
I have a Raspberry Pi 4 (4GB) running Nextcloud on it. Because all my data and backups are saved on external USB drives I will encrypt them with a VeraCrypt container. Mounting and dismounting the container with VeraCrypt is working fine.

I would like to mount my VeraCrypt container after booting. In my opinion there are two ways to do that:

  • Manually mount the container after every boot via the command line and manually enter the container password, PIM, etc.
  • Automatically mount the container via script

I would prefer the second solution but then I have to provide the password somehow. I could run the command

veracrypt /media/backup/test.hc /media/backup/test/ --password=test --pim=20 -k "" --protect-hidden=no

at startup, but the password would be visible in the autostart file... (you could remove the SD card from the Raspberry Pi and just read out the password from the command above)

So my question is: Is there a reasonably safe way to automount my VeraCrypt container without making the decryption password visible and without manually typing the password?

Florian
  • There is not. You could only store the password securely by encrypting it, which leads to the original problem again: having to enter a passphrase to decrypt. – Panki Oct 28 '19 at 13:18
  • What if I use the unique ID of my Raspberry Pi to decrypt via VeraCrypt? – Florian Nov 02 '19 at 20:06
  • This is a chicken and egg problem. What 'unique id' do you mean? How do you protect your Pi, so no one can access your 'unique id'? – Panki Nov 04 '19 at 08:12
  • The ID is the CPU ID which is set in /sys/block/mmcblk0/device/cid. But that was not safe enough, because everyone can read out that string or a hardcoded password from the executable file. I decided to manually decrypt my drives on bootup by simply typing in the password. – Florian Nov 05 '19 at 12:14
  • Don't tie decryption to a hardware identity unless you can guarantee to be able to replace that hardware identity exactly, like for like, if (when) your original system dies or is otherwise unavailable to you – roaima Feb 16 '21 at 13:57
  • Possibly crypttab would help: https://delightlylinux.wordpress.com/2021/05/20/automount-veracrypt-with-crypttab/ – Ray Woodcock Nov 21 '21 at 02:19

1 Answer


I had a remotely similar problem: I put a server in the garage so that external backups are stored in a location remote from the house. (Should the house burn down, a backup would be in the remote garage.) The volumes on the backup server were encrypted with VeraCrypt. The password was stored on the main server in the house. When the backup server booted, it connected to the main server, fetched the password (into RAM) and unlocked the VeraCrypt volumes with that. If the server from the garage was stolen and booted, the password (on the main server) would not be available and the VeraCrypt volumes remained locked. So a thief could only access the data when fiddling with the backup server while it was still connected to the LAN - an unlikely thing in my case.

So - if you store the password elsewhere on your LAN and outside of the Pi, you should be ok when a thief steals the Pi, the boot-SD or the attached drives.

Thomas
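The arrangement Thomas describes, with the passphrase living on a host in the house, fetched into RAM at boot and never stored on the Pi, as an added shell example that is not part of the thread. The hostname, the secret path, the ssh fetch command and the mount paths are assumptions for illustration; `--stdin`, `--text` and `--non-interactive` are real VeraCrypt CLI options, and feeding the passphrase over stdin also keeps it out of `/proc/<pid>/cmdline`, where a `--password=` argument is readable by every local user. If the house server is unreachable the script fails closed and the container stays locked.

```shell
#!/bin/sh
# Added example (not from the original thread). Unlocks a VeraCrypt container at
# boot with a passphrase fetched from another host on the LAN, held only in a
# shell variable and fed to veracrypt over stdin (--stdin). Nothing secret lands
# on the SD card, and the command line carries no password. Hostnames, paths and
# the fetch command are assumptions for illustration.

CONTAINER="${CONTAINER:-/media/backup/test.hc}"
MOUNTPOINT="${MOUNTPOINT:-/media/backup/test}"
PIM="${PIM:-20}"
VERACRYPT="${VERACRYPT:-veracrypt}"
# Assumed secret source: key-based SSH to the house server, which prints the
# passphrase. Strict host-key checking means a rogue box answering as
# mainserver.lan cannot substitute a passphrase or quietly log the request.
FETCH_CMD="${FETCH_CMD:-ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5 backup@mainserver.lan cat /srv/secrets/backup.pass}"

# Run FETCH_CMD and print the passphrase; fail closed (non-zero, nothing printed)
# when the server is unreachable or returns nothing, which is exactly the
# situation once the Pi has been carried off the LAN.
fetch_passphrase() {
    pass=$(sh -c "$FETCH_CMD" 2>/dev/null) || return 1
    [ -n "$pass" ] || return 1
    printf '%s' "$pass"
}

# Already mounted? (/proc/mounts is space-separated: device mountpoint fstype ...)
is_mounted() {
    grep -qs " $MOUNTPOINT " /proc/mounts
}

# Pipe the passphrase to veracrypt. -k "" and --protect-hidden=no, as in the
# question, stop veracrypt from prompting; --non-interactive turns any other
# prompt into a hard error instead of a hang during boot.
mount_container() {
    is_mounted && return 0
    printf '%s\n' "$1" | "$VERACRYPT" --text --non-interactive --stdin \
        --pim="$PIM" --keyfiles="" --protect-hidden=no \
        "$CONTAINER" "$MOUNTPOINT"
}

# Fetch, mount, then drop the passphrase from the environment. Returns 0 on a
# successful (or already present) mount, non-zero otherwise.
unlock_at_boot() {
    if ! pass=$(fetch_passphrase); then
        echo "passphrase source unavailable, leaving $CONTAINER locked" >&2
        return 1
    fi
    if mount_container "$pass"; then rc=0; else rc=$?; fi
    unset pass
    return "$rc"
}

# Run only when executed as a script (e.g. from a systemd unit), so the
# functions can also be sourced.
case "${0##*/}" in
    veracrypt-automount*) unlock_at_boot ;;
esac
```

Save it as `veracrypt-automount.sh` and start it from a systemd unit with `Wants=network-online.target` and `After=network-online.target`, so the fetch runs once the LAN is up. The SSH private key on the SD card travels with a stolen Pi, so on the house server restrict that key in `authorized_keys` with `from="<your LAN range>",command="cat /srv/secrets/backup.pass",no-pty,no-port-forwarding`; together with the server not being reachable from outside, that is what makes the stolen Pi, SD card and drives worthless, as the answer describes.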