Decryption of provisioned device #79

Closed
terra-yuri opened this issue Nov 13, 2024 · 6 comments · Fixed by #80
Comments

@terra-yuri

Hi,

If I use this to provision a device, and then the device malfunctions and I want to investigate it by decrypting the data - what's the process to decrypt it?

Thank you!

@tdewey-rpi
Collaborator

In order to decrypt in a RMA-style situation, you must record the device private key - and this can only be done as part of initial provisioning.

Automating this is on my roadmap. If you cannot wait for that release, add an additional fastboot command before setting the LED status:

announce_start "Set LED status"

Add something like:

fastboot getvar private-key > ${your_secure_key_material_storage}

Then, use that key as the LUKS passphrase when you mount the storage on a host. In practice, depending on the sort of failure involved, this may require you to dismount the eMMC and re-mount it on a medium accessible by another machine.

As ever - this would have you capture sensitive key material - you must take precautions to prevent unauthorised and unnecessary accesses.
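
An added example, not part of the thread and not the project's own code: one way to do the capture step above so that the key lands in an owner-only, per-device file that is never overwritten. It assumes the stock fastboot client prints getvar results as `private-key: <value>` on stderr; the function names, the per-serial file layout and the key directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from rpi-sb-provisioner). Function names and the
# per-serial key file layout are hypothetical.

# Read fastboot getvar output on stdin and print only the key value.
# Assumption: the client prints "private-key: <value>" plus a status line.
parse_private_key() {
    key=$(sed -n 's/^private-key: *//p' | head -n 1 | tr -d '\r')
    [ -n "$key" ] || return 1      # no key line: fail rather than store junk
    printf '%s\n' "$key"
}

# Store one device's key as <dir>/<serial>.key, readable by the owner only.
# The key is passed to shell builtins only, so it never appears in `ps`.
store_device_key() {
    serial=$1 key=$2 dir=$3
    case $serial in
        ''|*[!A-Za-z0-9]*) echo "invalid serial" >&2; return 2 ;;
    esac
    [ -n "$key" ] || { echo "empty key" >&2; return 2; }
    (
        umask 077                  # directory 0700, file 0600
        mkdir -p "$dir" || exit 1
        set -C                     # noclobber: never replace a recorded key
        printf '%s\n' "$key" > "$dir/$serial.key"
    ) 2>/dev/null || {
        echo "key for $serial not written (already recorded?)" >&2
        return 1
    }
}

# Provisioning-time wrapper: query the device and record its key.
# 2>&1 is needed because the fastboot client reports getvar on stderr.
capture_device_key() {
    serial=$1 dir=$2
    key=$(fastboot getvar private-key 2>&1 | parse_private_key) || return 1
    store_device_key "$serial" "$key" "$dir"
}
```

The key directory should sit on storage that is itself encrypted and access-controlled, since each file in it unlocks one device's LUKS volume.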

@terra-yuri
Author

Thank you @tdewey-rpi - that's very helpful.

Is there any way to support such development to help accelerate delivery of such functionality?

@tdewey-rpi
Collaborator

> Thank you @tdewey-rpi - that's very helpful.
>
> Is there any way to support such development to help accelerate delivery of such functionality?

Not directly, I'm afraid - but given your response I'm going to classify this issue as high priority, and apportion time accordingly.

@terra-yuri
Author

If there's GitHub Sponsors / Open Collective / etc. set up for this project I'd be happy to sponsor some further development.

Either way, thank you for the information and all the work in creating this!

@tdewey-rpi
Collaborator

> If there's GitHub Sponsors / Open Collective / etc. set up for this project I'd be happy to sponsor some further development.
>
> Either way, thank you for the information and all the work in creating this!

While I appreciate the thanks, I must point out that I'm a full-time employee of Raspberry Pi, and as such the knowledge that this will help our products better meet your needs is enough.

@terra-yuri
Author

Thank you, will give it a try!
