On 24.10.2016 09:53, Petrusko wrote:
Any suggestions and master's thoughts are welcome :)
:-)
Yes, why not use a full disk encryption? You could encrypt the root partition. I know, it's harder to do this on a running system and Raspbian doesn't offer you encryption within setup. The best thing would be an ssh shell on initrd to start the system.
Why not also encrypt the swap partition, if there is one? Raspbian uses a swapfile afaik.
http://resources.infosecinstitute.com/luks-swap-root-boot-partitions/
The passphrase to use the encrypted partitions is stored in RAM. If some of the contents of the RAM are kept in the swapfile, you could easily read this. It should be better to encrypt the swap file, too. Swapfile's previous contents remain transparent over reboots. But anyway, the swapfile in Raspbian is located in /var.
https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#Using_a_swap_f...
You shouldn't encrypt the boot partition unless you know what you are doing. Having a backup of your partitions LUKS headers is important. If a LUKS key slot or the header itself becomes damaged and you don't have a good copy to restore to the encrypted partition, the partition becomes unusable. You can use a key file to automatically decrypt e.g. /home on boot. Store the key files on encrypted partitions.
The performance of the SD card could be very slow:
https://raspberrypi.stackexchange.com/questions/42100/performance-with-an-en...
Regards,