Make a killswitch for your Raspberry Pi

Keep your data safe with a handy ‘nuke’ password to erase your home folder in case of emergency.

APC Australia

If you’re worried about the somewhat Orwellian notion of a forced disclosure of passwords, this coding project posits a rather radical solution to the dilemma: create a second password for your user account, which, instead of logging you in, will nuke your home folder using special tools.

As extreme as this sounds, it’s surprisingly simple to set up. A couple of disclaimers: make sure to back up your personal data to a safe place before going ahead with this project. Also bear in mind that it’s not an infallible method, as anyone with physical access to your machine may seize it before you have a chance to flip this killswitch.

CREATE YOUR NEW USER ACCOUNT

Although you most likely will already have a user account on the Pi, create a new one for this project by opening Terminal on your Pi or connecting via SSH and running the command:

    sudo adduser name

Add your new user as an Administrator with:

    sudo adduser name sudo

Substitute “name” with your chosen username.

CREATE YOUR NUKE SCRIPT

You should stay logged into the ‘Pi’ user for now and run the following command:

    sudo nano /etc/security/security.sh

In the new window, paste the following:

    #!/bin/bash
    # pam_exec (expose_authtok) passes the typed password on stdin
    read -r password
    # If the username and password match...
    if [ "$PAM_USER" = "name" ] && [ "$password" = "nukepassword" ]
    then
        #Begin Nuke Process
        echo "Nuke is starting."
        #Securely erase the home folder
        srm -rvvv /home/name/
        echo "Home folder has been erased."
        #Overwrite the /home folder with random data
        #sfill /home
        echo "Home folder has been overwritten"
        #Clean RAM memory
        #smem
        echo "RAM is clean"
        echo "User data has been nuked."
    fi
    exit 0

MODIFY THE SCRIPT

In Line 5, replace ‘name’ and ‘nukepassword’ with the username of your new account and the desired nuke password. Make sure this is different to your current one. Change ‘srm -rvvv /home/name/’ to the path of your real home folder.

RUN NUKE SCRIPT ON LOGIN

Make your nuke script executable with the command:

    sudo chmod a+x /etc/security/security.sh

Next, run...

    sudo nano /etc/pam.d/common-auth

…to open the Pluggable Authentication Modules (PAM) configuration. Find the line starting ‘auth [success=1…’ and change this to ‘auth [success=2…’.

Immediately below this line, paste the following:

    auth optional pam_exec.so expose_authtok log=/tmp/pam.log /etc/security/security.sh
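The skip count matters because success=N makes PAM jump over the next N rules once the normal password is accepted, so with the pam_exec.so line inserted a value of 1 would land a correct login on the deny rule. The check below is an added example, not part of the original article: it reports which module a successful login lands on. The sample stack is constructed and assumes a Debian-style common-auth in which pam_deny.so and pam_permit.so follow pam_unix.so; the function names pam_jump_target and sample_stack are made up for this example.

```bash
#!/bin/bash
# Added example (not from the article): report which module a successful
# password check jumps to in a PAM auth stack read from stdin.
pam_jump_target() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # ignore comments and blank lines
        $1 != "auth"   { next }            # only auth rules are counted
        { n++; rule[n] = $0 }
        !src && match($0, /success=[0-9]+/) {
            src  = n                       # first rule carrying a success=N jump
            skip = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            if (!src)    { print "no-success-jump"; exit 2 }
            tgt = src + skip + 1           # N rules are skipped, the next one runs
            if (tgt > n) { print "past-end"; exit 2 }
            if (match(rule[tgt], /pam_[a-z0-9_]+\.so/))
                print substr(rule[tgt], RSTART, RLENGTH)
            else { print "unknown"; exit 2 }
        }
    '
}

# Constructed sample stack (assumed Debian-style layout); $1 is the skip count.
sample_stack() {
    printf '%s\n' \
        "# constructed sample, not a real system file" \
        "auth [success=$1 default=ignore] pam_unix.so nullok" \
        "auth optional pam_exec.so expose_authtok log=/tmp/pam.log /etc/security/security.sh" \
        "auth requisite pam_deny.so" \
        "auth required pam_permit.so"
}

# success=1 (left unedited) lands on pam_deny.so; success=2 lands on pam_permit.so
for count in 1 2; do
    echo "success=$count -> $(sample_stack "$count" | pam_jump_target)"
done
```

To check the edited file itself before rebooting, run ‘pam_jump_target < /etc/pam.d/common-auth’; on the layout assumed here the answer should be pam_permit.so.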

INSTALL SECURE DELETE TOOLS

Run the command…

    sudo apt-get install secure-delete

…to install the tools necessary to erase your home folder securely.


MIGRATE YOUR DATA (OPTIONAL)

If you previously had personal data in another user account, you should take this chance to move it across to the new account, from that account or from your backup drive. If you wish to delete the originals, do so using the new secure-delete tools, for instance: ‘srm -r /home/bob/Pictures’

TEST YOUR NEW ACCOUNT

Reboot your Pi and log into your new user account using the normal login password. Check that your files are where you need them.

TEST YOUR NUKE SWITCH

If your data is backed up, there’s no harm checking your nuke password works. Reboot the Pi once again. Select your new username and enter the nuke password. The system will hang while it removes your files.

CHECK NUKE LOGS

You can still connect to the Pi via SSH while the nuke script is running. Use the command…

    cat /tmp/pam.log

…to check the progress of the nuke. Any further attempts to log in will just take the user back to the login screen.

Type ‘man srm’ for more information on how securely your data is erased.

Use the log file detailed in the next step to track the progress of erasing files.

Press Ctrl + X, then Y, then Return to save and exit.

Secure-delete includes the tools to overwrite deleted data (sfill) and wipe your RAM (smem).

Use the ‘ls’ command inside the home folder to verify the home folder has been overwritten.

On login, use ‘sudo userdel’ to remove your former username, for example ‘sudo userdel bob’.
