keyboardman
Posts: 149
Joined: Tue Nov 21, 2023 6:48 pm

Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 4:35 pm

It would be cool. You could just tick "encrypt" and enter your password.

neilgl
Posts: 7452
Joined: Sun Jan 26, 2014 8:36 pm
Location: Near The National Museum of Computing

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 4:39 pm

What is being encrypted?

keyboardman
Posts: 149
Joined: Tue Nov 21, 2023 6:48 pm

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 4:59 pm

neilgl wrote:
Sat Dec 09, 2023 4:39 pm
What is being encrypted?
The disk. Full-disk LUKS encryption.

ejolson
Posts: 12154
Joined: Tue Mar 18, 2014 11:47 am

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 5:31 pm

keyboardman wrote:
Sat Dec 09, 2023 4:59 pm
neilgl wrote:
Sat Dec 09, 2023 4:39 pm
What is being encrypted?
The disk. Full-disk LUKS encryption.
Although super cool, that might require porting LUKS and maybe LVM2 to every operating system Raspberry Pi imager runs on.

As I can't imagine that happening, for SD cards larger than 32GB an alternative might place an unencrypted root filesystem at the end of the SD card and at first boot create an encrypted partition in the usual place, copy the root there and then delete the unencrypted root. After that one could extend the encrypted partition to the rest of the card.

This only requires the imager to understand SD card partitions well enough to create a partition at the end of the card when writing the image. I can't see that happening either.

More likely someone on this forum could create an unreliable shell script that shrinks an existing root partition enough to create a new partition at the end of the SD card. Copy the root filesystem there, reboot into the new root and then continue as already mentioned.

Note that I'm not volunteering to write such a script. I tried LUKS a long time ago and after some time had to restore all the data from backups because something went wrong. In my opinion it's already difficult enough to avoid losing data. Encryption only introduces one more point of failure that results in data loss.
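Added example, not part of ejolson's post and not rpi-imager code: a sketch of the partition-table step the post describes, moving the image's root entry to the end of the card and reporting the region left "in the usual place" for the encrypted partition. The 4 MiB alignment, the 16 MiB LUKS2 header allowance (cryptsetup's default), the function names and the sample MBR are all assumptions constructed for illustration.

```python
import struct

ALIGN = 8192        # 4 MiB in 512-byte sectors (assumed alignment)
LUKS2_HDR = 32768   # 16 MiB, cryptsetup's default LUKS2 header area (assumption)

def parse_mbr(mbr):
    """Return [(type, start_lba, sector_count)] for the four primary entries."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xaa":
        raise ValueError("not an MBR sector")
    return [(mbr[446 + 16 * i + 4],
             *struct.unpack_from("<II", mbr, 446 + 16 * i + 8))
            for i in range(4)]

def relocate_root(mbr, card_sectors):
    """Move the first Linux (0x83) entry to the end of the card.

    Returns (new_mbr, (reserved_start, reserved_sectors)); the reserved
    region is where first boot would create the LUKS partition.
    """
    parts = parse_mbr(mbr)
    idx = next((i for i, p in enumerate(parts) if p[0] == 0x83), None)
    if idx is None:
        raise ValueError("no Linux (0x83) partition in image")
    if card_sectors > 0xFFFFFFFF:
        raise ValueError("card exceeds the 32-bit LBA range of an MBR")
    _, old_start, length = parts[idx]
    new_start = (card_sectors - length) // ALIGN * ALIGN
    reserved = new_start - old_start
    # The encrypted copy needs the root's size plus the LUKS2 header.
    if reserved < length + LUKS2_HDR:
        raise ValueError("card too small to stage root at the end")
    out = bytearray(mbr)
    # Only the LBA start changes; the legacy CHS bytes are left untouched.
    struct.pack_into("<I", out, 446 + 16 * idx + 8, new_start)
    return bytes(out), (old_start, reserved)

def sample_mbr():
    """Constructed sample: 512 MiB FAT boot partition plus a 5 GiB root."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate([(0x0C, 8192, 1048576),
                                               (0x83, 1056768, 10485760)]):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, 0, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", start, count)
    mbr[510:] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    new_mbr, reserved = relocate_root(sample_mbr(), 8192 * 15000)
    print(parse_mbr(new_mbr)[1], reserved)
```

An imager using this layout would also have to write the root filesystem data at the new offset; the sketch covers only the table entry and the size check.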

redvli
Posts: 1735
Joined: Thu Sep 03, 2020 8:09 am

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 6:27 pm

keyboardman wrote:
Sat Dec 09, 2023 4:35 pm
It would be cool. You could just tick "encrypt" and enter your password.
Imager should be Installer (a modified-for-raspi Debian installer) that runs on the Pi itself. Like what is more or less possible with the HTTP net installer if no storage is inserted at powerup.

bls
Posts: 3570
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 6:44 pm

While it would be great to see rpi-imager add encryption, it seems to me that a) it's not of interest to most Pi users, and b) could be difficult to do in rpi-imager running on non-Linux platforms (this is a total SWAG after a quick read through how to do LUKS). I have nothing to do with rpi-imager development...comments based on observation and experience.

That said, it also strikes me that sdm might be able to support this as a new sdm plugin. I've added a note to investigate this to the ever-growing list of sdm TODOs. Speaking from first-hand knowledge here :lol:.
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

trejan
Posts: 7082
Joined: Tue Jul 02, 2019 2:28 pm

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 6:59 pm

bls wrote:
Sat Dec 09, 2023 6:44 pm
could be difficult to do in rpi-imager running on non-Linux platforms
Imager could pass it off to the initrd to do the reencrypt but it'd be an exceptionally long wait at first boot even with small cards.

bls
Posts: 3570
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 7:02 pm

trejan wrote:
Sat Dec 09, 2023 6:59 pm
bls wrote:
Sat Dec 09, 2023 6:44 pm
could be difficult to do in rpi-imager running on non-Linux platforms
Imager could pass it off to the initrd to do the reencrypt but it'd be an exceptionally long wait at first boot even with small cards.
Agree. I said "difficult", and in my book doing it during first boot would classify it as "difficult", whereas tending to it on the newly-burned disk on an already-running system seems like it would be "less difficult".

neilgl
Posts: 7452
Joined: Sun Jan 26, 2014 8:36 pm
Location: Near The National Museum of Computing

Re: Add Encryption Option to Raspberry Pi Imager

Sat Dec 09, 2023 11:52 pm

What bls said "a) it's not of interest to most Pi users"?

redvli
Posts: 1735
Joined: Thu Sep 03, 2020 8:09 am

Re: Add Encryption Option to Raspberry Pi Imager

Sun Dec 10, 2023 7:33 am

neilgl wrote:
Sat Dec 09, 2023 11:52 pm
What bls said "a) it's not of interest to most Pi users"?
Until Pis become so mainstream that, like laptops and smartphones, they also get stolen. Or if the thief is mainly interested in your data or wifi access PSK, they just take the SD card.

Alternative is to netboot a Pi, so the whole bootfs and rootfs can be on NAS or so. Of course no solution when standalone.

incognitum
Posts: 1426
Joined: Tue Oct 30, 2018 3:34 pm

Re: Add Encryption Option to Raspberry Pi Imager

Sun Dec 10, 2023 8:48 am

bls wrote:
Sat Dec 09, 2023 6:44 pm
While it would be great to see rpi-imager add encryption, it seems to me that a) it's not of interest to most Pi users
Correct.
Did support LUKS full card encryption in Berryboot, but was never popular.

HermannSW
Posts: 6244
Joined: Fri Jul 22, 2016 9:09 pm
Location: Eberbach, Germany

Re: Add Encryption Option to Raspberry Pi Imager

Sun Dec 10, 2023 9:29 am

Years ago in my department at the IBM Böblingen/Germany lab there were some Raspberry Pi3s.
There was a special image that allowed connecting the Pi3 to the IBM network.
One essential feature I remember was that the whole drive was LUKS encrypted ...
https://github.com/Hermann-SW/RSA_numbers_factored
https://stamm-wilbrandt.de/GS_cam_1152x192@304fps
https://hermann-sw.github.io/planar_graph_playground
https://github.com/Hermann-SW/Raspberry_v1_camera_global_external_shutter
https://stamm-wilbrandt.de/

neilgl
Posts: 7452
Joined: Sun Jan 26, 2014 8:36 pm
Location: Near The National Museum of Computing

Re: Add Encryption Option to Raspberry Pi Imager

Sun Dec 10, 2023 7:11 pm

Yes, ....connect to the IBM network .. if we have an enterprise network with commercial sensitivity we would encrypt.
