I've written a how-to guide for physical isolation of networking and workspace, using two Raspberry Pi 2 Model B v1.1 ARM-based microcomputers, running Raspbian wheezy. I would very much appreciate review, comments, criticisms, and so on. It's at http://lwcl5doqq2uzjmom.onion/Raspian-wheezy-VPN-Tor-Gateway-Workspace-r0.html (or at http://lwcl5doqq2uzjmom.onion.city/Raspian-wheezy-VPN-Tor-Gateway-Workspace-r0.html if you don't want to bother using Tor). Next steps will include adding apps to the workspace, and hardening. I'm looking at shielding both networking Pi and workspace Pi (perhaps in aluminum, or maybe monel) and embedding the boards in something like http://www.amazon.com/Arctic-Alumin.../B0009IQ1BU/ref=sr_1_1?ie=UTF8&qid=1426546059 . And of course testing for leaks, both networking and as discussed in https://www.wilderssecurity.com/thr...re-not-safe-from-side-channel-attacks.374227/
Extremely tasty, will look forward to salivating over the setup. I've long enjoyed the Pi, and baulked at the Whonix/hardening part. Does the 4 core make this more usable for general purpose computing? Are you using (and is it supplied on Rpi2), the hardware RNG?
I did attempt https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation/8 but required packages seem to be missing in Raspbian wheezy. So I'm just locking down iptables. Plus the hardware isolation. And building the browser package for Tor Browser. I need to explore what else is possible in Raspbian wheezy. I find Pi 2 comparable to a VM on a decent multicore host with SSD. Performance with class 4 SDHC is noticeably worse than with class 10 SDHC. The best measure so far is that building the browser package for Tor Browser took 6-7 hours at 100% CPU. I don't know how many cores that used, but suspect that it was just one. I'll look into that. I'm rather a n00b with the Pi. Edit: I just found http://www.raspberrypi.org/forums/viewtopic.php?f=91&t=104384
Code:
sudo sh -c "echo bcm2708-rng >> /etc/modules"
sudo modprobe bcm2708-rng
But I also see stuff online about the need to install rng-tools, and to put "HRNGDEVICE=/dev/hwrng" in /etc/default/rng-tools.
Great that the performance is now decent. I'm inwardly seething at the glacial progress in desktop core count for a reasonable price that Intel deigns to give us, and I'm hoping that the quad and octacore mobile parts now available will start to rattle that cage. I've even recently been looking at resurrecting my beautiful Q6600 cpu, simply because the price/performance development of the desktop processors has been so slow. Looks like they've kept the hardware RNG in on the Rpi2? I'm really interested in using the Rpi as a kind of open crypto assistant to other general purpose computers, so that it can store keys, operate KDF or general crypto, and generate randoms with less risk of subversion than the "main" system. There are even some little touchscreen extras which could allow for pin entry for example. On the SD card front, I tend to use UHS-I cards which have a better write speed in most cases.
Yes, but you need to activate it. From http://www.berthon.eu/2015/installing-linux-on-raspberry-pi-the-easy-way/ I get:
Code:
$ sudo modprobe bcm2708-rng
$ sudo bash -c 'echo bcm2708_rng >> /etc/modules'
$ sudo apt-get install rng-tools
But he adds: "The implication of using such HW RNG is debatable and I will discuss it in the coming article." It's not there yet, but there is a discussion of randomness from TPM being debatable.
The terminology is confusing. I have some SanDisk cards that are "Ultra", "SDHC I" and class 10, but they claim just 48 MB/s. So are they "UHS-I"?
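Added example, not code from any poster or linked guide: a shell audit of what the activation steps quoted above are meant to leave behind (module listed for boot, rng-tools pointed at /dev/hwrng, device node present). The function names and the root-prefix argument are assumptions made for this example, and the sample files are constructed.

```shell
#!/bin/sh
# Audit of the hardware-RNG setup steps quoted in the thread (added example).
# Function names and the root-prefix argument are assumptions made here.

# True if the module list names the RNG driver. modprobe treats '-' and '_'
# in module names as equivalent, so both spellings from the thread match.
modules_has_rng() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/-/_/g' "$1" |
        grep -Eq '^[[:space:]]*bcm2708_rng([[:space:]]|$)'
}

# True only if an uncommented line points rng-tools at /dev/hwrng.
rngtools_uses_hwrng() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*HRNGDEVICE="?/dev/hwrng"?[[:space:]]*$' "$1"
}

# Prints one finding per check and returns the number of failed checks.
# $1 is a filesystem prefix: the empty string on the Pi itself.
audit_hwrng() {
    fails=0
    if modules_has_rng "$1/etc/modules"; then
        echo "ok:   RNG module is listed in /etc/modules"
    else
        echo "FAIL: bcm2708-rng is not in /etc/modules (not loaded at boot)"
        fails=$((fails + 1))
    fi
    if rngtools_uses_hwrng "$1/etc/default/rng-tools"; then
        echo "ok:   rng-tools reads /dev/hwrng"
    else
        echo "FAIL: no active HRNGDEVICE=/dev/hwrng in /etc/default/rng-tools"
        fails=$((fails + 1))
    fi
    if [ -c "$1/dev/hwrng" ]; then
        echo "ok:   /dev/hwrng is a character device"
    else
        echo "FAIL: /dev/hwrng is missing (driver not loaded)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: underscore spelling, HRNGDEVICE still commented out.
demo=$(mktemp -d)
mkdir -p "$demo/etc/default"
printf 'snd-bcm2835\nbcm2708_rng\n' > "$demo/etc/modules"
printf '#HRNGDEVICE=/dev/hwrng\n' > "$demo/etc/default/rng-tools"
audit_hwrng "$demo" || echo "$? check(s) failed on the constructed sample"
rm -rf "$demo"
```

On the Pi itself, call `audit_hwrng ""` so the checks read the real /etc and /dev.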
Could someone recommend a privacy friendly blog provider that does not use JavaScript? I'm thinking about starting a blog, and want it to be anonymous.
Yes the terminology is rubbish. I tend to filter on UHS-I, then look at the actual performance data for the card on small random read-write, which is probably what the OS is doing. Some of the cards are optimised for video, and some are counterfeit!
Here are the links I've looked at regarding the RNG. Looks like you have to get the random data as root (as well as installing the necessary libraries as you've found).
http://scruss.com/blog/2013/06/07/w...spberry-pis-hardware-random-number-generator/
Dieharder random number tests: http://www.phy.duke.edu/~rgb/General/dieharder.php
A sample project: http://cryptosense.com/building-a-raspberry-pi-hsm-for-rsa-2014/
I just found an unopened package, and see that it's "UHS-I".
OK, thanks. I'll dig. I wonder how this affects the Tor client.
I just spotted this on BBC's website: "Build a Raspberry Pi powered VPN". It looks like a very comprehensive step-by-step guide. I'd be interested to hear any comments on the viability of this. Can anyone foresee any potential problems?
This guide explains how to set up an OpenVPN server in a Pi2. You might use this to access your LAN from your notebook, smartphone, etc. It doesn't cover using a Pi2 as a VPN-client router, for using VPN services.