I need to store sensitive data on Raspberry so that software running on Raspberry can use it, but nobody else cannot. I can set hard password, disable tty's and so on, but it's easy to remove SD card and examine in on a PC.

我需要在Raspberry上存储敏感数据，以便在Raspberry上运行的软件可以使用它，但没有其他人不能。我可以设置硬密码，禁用tty等，但是很容易删除SD卡并在PC上查看。

My first try is eCryptFS. It seems to be good, but there is a problem. How do I store passphrase and use it to mount encrypted fs? eCryptFS can read passphrase from file or take it as mount argument. Obviously, I cannot use file as it's stored insecurely. Also I can write a program which will feed a hard-coded (and obfuscated) passphrase to mount.ecryptfs either as cli parameter or from stdin. But in this case it's also possible to run this program and see whole command line with passphrase in a process list.

我的第一次尝试是eCryptFS。这似乎很好，但有一个问题。如何存储密码并使用它来挂载加密的fs？ eCryptFS可以从文件中读取密码或将其作为mount参数。显然，我不能使用文件，因为它存储不安全。此外，我可以编写一个程序，它将硬编码（和混淆）密码短语作为cli参数或stdin从mount.ecryptfs提供。但在这种情况下，也可以运行此程序，并在进程列表中查看带有密码的整个命令行。

Now I'm considering hard-coding my passphrase in ecryptfs itself (or even read it from protected eeprom) so it will work only on my device. Or I can use another encryption systems, but all of them have to take a key form somewhere. So the only way do do this as I see is eeprom or hard-coding.

现在我正在考虑在ecryptfs中对我的密码进行硬编码（甚至从受保护的eeprom中读取它），这样它才能在我的设备上运行。或者我可以使用其他加密系统，但所有加密系统都必须在某个地方采用密钥形式。因此，我所看到的唯一方法就是eeprom或硬编码。

Are there better ways to store sensitive data securely on Raspberry's SD card?

有没有更好的方法将敏感数据安全地存储在Raspberry的SD卡上？

2 个解决方案

~# cat /proc/cpuinfo 
[...]
Hardware    : BCM2709
Revision    : a01041
Serial      : 00000000407xxxxx

~# ID=$(cat /proc/cpuinfo | grep ^Serial | cut -d":" -f2)
~# echo $ID
00000000407xxxxx

#1

~# cat /proc/cpuinfo 
[...]
Hardware    : BCM2709
Revision    : a01041
Serial      : 00000000407xxxxx

~# ID=$(cat /proc/cpuinfo | grep ^Serial | cut -d":" -f2)
~# echo $ID
00000000407xxxxx

#2