32a4bbfcf3c87c560429730282911737c2834..ac72ccb0c629c6f1e4d50e8ab9f9ff3c64053391 100644 GIT binary patch delta 542 zcmV+(0^$9(1hxc_BY!{J=>Q4|5Fe*!hAX`j1w*9|{whh7_s4)P&WE0~jk5@5#4$o& zza2DmrQ&xdc&|n)#six2@sX?a)vY-`RZN(g>P>sz!xn2t5~1{swhud`@cBz}l*D(Y zUi|DKI!LI+{$A`h9e>NyDJqp73B1@sy2kbtdT|)){_aZdv43+KO<}GOlaL_Rq&+$6 zbH%Pt6Gwckr${;)8COVY`Y(Q_&rXbj6D3o14j4` zx(>-b2%I%RTubd1X&9%MFmxGYyzin^I10mM31tB6#q%?-dqUHs4U}~;Q1V!g< zrl@QaI5^-2c8ns-5iYb&CMX+TX+0rHBc_B&jUv;+j@|D2x~eJ!8bNLdunW5rmodX@ zxn|EG(zc|@>iuQY+g{ClF(C*g##~PG@V>}_N$U;4wSU`={iXK_YpauUU6~Pa(vl!L z21XxY%u0~XI5ljp_(bM!_T*=9;80yr9(jPU@d8L-yQkwo1NK$Fo~ZkFIdBl};VrG! zX#6;{IZREAl_=n>FE+g2kW(9HrT|{zR%{`)d|s&g=?t87!qYDfm)>72c#z1McC`}* g)$diQj8K;{X5v delta 542 zcmV+(0^$9(1hxc_BY!@p{{RXJ5Fe*!hAX`j1$&$j0HZSu_+ypQ$D9fh1%RESwE#^3 zWw8P9k=jXzC&kehzTXyGP^f~EVr`uO9D=8>lHQ{}aEtIB*0&zVT>8RfId&m?x#s0e z$Qb#l8E|pZ{n}`)In&Hbk^ZOC8G$8OJ-3P9q?nFIZShGVPJenv^5)$D0{xTJbANsG zy@(V4o;M?mTQ4h$P@_W_4P~vxu%M{s=-d%&7WZiG3(`|HdYSr=Ev}cC49P)((TGSE zXAJE2=bs}wik{>nD-*L66-i@U6|Im(tSGCJotw7QT*b(0dRiNjD_$13adLC&2+bpt zd<;$IEI=#bOMfY$^<(_oliu!t;*A9cx%gbubTy48v#d$fJkM^mnE8Lt;jj$MxB;MqIRa=}VVHn5T+}qvk$THq-lbQMGN_{6F)|RiX32DDnk3 z&n=?(*