My Raspberry Pi is set up as a PHP MySQL (Percona) server and I think that I have managed to make it quite resilient against online attacks but it is still very vulnerable against someone just taking out the SD card and reading all my data. I guess I could encrypt the important stuff in MySql but the encryption keys would still be in plain text PHP files and I guess that I could encrypt the PHP and/or MySQL folders but that would all just get complex and there would still be cache and logs etc. to worry about. Someone could probably also see the hashed password and use a rainbow table to crack them. Correct me if I am wrong but as I see it the simplest to manage and most secure solution would be to just encrypt the entire drive (excluding boot and kernel obviously).
Now the only problem is that I cannot really figure out how to do that. The best link I could find was this one https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_Entire_System but as far as I can determine this only explains what you should do for a fresh installation but unfortunately I have already installed a lot of packages and have made a lot of configurations which I would like to keep.
Could someone please explain to me (or provide a link I guess) in simple terms what exactly I should do to fully encrypt my existing Arch Linux installation.
PS. I can understand that for full encryption a key needs to be entered at boot but I could not determine if that requires a physical terminal (screen + keyboard) on the device (which I don't really have but I can get if needed) or if I will be able to do it over the network?
EDIT:
I have found a sort of tutorial for setting up this on Arch here https://gist.github.com/pezz/5310082. My only problem is that I cannot get the remote unlock to work. I have tried copying my public key into /etc/dropbear/root_key but when I try to ssh in with my private key I am still asked for the password of root and neither the actual password of root nor the password used to unlock the drive gets accepted. As mentioned by the tutorials for Debian in one of the answers here I tried copying the private key generated by Dropbear which in my case I think is /etc/dropbear/dropbear_rsa_host_key to my client but then when I try to ssh in with this key I am asked for a pass phrase for the key, any idea?
Best Answer
There are three separate issues involved in what you are trying to accomplish.
Encrypting an existing system. The correct way to do this would be to back up your exisiting install to another drive and start with a fresh install and
rsyncyour relevant system files across once you have set up your encrypted Pi. This way you would be sure that you would not lose any data and would have a genuinely encrypted Pi (using the method described on the Arch Wiki LUKS page).The problem with this approach is that the Archlinux ARM images are distributed as
.imgfiles and are intended to bedd'ed onto an SD Card, so—using the standard installation method—there is no opportunity to implement a more complex install, such as LUKS or LVM. One of the Archlinux ARM developers addressed this in a forum post and recommended using this script. This blog post has some specifics.The third issue you will face is unlocking the encrypted device remotely. The standard method for doing this is using busybox and dropbear, as described in this U&L answer. This blog post has the details for a Debian Pi, but it should work for the Arch version.