In a series of postings I’ve covered parts of this process. This is going to be a ‘summary to date’ of what I think is, so far, the ‘best practice’ to get close to a Tails like experience with a Raspberry Pi.
IMHO it is “good enough” as a first cut for most of the things I would ever do, or need. It isn’t enough, however, if the folks after you are Three Letter Agencies. Bet your life on Tails, bet your reputation on Tor with a Tor Browser, and bet your embarrassment level on this solution; nothing more…
With that caveat, it’s pretty darned secure.
The basic layout is a BerryBoot install of Debian onto an encrypted chip (using LUKS) with a TOR router and IceWeasel browser with a “private” window. When finished with a session (that by choosing the private browser window is not saving history anyway) you can further choose to ‘reset’ the system back to the starting point, erasing all changes.
1) The “reset” is at the Berryboot level. This has a squashfs file system with a ‘write layer’ over it that is saved back to the mini-SD card. Doing a ‘reset’ releases that ‘write layer’ but does not necessarily scrub it. Over time, the SD card will do wear leveling and scramble those bits, plus the next use will reuse some of those blocks making things more obscure; however: IN THEORY, someone of NSA level skills could get into the card and extract those blocks. The encryption is all that stands in their way; so you need to be comfortable that LUKS is strong enough. I think it is, but we’re off in the land of black ops here and it is always less than proven just what state of the art is for Agency limits.
2) Encryption is via a pass phrase to LUKS. There might be ways to scan your keyboard and pick it up. In particular, I’m using a Bluetooth keyboard. An NSA van with scanner can track my keystrokes. So I’m not betting my life on this. But the neighbor or your local police are less likely to be going to that extent and much more likely to be doing the “warrant and grab” and then extort the passphrase out of you with legal threats. Give someone that phrase, then it’s down to just that wear leveling and recycle of blocks on the SD card and are they skilled enough to suck out those ‘deleted’ blocks and put them back together.
4) If YOU are not careful, YOU can leak. Use this to login to a site with your login name and password, on an unencrypted link, and you give away identity information. See the TOR website for a list of behavioural things you need to accept for real secrecy and anonymity.
5) As this is a mildly unique combination of settings, and folks can customize more, the system “profile” is to some extent a ‘finger print’. The WiFi dongle can find ‘who is near’ and if that is pulled out via a virus or malware, give a general location. This is mitigated somewhat by the ‘reset’. Visit a porn site ‘honey pot’ that puts malware on the system and they may install a beacon saying “this box and this place”, but it gets erased at the reset to baseline. Don’t erase, you take your chances. If it is a drug deal, stick with Tails or pure TOR and TOR Browser. If it’s just ‘posing’ as a sockpuppet on some website, this is fine. And remember to do the ‘reset’ after visiting anywhere ‘questionable’…
The actual ‘reset’ is done in Berryboot via a click of the ‘edit’ button at the top level, then choosing the ‘restore’ button after you highlight which operating system to ‘restore’ to the baseline image.
6) The OS has NOT been “locked down”. There’s a lot of stuff in here that likely ought to be removed and/or tightened.
OK, What Is It?
To make one of these, follow these directions. (Yes, I’m using it now, logged into my site, and violating one of the rules of staying anonymous with it.)
First, get the Berryboot bootloader for the Raspberry Pi. It has the two features of an encrypted install and ability to reset to baseline squashfs state. It also very nicely lets you save an image on external media via a ‘backup’ command so you can make several ‘checkpoint’ copies if you like. The ability to merge changes in with the baseline squashfs and make a new squashfs later is exploited here to make a comfortable build to work with, then reset it to that baseline as needed.
The “zip” files to download are here:
Unzip it and follow their directions. Basically you put their collection of bootloader files onto a FAT32 formatted mini-SD card (for the Pi Model 2, or regular SD for the original Pi, but the original Pi is too slow for decent TOR browsing experience, or even straight IceWeasel IMHO).
Stick the chip in your Pi and boot it up. You will be presented with a “select destination drive” menu. At this point you could choose an external USB stick, or drive, but realize it will want to format the whole thing. In one test on one PNY stick, it didn’t want to encrypt it. So I’d stick with the mini-SD card. Select it and check the ‘encrypt’ box.
Type “YES” when it asks if you really want to do this. Then you give it your pass phrase three times. One to set it, one to verify you didn’t type it wrong, and one to open it again after the encryption is done.
From here on, at every boot, you must give that passphrase to get the chip to boot.
It then asks you what OS to install. I always put “Puppy” on as it is only 129 MB, takes all of 7 minutes on my wire, and gives me a 2nd operating system I can boot in an emergency to look over the other system if I have a problem. For best security it ought to be removed later (Berryboot lets you do that with one click). Then I installed the latest Debian (Jessie). That took closer to an hour and a bit. Sometimes up to 2 hours if things are slow. I set it to ‘default’ by selecting it to highlight it then clicking the ‘default’ button.
Exit, and boot again. Enter the pass phrase.
At this point I stick in a USB stick or drive with my build script on it and some model files for things like /etc/fstab just so I don’t have to do a lot of typing. My present build script would be cut way back for a ‘secure minimal browsing’ system, but I like having a lot of tools and options available. This one takes a full hour to run, so prune out things you won’t use. Like that “btrfs and xfs” file system set and maybe the torrent server…
Here’s the result of the run notes:
```
And that's the end of my present install build process.

real    60m2.526s
user    7m17.920s
sys     4m55.160s
```

There was no build target for IceApe or Chromium present in Jessie.
Yeah, it took an hour to run, but not much CPU at all. It is network limited.
I have install lines for both IceApe (as it is in the Wheezy release of Debian) and Chromium (as it was in this release, but buggy, and will likely come back when fixed). Neither worked tonight; but I like IceWeasel better anyway ;-)
Here is the present status of the build script.
```
pi@Ra2PiM2 /home/pi $ cat BuildIt_2Nov2015
echo " "
echo "Do the BerryBoot install: "
echo " "
echo " https://www.berryterminal.com/doku.php/berryboot "
echo " "
echo "and choose the option of having disk encryption along with formatting the SD card"
echo "along with the Raspbian installation. Then copy this script from an external SD"
echo "card or USB drive into your working directory (home directory or /media/pi/CardName"
echo " "
#
# In general, I'm encapsulating what all I did in these two postings as a script:
#
# https://chiefio.wordpress.com/2015/07/18/raspberry-pi-m2-unboxing-and-setup/
#
# https://chiefio.wordpress.com/2015/07/22/raspberry-pi-software-setup/
#
# If you didn't already change the password while running at first set up, change it
# When done, log in as 'pi' password 'raspberry'. Change the password.
# passwd
# and respond with the new one when prompted.
echo "Also, to change the name of your machine, edit /etc/hostname and make it"
echo "what you like. "
echo "Here, I'm going to just set mine by brute force write to the file."
echo " "
echo "echo 'Ra2PiM2' > /etc/hostname "
echo " "
echo "Ra2PiM2"> /etc/hostname
echo " "
echo "Next, do the 'usual' update upgrade that brings you up to the present"
echo "repository status (need a network connection from here on out)"
echo " "
echo "You can either put 'sudo' in front of each of these commands, or just "
echo "'become root' which is what I usually do."
echo " "
echo "sudo bash"
echo " "
echo "then run this script with ./BuildIt (assuming you didn't change the name"
echo "and that you are 'in' the directory where it is located.)"
echo " "
echo "apt-get update"
echo "apt-get upgrade"
echo " "
apt-get update
apt-get upgrade
echo " "
echo "Start doing useful operational 'packages'. "
echo " "

# This gets the useful tools like "nslookup" for looking at Domain Names
echo " "
echo apt-get install dnsutils
echo " "
apt-get install dnsutils
echo " "
echo " VNC is a nice way to get a remote desktop. It takes some configuring later."
echo " "
echo " "
echo apt-get install tightvncserver
echo " "
apt-get install tightvncserver
echo " "
echo "I like wicd for an easier way to manage wireless devices and networks."
echo " "
echo " "
echo apt-get install wicd
echo " "
apt-get install wicd
echo " "
echo "Scrot is a tool for taking screen shots by saying 'scrot' in a terminal"
echo " "
echo " "
echo apt-get install scrot
echo " "
apt-get install scrot

# Normally I would install "build-essential" to get things like C compiler
# and some language tools, but they were already installed on the R.PiM2.
apt-get install build-essential
echo " "
echo "Some 'user land' useful things like browser options and Office / Mail tools."
echo " "
echo "Chromium is the 'chrome' browser from Google but in Linux land"
echo " "
echo " "
echo apt-get install chromium
echo " "
apt-get install chromium

# IceApe is a "more free" version of IceWeasel that is a "more free" version of
# Firefox that is a rebranded Mozilla that is... IceDove is the matching
# Thunderbird replacement minus the trademarks, non-free bits, etc.
echo " "
echo "Doing IceApe browser and IceDove mail reader"
echo " "
echo " "
echo apt-get install iceape
echo apt-get install iceweasel
echo apt-get install icedove
echo " "
apt-get install iceape
apt-get install iceweasel
apt-get install icedove
echo " "
echo "GIMP is the photo editor ( 'photoshop Free'...) "
echo " "
echo " "
echo apt-get install gimp
echo " "
apt-get install gimp
echo " "
echo "Don't forget Libreoffice - Microsoft? We don't need no steenking MicroSoft..."
echo " "
echo " "
echo apt-get install libreoffice
echo " "
apt-get install libreoffice

# As I also wanted one of these to be a bittorrent server, I sometimes add
# the "transmission" bittorent code.
echo " "
echo "Adding the 'transmission' bit torrent server"
echo " "
echo " "
echo apt-get install transmission transmission-daemon
echo " "
apt-get install transmission transmission-daemon
echo " "
echo "To get NTFS disks (like USB or an NTSB formatted SD card in adapter) to "
echo "work 'read write' instead of just 'read only', you need ntfs-3g"
echo " "
echo " "
echo apt-get install ntfs-3g
echo " "
apt-get install ntfs-3g

# In Theory, this installed 2 VNC "viewers" so the R.Pi could use VNC to
# get to other machines. In practice, I found that one of them locked up
# my console when launched against my own machine as target (might be a
# PIBKAC problem - Problem Is Between Keyboard And Chair - as the R.Pi
# isn't really expecting to drive 2 video sessions at once (the real one
# and the VNC one inside the real one...) so maybe all is fine and I just
# need to RTFM (Read The, er, "Friendly" Manual) before using software...
echo " "
echo "Some VNC Viewers for being the client instead of the server"
echo "I've not used either of these yet so have no clue about them in practice"
echo " "
echo " "
echo apt-get install xtightvncviewer
echo apt-get install ssvnc
echo " "
apt-get install xtightvncviewer
apt-get install ssvnc
echo " "
echo "Want an NFS (Network File System) server so you can share disks with"
echo "your internal network? This will install the code, then you get to"
echo "configure things like /etc/exports"
echo " "
echo " "
echo apt-get install nfs-kernel-server
echo " "
apt-get install nfs-kernel-server
# prior to first use. Or reboot.
# In your /etc/exports file, put something like:
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
# /YourFileSystem *(rw,sync,fsid=0,no_root_squash)
# But without the # in front of YourFileSystem... and with your file system...
echo " "
echo "IF you has a partition named /media/data: "
echo "This adds it to the /etc/exports file so it is NFS mountable elsewhere"
echo " "
echo "echo '/media/data *(rw,sync,fsid=0,no_root_squash,no_subtree_check)' >> /etc/exports"
echo " "
#echo "/media/data *(rw,sync,fsid=0,no_root_squash,no_subtree_check)" >> /etc/exports
# Remember to do a
echo " "
echo "Restarting the appropriate services so NFS will work"
echo " "
echo " "
echo service rpcbind restart
echo service nfs-kernel-server restart
echo " "
service rpcbind restart
service nfs-kernel-server restart

# I did NOT make this box a static IP number. You will need to
# make this your own server name and IP numbers, if you choose to do that.
#
# Here's my std /etc/network/interfaces file with leading # to make it comments.
#
echo " "
echo "Remember to make your /etc/network/interfaces file have a static IP#"
echo "If you are going to be using PXE boot and such"
echo " "
#auto lo
#iface lo inet loopback
#auto eth0
#allow-hotplug eth0
#iface eth0 inet static
#address 172.16.16.253
#netmask 255.255.255.0
#gateway 172.16.16.254
#dns-domain chiefio.home
#dns-nameservers 172.16.16.254 192.168.1.253 chose that 'add a 512 MB partition option' at build time192.168.1.1
#
#auto wlan0
#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
#
#auto wlan1
#allow-hotplug wlan1
#iface wlan1 inet manual
#wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

# Don't forget to do a
# ifdown eth0
# wait a minute for it to quiet down
# ifup eth0

# As I want this to be a DNS server, DHCP server, and PXE server (uses a
# tftp or "Trivial File Transfer Protocol" server, all of those can come in
# one package with dnsmasq.
echo " "
echo "Installing a light weight but effective DNS, DHCP and TFTP service"
echo " "
echo " "
echo apt-get install dnsmasq
echo " "
apt-get install dnsmasq
echo " "
echo "Yes, it takes configuring. See the file at"
echo " /etc/dnsmasq.conf"
echo " "

# Then I installed the Apache web server :
# http://www.raspipress.com/2012/09/tutorial-install-apache-php-and-mysql-on-raspberry-pi/
echo " "
echo "Instlling the Apache Web Servier and related stuff"
echo " "
echo " "
echo "apt-get install apache2 apache2-utils apache2-doc"
echo " "
apt-get install apache2 apache2-utils apache2-doc
# and yes, it takes some configuring and even web page building.
# See files in places like /etc/apache2/sites-available and more.
echo " "
echo "apt-get install libapache2-mod-php5 php5 php-pear php5-xcache"
echo " "
apt-get install libapache2-mod-php5 php5 php-pear php5-xcache

# From here on down are things I added over time from the last script.
# they are not yet well commented here.

# Mysql database:
echo " "
echo "apt-get install php5-mysql"
echo " "
apt-get install php5-mysql
echo " "
echo "apt-get install mysql-server mysql-client"
echo " "
apt-get install mysql-server mysql-client

# TOR The Onion Router, and a monitor program that I'm not using yet.
echo " "
echo "apt-get install tor monit"
echo " "
apt-get install tor monit

# The squid caching proxy
echo " "
echo "apt-get install squid"
echo " "
apt-get install squid

# Some sound tools
echo " "
echo "apt-get install alsa-utils"
echo " "
apt-get install alsa-utils
echo "Use amixer cset numid=3 2 to put sound on the HDMI output"
#amixer cset numid=3 2
amixer cset numid=3 1
modprobe snd_bcm2835

# Cryptographic bits, the logical volume manager, and a forensics tool.
echo " "
echo "apt-get install cryptsetup lvm2 dcfldd"
echo " "
apt-get install cryptsetup lvm2 dcfldd

# Now we're going to install some totally optional file system types as I like to play with file sytems:
echo " "
echo "apt-get install btrfs-tools xfsprogs hfsutils gparted"
echo " "
apt-get install btrfs-tools xfsprogs hfsutils gparted
echo " "
echo "apt-get install squashfs-tools unionfs-fuse "
echo " "
apt-get install squashfs-tools unionfs-fuse
echo " "
echo "The f2fs file systems didn't build last time. How about this time?"
echo " "
#echo apt-get install ft2f
#
echo " "
echo "And that's the end of my present install build process."
echo " "
#
# There are several files to edit and configure. Eventually I'll add a
# "here script" to dump them from this script to where they belong, or
# I'll just save a copy and have a 'save / restore' copy process.
#
# Once I get everything configured ;-)
pi@Ra2PiM2 /home/pi $
```
At the end of this script, reboot. That lets the various delayed install triggers do their thing. Then reboot again.
On this second reboot, choose the ‘edit’ option of Berry Boot and save a ‘backup’ copy of this finished system off to an external USB device. That’s the second button that saves it all with changes. Now you can install it as desired without going through all those steps. (Hold down the ‘add OS’ button and it gives you a choice of ‘from external media’).
Also, you can ‘clone’ it in place. If you have the space on your card, do that. If not, repeat the Berryboot install but this time suck in the saved copy as your ‘base’ state. Now when you click ‘restore’ button up there next to backup, it will reset to this fully installed state and not to the raw unconfigured Debian.
To configure your browser to use TOR, click on the horizontal lines icon at the far right of IceWeasel and pick “preferences”. In the network tab, click ‘settings’. Click the ‘manual proxy’ radio button. Then put 127.0.0.1 in the “SOCKS host” box and put 9050 in port number. Do not put any entries in the other proxy lines (HTTP, SSL, FTP). Do click the SOCKS v5 radio button.
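A check for the settings above, as an added example that is not part of the original post: it reads a profile's prefs.js and confirms the SOCKS-only setup, and it also checks network.proxy.socks_remote_dns, a preference the post does not mention, because without it hostname lookups go out directly instead of through Tor. The sample prefs files are constructed, and treating an absent socks_version as v5 and an absent socks_remote_dns as off are assumptions about the browser defaults.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Iceweasel/Firefox
# prefs.js for the SOCKS-only Tor proxy settings, plus remote DNS.

# Print the last value set for pref $2 in file $1, quotes stripped; empty if unset.
# prefs.js lines look like: user_pref("network.proxy.socks_port", 9050);
pref_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots literally
    sed -n "s/^user_pref(\"$pat\", *\(.*\));[[:space:]]*\$/\1/p" "$1" |
        tail -n 1 | tr -d '"'
}

# Record one finding; "bad" belongs to the audit subshell that calls this.
note() { echo "FAIL: $1"; bad=$((bad + 1)); }

# Exit status 0 if every check passes, otherwise the number of findings.
# The body is a subshell, so its variables stay local and "exit" only
# sets the function's return code.
audit_tor_proxy() (
    f=$1; bad=0
    [ -r "$f" ] || { echo "cannot read $f"; exit 99; }
    [ "$(pref_value "$f" network.proxy.type)" = 1 ] ||
        note "network.proxy.type is not 1 (manual proxy configuration)"
    [ "$(pref_value "$f" network.proxy.socks)" = 127.0.0.1 ] ||
        note "SOCKS host is not 127.0.0.1"
    [ "$(pref_value "$f" network.proxy.socks_port)" = 9050 ] ||
        note "SOCKS port is not 9050"
    # Assumption: an absent socks_version means the browser default, SOCKS v5.
    v=$(pref_value "$f" network.proxy.socks_version)
    [ -z "$v" ] || [ "$v" = 5 ] || note "SOCKS version is $v, not 5"
    # Assumption: absent means off. Then the browser resolves names itself,
    # outside Tor, and the sites you visit are visible to your resolver.
    [ "$(pref_value "$f" network.proxy.socks_remote_dns)" = true ] ||
        note "network.proxy.socks_remote_dns is not true (DNS bypasses Tor)"
    for p in http ssl ftp; do
        v=$(pref_value "$f" "network.proxy.$p")
        [ -z "$v" ] || note "network.proxy.$p is set to '$v'; leave it empty"
    done
    [ "$bad" -eq 0 ] && echo "OK: $f matches the SOCKS-only Tor setup"
    exit "$bad"
)

# Write a constructed prefs.js to $1; $2 is the socks_remote_dns value.
write_sample_prefs() {
    cat > "$1" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", $2);
EOF
}

tmp=$(mktemp -d)
write_sample_prefs "$tmp/good.js" true
write_sample_prefs "$tmp/leaky.js" false
audit_tor_proxy "$tmp/good.js"  || echo "findings: $?"
audit_tor_proxy "$tmp/leaky.js" || echo "findings: $?"
rm -rf "$tmp"
```

Run it against the prefs.js in the browser's profile directory after closing the browser, so the settings made in the dialog have been written out.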
That ought to do it. Test that you are getting to the TOR router here:
I know I glossed over the Berryboot options some, but they explain them pretty well. The basic notion is just to make a base system configured the way you like it, then save that off and make a clone of it that you use. When done with a session, reset to this base state with the restore button / feature in Berryboot.
Using TOR gives some degree of anonymity, and using a generic box adds more. Make it a portable pi via add on screen and / or in the Dongle Pi mode and you can use it with WiFi at a variety of hot spots to further disconnect folks from your identity (i.e. IP is not yours).
While this isn’t a full on TAILS, and while I still need to find the TOR Browser source to try a build of it, this does go a long ways toward both privacy and anonymity. It will also be more resilient to attack as it gets reset to the “base state” after any given session. (As long as you choose to do that… with the ‘restore’ button)
It is relatively secure even if the chip is captured, as it is encrypted. The micro-SD card is also small enough to easily hide just about anywhere. A ‘dd’ image of the card is also full of encrypted blocks, so can be put ‘in the cloud’ with some security. Though note that the Berryboot ‘backup’ button image is not encrypted so if you have sensitive stuff on it, encrypt it separately before cloud storage. The way I will use it has just a basic install with ‘my data’ on a removable USB device that will be encrypted in a different manner. You have choices here.
In short, it is pretty good anonymity, pretty good security, and fairly good at being amnesiac when you ask it to do so. Yet flexible enough to let you choose your levels of those things and / or save things off on USB sticks and drives.