Building A Nearly Tails Raspbian Pi

In a series of postings I’ve covered parts of this process. This is going to be a ‘summary to date’ of what I think is, so far, the ‘best practice’ to get close to a Tails like experience with a Raspberry Pi.

IMHO it is “good enough” as a first cut for most of the things I would ever do, or need. It isn’t enough, however, if the folks after you are Three Letter Agencies. Bet your life on Tails, bet your reputation on Tor with a Tor Browser, and bet your embarrassment level on this solution; nothing more…

With that caveat, it’s pretty darned secure.

The basic layout is a BerryBoot install of Debian onto an encrypted chip (using LUKS) with a TOR router and IceWeasel browser with a “private” window. When finished with a session (that by choosing the private browser window is not saving history anyway) you can further choose to ‘reset’ the system back to the starting point, erasing all changes.

The limitations:

1) The “reset” is at the Berryboot level. This has a squashfs file system with a ‘write layer’ over it that is saved back to the mini-SD card. Doing a ‘reset’ releases that ‘write layer’ but does not necessarily scrub it. Over time, the SD card will do wear leveling and scramble those bits, plus the next use will reuse some of those blocks making things more obscure; however: IN THEORY, someone of NSA level skills could get into the card and extract those blocks. The encryption is all that stands in their way; so you need to be comfortable that LUKS is strong enough. I think it is, but we’re off in the land of black ops here and it is always less than proven just what state of the art is for Agency limits.

2) Encryption is via a pass phrase to LUKS. There might be ways to scan your keyboard and pick it up. In particular, I’m using a Bluetooth keyboard. An NSA van with scanner can track my keystrokes. So I’m not betting my life on this. But the neighbor or your local police are less likely to be going to that extent and much more likely to be doing the “warrant and grab” and then extort the passphrase out of you with legal threats. Give someone that phrase, then it’s down to just that wear leveling and recycle of blocks on the SD card and are they skilled enough to suck out those ‘deleted’ blocks and put them back together.

3) It isn’t a TOR Browser. Private Session is pretty good and not keeping a lot of stray info around, but it isn’t as locked down as the TOR browser. You can, for example, watch YouTube videos and visit non-encrypted sites, put in passwords and account names, and generally leak information about who you are by being less than careful or running FLASH or Javascript that sucks identity information out of the browser. Now as long as you ARE a bit careful, they will just get that it is a Raspberry Pi with Debian at address or whatever… and the TOR exit relay on the other end. Again, TLAs (Three Letter Agencies) and folks “with large staff” can find ways to inject code to do things that the TOR browser will prevent. I was able to compile the “Tor Bundle” only to find out it was just The Onion Router and not the browser. I’ve still not found where the TOR browser source is available (for 32 bit Linux). That’s a ‘dig here’ for anyone wanting to pitch in. Find the link for the source and I’ll attempt the compile / port. It wasn’t under the ‘source’ tab at the TOR site, near as I can tell.

4) If YOU are not careful, YOU can leak. Use this to login to a site with your login name and password, on an unencrypted link, and you give away identity information. See the TOR website for a list of behavioural things you need to accept for real secrecy and anonymity.

5) As this is a mildly unique combination of settings, and folks can customize more, the system “profile” is to some extent a ‘finger print’. The WiFi dongle can find ‘who is near’ and if that is pulled out via a virus or malware, give a general location. This is mitigated somewhat by the ‘reset’. Visit a porn site ‘honey pot’ that puts malware on the system and they may install a beacon saying “this box and this place”, but it gets erased at the reset to baseline. Don’t erase, you take your chances. If it is a drug deal, stick with Tails or pure TOR and TOR Browser. If it’s just ‘posing’ as a sockpuppet on some website, this is fine. And remember to do the ‘reset’ after visiting anywhere ‘questionable’…

The acutal ‘reset’ is done in Berryboot via a click of the ‘edit’ button at the top level, then choosing the ‘restore’ button after you highlight which operating system to ‘restore’ to the baseline image.

6) The OS has NOT been “locked down”. There’s a lot of stuff in here that likely ought to be removed and/or tightened.

OK, What Is It?

To make one of these, follow these directions. (Yes, I’m using it now, logged into my site, and violating one of the rules of staying anonymous with it.)

First, get the Berryboot bootloader for the Raspberry Pi. It has the two features of an encrypted install and ability to reset to baseline squashfs state. It also very nicely lets you save an image on external media via a ‘backup’ command so you can make several ‘checkpoint’ copies if you like. The ability to merge changes in with the baseline squashfs and make a new squashfs later is exploited here to make a comfortable build to work with, then reset it to that baseline as needed.

The “zip” files to download are here:

Unzip it and follow their directions. Basically you put their collection of bootloader files onto a FAT32 formatted mini-SD card (for the Pi Model 2, or regular SD for the original Pi, but the original Pi is too slow for decent TOR browsing experience, or even straight IceWeasel IMHO)

Stick the chip in your Pi and boot it up. You will be presented with a “select destination drive” menu. At this point you could choose an external USB stick, or drive, but realize it will want to format the whole thing. In one test on one PNY stick, it didn’t want to encrypt it. So I’d stick with the mini-SD card. Select it and check the ‘encrypt’ box.

Type “YES” when it asks if you really want to do this. Then you give it your pass phrase three times. One to set it, one to verify you didn’t type it wrong, and one to open it again after the encryption is done.

From here on, at every boot, you must give that passphrase to get the chip to boot.

It then asks you what OS to install. I always put “Puppy” on as it is only 129 MB, takes all of 7 minutes on my wire, and gives me a 2nd operating system I can boot in an emergency to look over the other system if I have a problem. For best security it ought to be removed later ( Berryboot lets you do that with one click). Then I installed the latest Debian (Jessie). That took closer to an hour and a bit. Sometimes up to 2 hours if things are slow. I set it to ‘default’ by selecting it to highlight it then clicking the ‘default’ button.

Exit, and boot again. Enter the pass phrase

At this point I stick in a USB stick or drive with my build script on it and some model files for things like /etc/fstab just so I don’t have to do a lot of typing. My present build script would be cut way back for a ‘secure minimal browsing’ system, but I like having a lot of tools and options available. This one takes a full hour to run, so prune out things you won’t use. Like that “btfs and xfs” file system set and maybe the torrent server…

Here’s the result of the run notes:

And that's the end of my present install build process.

real	60m2.526s
user	7m17.920s
sys	4m55.160s

There was no build target for IceApe or Chromium present in Jessie

Yeah, it took an hour to run, but not much CPU at all. It is network limited.

I have install lines for both IceApe (as it is in the Wheezy release of Debian) and Chromium (as it was in this release, but buggy, and will likely come back when fixed). Neither worked tonight; but I like IceWeasel better anyway ;-)

Here is the present status of the build script.

pi@Ra2PiM2 /home/pi $ cat BuildIt_2Nov2015 
echo " "
echo "Do the BerryBoot install: "
echo " "
echo " "
echo " "
echo "and choose the option of having disk encryption along with formatting the SD card"
echo "along with the Raspbian installation.  Then copy this script from an external SD"
echo "card or USB drive into your working directory (home directory or /media/pi/CardName"
echo " "
# In general, I'm encapsulating what all I did in these two postings as a script:
# If you didn't already change the password while running at first set up, change it
# When done, log in as 'pi' password 'raspberry'.  Change the password.
# passwd
# and respond with the new one when prompted.

echo "Also, to change the name of your machine, edit /etc/hostname and make it"
echo "what you like.  "
echo "Here, I'm going to just set mine by brute force write to the file."
echo " "
echo "echo 'Ra2PiM2' > /etc/hostname "
echo " "

echo "Ra2PiM2"> /etc/hostname 

echo " "
echo "Next, do the 'usual' update upgrade that brings you up to the present"
echo "repository status (need a network connection from here on out)"
echo " "
echo "You can either put 'sudo' in front of each of these commands, or just "
echo "'become root' which is what I usually do."
echo " "
echo "sudo bash"
echo " "
echo "then run this script with ./BuildIt (assuming you didn't change the name"
echo "and that you are 'in' the directory where it is located.)"
echo " "
echo "apt-get update"
echo "apt-get upgrade"
echo " "

apt-get update
apt-get upgrade

echo " "
echo "Start doing useful operational 'packages'. "
echo " "

# This gets the useful tools like "nslookup" for looking at Domain Names

echo " "
echo apt-get install dnsutils
echo " "

apt-get install dnsutils

echo " "
echo " VNC is a nice way to get a remote desktop.  It takes some configuring later."
echo " "

echo " " 
echo apt-get install tightvncserver
echo " "

apt-get install tightvncserver

echo " "
echo "I like wicd for an easier way to manage wireless devices and networks."
echo " "

echo " " 
echo apt-get install wicd
echo " "

apt-get install wicd

echo " "
echo "Scrot is a tool for taking screen shots by saying 'scrot' in a terminal"
echo " "

echo " " 
echo apt-get install scrot
echo " "

apt-get install scrot

# Normally I would install "build-essential" to get things like C compiler
# and some language tools, but they were already installed on the R.PiM2.

apt-get install build-essential

echo " "
echo "Some 'user land' useful things like browser options and Office / Mail tools."
echo " "
echo "Chromium is the 'chrome' browser from Google but in Linux land"
echo " "

echo " " 
echo apt-get install chromium
echo " "

apt-get install chromium

# IceApe is a "more free" version of IceWeasel that is a "more free" version of
# Firefox that is a rebranded Mozilla that is...   IceDove is the matching
# Thunderbird replacement minus the trademarks, non-free bits, etc.

echo " "
echo "Doing IceApe browser and IceDove mail reader"
echo " "

echo " " 
echo apt-get install iceape
echo apt-get install iceweasel
echo apt-get install icedove
echo " "

apt-get install iceape
apt-get install iceweasel
apt-get install icedove

echo " "
echo "GIMP is the photo editor ( 'photoshop Free'...) "
echo " "

echo " " 
echo apt-get install gimp
echo " "

apt-get install gimp

echo " "
echo "Don't forget Libreoffice - Microsoft?  We don't need no steenking MicroSoft..." 
echo " "

echo " " 
echo apt-get install libreoffice
echo " "

apt-get install libreoffice

# As I also wanted one of these to be a bittorrent server, I sometimes add
# the "transmission" bittorent code.

echo " "
echo "Adding the 'transmission' bit torrent server"
echo " "

echo " " 
echo apt-get install transmission transmission-daemon
echo " "

apt-get install transmission transmission-daemon

echo " "
echo "To get NTFS disks (like USB or an NTSB formatted SD card in adapter) to "
echo "work 'read write' instead of just 'read only', you need ntfs-3g"
echo " "

echo " " 
echo apt-get install ntfs-3g
echo " "

apt-get install ntfs-3g

# In Theory, this installed 2 VNC "viewers" so the R.Pi could use VNC to 
# get to other machines.  In practice, I found that one of them locked up
# my console when launched against my own machine as target (might be a 
# PIBKAC problem - Problem Is Between Keyboard And Chair - as the R.Pi
# isn't really expecting to drive 2 video sessions at once (the real one
# and the VNC one inside the real one...) so maybe all is fine and I just
# need to RTFM (Read The, er, "Friendly" Manual) before using software...

echo " "
echo "Some VNC Viewers for being the client instead of the server"
echo "I've not used either of these yet so have no clue about them in practice"
echo " "

echo " " 
echo apt-get install xtightvncviewer
echo apt-get install ssvnc
echo " "

apt-get install xtightvncviewer
apt-get install ssvnc

echo " "
echo "Want an NFS (Network File System) server so you can share disks with" 
echo "your internal network?  This will install the code, then you get to" 
echo "configure things like /etc/exports"
echo " "

echo " " 
echo apt-get install nfs-kernel-server
echo " "

apt-get install nfs-kernel-server

# prior to first use.  Or reboot.

# In your /etc/exports file, put something like:

# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)

# /YourFileSystem  *(rw,sync,fsid=0,no_root_squash)
# But without the # in front of YourFileSystem... and with your file system...

echo " "
echo "IF you has a partition named /media/data: "
echo "This adds it to the /etc/exports file so it is NFS mountable elsewhere"
echo " "
echo "echo '/media/data   *(rw,sync,fsid=0,no_root_squash,no_subtree_check)' >> /etc/exports"
echo " "

#echo "/media/data   *(rw,sync,fsid=0,no_root_squash,no_subtree_check)" >> /etc/exports

# Remember to do a 

echo " "
echo "Restarting the appropriate services so NFS will work"
echo " "
echo " " 
echo service rpcbind restart
echo service nfs-kernel-server restart
echo " "

service rpcbind restart
service nfs-kernel-server restart

# I did NOT make this box a static IP number.  You will need to
# make this your own server name and IP numbers, if you choose to do that.
# Here's my std /etc/network/interfaces file with leading # to make it comments.

echo " "
echo "Remember to make your /etc/network/interfaces file have a static IP#"
echo "If you are going to be using PXE boot and such"
echo " "

#auto lo
#iface lo inet loopback

#auto eth0
#allow-hotplug eth0
#iface eth0 inet static
#dns-domain chiefio.home
#dns-nameservers chose that 'add a 512 MB partition option' at build time192.168.1.1
#auto wlan0
#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
#auto wlan1
#allow-hotplug wlan1
#iface wlan1 inet manual
#wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

# Don't forget to do a
# ifdown eth0
# wait a minute for it to quiet down
# ifup eth0

# As I want this to be a DNS server, DHCP server, and PXE server (uses a 
# tftp or "Trivial File Transfer Protocol" server, all of those can come in
# one package with dnsmasq.

echo " "
echo "Installing a light weight but effective DNS, DHCP and TFTP service"
echo " "

echo " " 
echo apt-get install dnsmasq 
echo " "

apt-get install dnsmasq 

echo " "
echo "Yes, it takes configuring.  See the file at"
echo " /etc/dnsmasq.conf"
echo " "

# Then I installed the Apache web server :


echo " " 
echo "Instlling the Apache Web Servier and related stuff"
echo " "

echo " " 
echo "apt-get install apache2 apache2-utils apache2-doc"
echo " "

apt-get install apache2 apache2-utils apache2-doc

# and yes, it takes some configuring and even web page building.
# See files in places like /etc/apache2/sites-available and more.

echo " " 
echo "apt-get install libapache2-mod-php5 php5 php-pear php5-xcache"
echo " "

apt-get install libapache2-mod-php5 php5 php-pear php5-xcache

#  From here on down are things I added over time from the last script.
# they are not yet well commented here.

#  Mysql database:

echo " " 
echo "apt-get install php5-mysql"
echo " "

apt-get install php5-mysql

echo " " 
echo "apt-get install mysql-server mysql-client"
echo " "

apt-get install mysql-server mysql-client

# TOR The Onion Router, and a monitor program that I'm not using yet.

echo " " 
echo "apt-get install tor monit"
echo " "

apt-get install tor monit

# The squid caching proxy

echo " " 
echo "apt-get install squid"
echo " "

apt-get install squid

# Some sound tools

echo " " 
echo "apt-get install alsa-utils"
echo " "

apt-get install alsa-utils

echo "Use amixer cset numid=3 2 to put sound on the HDMI output"
#amixer cset numid=3 2
amixer cset numid=3 1

modprobe snd_bcm2835

# Cryptographic bits, the logical volume manager, and a forensics tool.

echo " " 
echo "apt-get install cryptsetup lvm2 dcfldd"
echo " "

apt-get install cryptsetup lvm2 dcfldd

# Now we're going to install some totally optional file system types as I like to play with file sytems:

echo " " 
echo "apt-get install btrfs-tools xfsprogs hfsutils gparted"
echo " "

apt-get install btrfs-tools xfsprogs hfsutils gparted

echo " "
echo "apt-get install squashfs-tools unionfs-fuse "
echo " "

apt-get install squashfs-tools unionfs-fuse

echo " "
echo "The f2fs file systems didn't build last time.  How about this time?"
echo " "

#echo apt-get install ft2f

echo " "
echo "And that's the end of my present install build process."
echo " "
# There are several files to edit and configure.  Eventually I'll add a 
# "here script" to dump them from this script to where they belong, or 
# I'll just save a copy and have a 'save / restore' copy process.
# Once I get everything configured ;-)
pi@Ra2PiM2 /home/pi $ 

At the end of this script, reboot. That lets the various delayed install triggers do their thing. Then reboot again.

On this second reboot, choose the ‘edit’ option of Berry Boot and save a ‘backup’ copy of this finished system off to an external USB device. That’s the second button that saves it all with changes. Now you can install it as desired without going through all those steps. (Hold down the ‘add OS’ button and it gives you a choice of ‘from external media’).

Also, you can ‘clone’ it in place. If you have the space on your card, do that. If not, repeat the Berryboot install but this time suck in the saved copy as your ‘base’ state. Now when you click ‘restore’ button up there next to backup, it will reset to this fully installed state and not to the raw unconfigured Debian.

To configure your browser to use TOR, click on the horizontal lines icon at the far right of IceWeaswel and pick “preferences”. In the network tab, click ‘settings’. Click the ‘manual proxy’ radio button. Then put in the “SOCKS host” box and put 9050 in port number. Do not put any entries in the other proxy lines (HTTP, SSL, FTP). Do click the SOCKS v5 radio button.

That ought to do it. Test that you are getting to the TOR router here:

In Conclusion

I know I glossed over the Berryboot options some, but they explain them pretty well. The basic notion is just to make a base system configured the way you like it, then save that off and make a clone of it that you use. When done with a session, reset to this base state with the restore button / feature in Berryboot.

Using TOR gives some degree of anonymity, and using a generic box adds more. Make it a portable pi via add on screen and / or in the Dongle Pi mode and you can use it with WiFi at a variety of hot spots to further disconnect folks from your identity (i.e. IP is not yours).

While this isn’t a full on TAILS, and while I still need to find the TOR Browser source to try a build of it, this does go a long ways toward both privacy and anonymity. It will also be more resilient to attack as it gets reset to the “base state” after any given session. (As long as you choose to do that… with the ‘restore’ button)

It is relatively secure even if the chip is captured, as it is encrypted. The micro-SD card is also small enough to easily hide just about anywhere. A ‘dd’ image of the card is also full of encrypted blocks, so can be put ‘in the cloud’ with some security. Though note that the Berryboot ‘backup’ button image is not encrypted so if you have sensitive stuff on it, encrypt it separately before cloud storage. The way I will use it has just a basic install with ‘my data’ on a removable USB device that will be encrypted in a different manner. You have choices here.

In short, it is pretty good anonymity, pretty good security, and fairly good at being amnesiac when you ask it to do so. Yet flexible enough to let you chose your levels of those things and / or save things off on USB sticks and drives.

Subscribe to feed

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits and tagged , , , , . Bookmark the permalink.

8 Responses to Building A Nearly Tails Raspbian Pi

  1. E.M.Smith says:

    I decided to do some tests to see where there were weaknesses. While this first testing site has some things flagged, only one really bothers me.


    Your IP (Tor)
    Your location
    Czech Republic Zlinsky kraj, Zlin
    Your net provider

    WARNING: Your browser sends data that may allow web sites to track your computer easily!

    Attribute Value Rating
    Cookies Third party sites get your cookies and may track you bad
    Authentication Your unique ID is: 532173604 bad
    HTTP session 10 minutes (until your Tor identity is changed) medium
    Referer Original: Websites may see from which other website you come from! medium
    Signature 8ab3a24c55ad99f4e3a6e5c03cad9446 (Firefox) medium
    User-Agent Mozilla Linux ARMv7 Firefox IceWeasel […] bad
    SSL_session_id [left out as it’s just a long jumble] neutral
    Language en-US,en;q=0.5 good
    Content types text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 good
    Encoding gzip, deflate good
    Do-Not-Track protected medium

    My Evaluation:

    That “Authentication” unique ID is a bit of a worry. I’ll need to do some research on that one.

    Cookies I don’t care about as the ‘reset’ or ‘recover’ resets all of them
    I’m fine with an HTTP session of 10 minutes
    I’m OK with a referrer getting credit as I’m tending to boot and then do just a few things and exit
    I don’t mind that the browser is tagged as Firefox and that the User-Agent further fingers me as, basically, one of the millions of ARMv7 boards, tablets, et. al. in the world.

    While it would be nice to be able to reset the User-Agent and Unique ID, I don’t see those as too horrid for a ‘first cut’ of a reset the chip system. I’ll need to find out if the Unique ID is really unique to my browser, and if it changes with a ‘reinstall’ or not.

    I’d really like to find the source of the TOR Browser and just see if it compiles, or if not, compare it to IceWeasel on Raspbian and make the port…

    Well, back after another test.

  2. E.M.Smith says:

    Ah, this site has some clue about how to change the FFox settings (and Ice* ) and also a more generic (not about:config but a config defaults file) method:

        Hi DasFox,
        The difference between, e.g. TAILS (which uses Tor in the Firefox Debian derivative named IceWeasel and Firefox) is in the prefs.js file which exists in the Firefox profile directory. For Linux, the profile directory is in /home//.mozilla in the subdirectory:
        For Windows or Mac OS X, you will have to consult the Firefox Knowledge database for information at: to find its location.
        -- Tom

    So looks like “play with the default settings file” is the next step.

  3. E.M.Smith says:

    Hmmm…. These folks score some of the above as ‘green’… which is OK with me as I’m OK with some of them too… but has other things it didn’t like:

    They present the results as a .png image, so while I’ve saved it, I can’t just paste it in here. Essentially they rate as ‘green’ all the above items including referrer and cookies claiming my browser does not store cookies… Both tests were done in a “private” window, so maybe this one didn’t just ask the browser but asked the window? Who knows…

    It does complain about some Javascript things (normally I’d shut off Javascript for anything private). In particular:

    Medium: Javascript is active
    Medium: There are two pages in my ‘tab’ history
    Medium: It can see my screen size as 1440 x 900 pixels 24 bit color
    Bad: It can see my browser window is 1440 x 879 pixels, or 1440 x 767 (inner size)
    Medium: System: Wed Feb 16 2011 14:41:18 GMT+0100 (CET)
    Bad: Fonts – 49 installed fonts have been found

    Things like window name, browser bars, local storage, browser type and browser history all scorred good.

    As the fonts installed are the standard one on all Raspbians, that would rapidly not be worth much if people started using it. The System date / time is a strange one. I don’t know if that is what they think the clock says (if so, it is wrong) or some date stamp inside the OS or when the Chip was fabbed or what… Frankly, it looks like a loony value to me… It’s also very unclear to me how my Browser Window size can leak much info. The claim is that the constellation of settings can be a kind of fingerprint. I suspect it isn’t all that useful…

    These folks also claim to have a clean browser, source available, so I may give it a try…

  4. Pingback: Happy Guy Faweks Day | Musings from the Chiefio

  5. Pingback: A Very Strange Thing – Yahoo Sometimes Blocks Tallbloke Links | Musings from the Chiefio

  6. BobN says:

    Below is a link about a company doing specialized Pi development.

    @E.M.Smith – You should bundle some of your software and sell through these guys.

    [Reply: Note that I trimmed some tracking junk out of the link so it is just the URL to the page. It looks like they are doing HW customizing. Not sure they are interested in SW only. Worth a look though. -E.M.Smith ]

  7. E.M.Smith says:


    Looks like it… but when I click on the ‘clone’ link nothing happens… I think I need to try a different box / browser / settings. I may have too tight a security set on this one… (not allowing cookies, for example. And it identifies as an ARM chipset and TOR is not ARM friendly so that might be related…)

    Good digging! I’ll boot the WinTel box later and see what it does.

Comments are closed.