Open terra-yuri opened 6 days ago
In order to decrypt in an RMA-style situation, you must record the device private key - and this can only be done as part of initial provisioning.
Automating this is on my roadmap. If you cannot wait for that release, add an additional fastboot command before setting the LED status: https://github.com/raspberrypi/rpi-sb-provisioner/blob/b8dfe1550e06f85aabddfb3ed59c4a81cd0e3ef2/service/rpi-sb-provisioner.sh#L872
Add something like:
```sh
# fastboot prints getvar results on stderr, so redirect stderr into the capture
fastboot getvar private-key > "${your_secure_key_material_storage}" 2>&1
```
Then, use that key as the LUKS passphrase when you mount the storage on a host. In practice, depending on the sort of failure involved, this may require you to dismount the eMMC and re-mount it on media accessible by another machine.
As ever - this would have you capture sensitive key material - you must take precautions to prevent unauthorised and unnecessary accesses.
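An added example, not part of the original thread or of the rpi-sb-provisioner code: one way to store the captured key with restrictive permissions and without overwriting an earlier record. It assumes fastboot reports the value as a `private-key: <value>` line; `extract_getvar`, `escrow_key` and the `<serial>.key` file layout are hypothetical names.

```shell
#!/bin/sh
# Added example, not rpi-sb-provisioner code.
# Assumption: the captured fastboot output contains "private-key: <value>".

# extract_getvar NAME: read fastboot output on stdin, print NAME's value.
extract_getvar() {
    sed -n "s/^$1: //p" | head -n 1
}

# escrow_key SERIAL DIR: read fastboot output on stdin and store the key in
# DIR/SERIAL.key (hypothetical layout), readable by the owner only.
escrow_key() {
    serial=$1 dir=$2
    # Reject empty serials and anything that could escape DIR.
    case $serial in
        ''|*[!A-Za-z0-9_-]*) echo "bad serial" >&2; return 1 ;;
    esac
    key=$(extract_getvar private-key)
    # An empty value means the capture failed; do not write an empty record.
    [ -n "$key" ] || { echo "no private-key in fastboot output" >&2; return 1; }
    (
        umask 077                  # directory 0700, key file 0600
        mkdir -p "$dir" || exit 1
        set -C                     # noclobber: never replace an existing record
        printf '%s\n' "$key" > "$dir/$serial.key"
    )
}

# Usage during provisioning (needs an attached device, so left as a comment):
#   fastboot getvar private-key 2>&1 | escrow_key "$serial" "$key_dir"
```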
Thank you @tdewey-rpi - that's very helpful.
Is there any way to support such development to help accelerate delivery of such functionality?
> Thank you @tdewey-rpi - that's very helpful.
> Is there any way to support such development to help accelerate delivery of such functionality?
Not directly, I'm afraid - but given your response I'm going to classify this issue as high priority, and apportion time accordingly.
If there's GitHub Sponsors / Open Collective / etc. set up for this project I'd be happy to sponsor some further development.
Either way, thank you for the information and all the work in creating this!
> If there's GitHub Sponsors / Open Collective / etc. set up for this project I'd be happy to sponsor some further development.
> Either way, thank you for the information and all the work in creating this!
While I appreciate the thanks, I must point out that I'm a full-time employee of Raspberry Pi, and as such the knowledge that this will help our products better meet your needs is enough.
Hi,
If I use this to provision a device, and then the device malfunctions and I want to investigate it by decrypting the data - what's the process to decrypt it?
Thank you!