Make a killswitch for your Raspberry Pi
Keep your data safe with a handy ‘nuke’ password to erase your home folder in case of emergency.
If you’re worried about the somewhat Orwellian notion of a forced disclosure of passwords, this coding project posits a rather radical solution to the dilemma: create a second password for your user account, which, instead of logging you in, will nuke your home folder using special tools.
As extreme as this sounds, it’s surprisingly simple to set up. A couple of disclaimers: make sure to back up your personal data to a safe place before going ahead with this project. Also bear in mind that it’s not an infallible method, as anyone with physical access to your machine may seize it before you have a chance to flip this killswitch.
CREATE YOUR NEW USER ACCOUNT
Although you most likely will already have a user account on the Pi, create a new one for this project by opening Terminal on your Pi or connecting via SSH and running the command sudo adduser name Add your new user as an Administrator with: sudo adduser name sudo Substitute “name” with your chosen username.
CREATE YOUR NUKE SCRIPT
You should stay logged into the ‘Pi’ user for now and run the following command: sudo nano /etc/security/ security.sh In the new window, paste the following: #!/bin/bash read password # If the username and password match...
if [ “$ PAM_ USER” = “name” ] && [ “$password” = “nukepassword” ] then #Begin Nuke Process echo “Nuke is starting.” #Securely erase the home folder srm -rvvv /home/name/ echo “Home folder has been erased.”
#Overwrite the /home folder with random data #sfill /home echo “Home folder has been overwritten” #Clean RAM memory #smem echo “RAM is clean” echo “User data has been nuked.” fi exit 0
MODIFY THE SCRIPT
In Line 5, substitute ‘name’ and ‘nukepassword’ for the username of
your new account and the desired nuke password. Make sure this is different to your current one. Change ‘srm -rvvv /home/name/’ to the path of your real home folder.
RUN NUKE SCRIPT ON LOGIN
Make your nuke script executable with the command: sudo chmod a+x security.sh Next, run... sudo nano /etc/pam.d/commonauth …to open the Pluggable Authentication Modules (PAM). Find the line starting ‘auth [success=1…’ and change this to ‘auth [success=2…’.
Immediately below this line, paste the following: auth optional pam_ exec.so expose_ authtok log=/tmp/pam.log /etc/ security/security. sh
INSTALL SECURE DELETE TOOLS
Run the command… sudo apt-get install securedelete
…to install the tools necessary to erase your home folder securely.
Substitute ‘name’ with your chosen username.
MIGRATE YOUR DATA (OPTIONAL)
If you previously had personal data in another user account, you should take this chance to move data across from that account to another from your backup drive. If you wish to delete the originals, do so using the new secure-delete tools, for instance: ’srm -r /home/bob/ Pictures’
TEST YOUR NEW ACCOUNT
Reboot your Pi and log into your new user account using the normal login password. Check that your files are where you need them.
TEST YOUR NUKE SWITCH
If your data is backed up, there’s no harm checking your nuke password works. Reboot the Pi once again. Select your new username and enter the nuke password. The system will hang while it removes your files.
CHECK NUKE LOGS
You can still connect to the Pi via SSH while the nuke script is running. Use the command… cat /tmp/pam.log
…to check the progress of the nuke. Any further attempts to log in will just take the user back to the login screen.
Type ‘man srm’ for more information on how securely your data is erased.
Use the log file detailed in the next step to track the progress of erasing filesyour data is erased.
Press Ctrl + X, then Y, then return to save and exit.
Secure-delete includes the tools to overwrite deleted data (sfill) and wipe your RAM (smem)
Use the ‘ls’ command inside the home folder to verify the home folder has been overwritten.
On login, use ‘sudo userdel’ to remove your former username, for example ‘sudo userdel bob’