Protect sensitive data stored on a Raspberry Pi - Ionic Machina Developers blog

Using the Java SDK in Machina Tools on a Raspberry Pi

Ionic Machina allows any developer to add high-value security to their application with a few lines of code. Implementations of its SDK are available in multiple programming languages running on popular platforms. This article describes the steps needed to provision a Raspberry Pi to use the Java SDK in Machina Tools.

Setting Up Your Raspberry Pi

The Raspberry Pi Foundation has a helpful site raspberrypi.org set up to guide first-time users in configuring a Pi for use. I’ll talk about how I followed their instructions. (I’ll make certain configuration decisions with the intent of remotely managing the Pi after setup, but this is not necessary.)

Items Needed

  1. a Raspberry Pi (I am using a Raspberry Pi 2)
  2. an unused Pi-compatible SD card like this one
  3. a power supply with a micro-USB adapter like this one
  4. an Ethernet cable, connected to the network you’ll be using
  5. a USB keyboard (for setup only)
  6. an HDMI monitor (for setup only)

After setup, the Pi need only be connected to its power supply and network. (Wifi setup is also described on the Raspberry Pi website.)

Apply the Raspberry Pi OS Image to the SD Card

The Raspberry Pi has no internal storage; it uses an SD card to hold its filesystem. The operating system (OS) install image is written to the SD card from a computer that has an SD card reader.

Since I’m using a Windows laptop, I use the Etcher tool. I’m using the Raspbian Buster Lite OS image, as I intend this Pi to run remotely after setup. The image file downloaded from this website is a ZIP, containing a single IMG file. Extract the IMG file from the ZIP, and select it in the Etcher tool as the image to apply.

CAUTION: THIS OPERATION WILL OVERWRITE ANY EXISTING DATA ON THE SD CARD, MAKING IT UNRECOVERABLE.
ALL EXISTING DATA WILL BE DISCARDED. BACK UP ANY SD CARD DATA YOU WISH TO RETAIN.

When the image has been successfully applied to the SD card, eject the SD card from the computer.

Connect the Raspberry Pi

Insert the SD card into the Pi. Connect the keyboard and monitor. I suggest that you do not yet connect the Ethernet cable.

Start up the Raspberry Pi

Connect the micro USB power supply. The Pi is designed to be “always on”, so this will trigger it to boot. You’ll see text scroll on the screen as the device boots. After about one minute, a login prompt will be shown:

raspberrypi login:

Here, the default user name and password are pi and raspberry.

Finish the Raspberry Pi Setup

On login, type this command to configure the Pi:

sudo raspi-config

Select option 1 - Change User Password. Select a new password, then confirm it.

Select option 5 - Interfacing Options. Select option P2 - SSH. Enable remote command line access.

Select Finish.

Type this command to log out of the Raspberry Pi.

logout

Log in again (using your new password).

Connect to Your Ethernet Network

Type the following command to check the network configuration of your Raspberry Pi.

 pi@raspberrypi:~ $ ifconfig
 eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
 ...

 lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
 ...

You should see an entry for eth0 (the wired Ethernet port on the Pi).

Insert your Ethernet cable, wait a few seconds, and reenter the command. You should see that an IP address has been assigned to the Pi.

 pi@raspberrypi:~ $ ifconfig
 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
 ...

 lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
 ...

Type this command to verify Internet connectivity:

ping 8.8.8.8

On a second machine, ssh into your newly imaged Pi.

ssh pi@[your-IP-address]

Once you complete this step, you’ll no longer need the monitor and keyboard connected to your Pi; you may remove these now if you wish to remotely manage your Pi.

Update the Raspberry Pi

From the command line, use these commands to update your OS.

 sudo apt-get update
 sudo apt-get upgrade

Provision the Raspberry Pi

Install the Java Development Kit.

 pi@raspberrypi:~ $ sudo apt-get install default-jdk
 Reading package lists... Done
 ...

 pi@raspberrypi:~ $ java -version
 openjdk version "11.0.3" 2019-04-16
 OpenJDK Runtime Environment (build 11.0.3+7-post-Raspbian-5)
 OpenJDK Server VM (build 11.0.3+7-post-Raspbian-5, mixed mode)

Install the Git source code management tool.

 pi@raspberrypi:~ $ sudo apt-get install git
 Reading package lists... Done
 ...

 pi@raspberrypi:~ $ git --version
 git version 2.20.1

Install the Maven project management tool.

 pi@raspberrypi:~ $ sudo apt-get install maven
 Reading package lists... Done
 ...

 pi@raspberrypi:~ $ mvn -version
 Apache Maven 3.6.0
 Maven home: /usr/share/maven
 Java version: 11.0.3, vendor: Raspbian, runtime: /usr/lib/jvm/java-11-openjdk-armhf
 Default locale: en_GB, platform encoding: UTF-8
 OS name: "linux", version: "4.19.66-v7+", arch: "arm", family: "unix"

Install the haveged random number generator.

 pi@raspberrypi:~ $ sudo apt-get install haveged
 Reading package lists... Done
 ...

Test the Java SDK from Machina Tools on the Raspberry Pi

1. Make an empty directory for the IonicDev samples git repository. Navigate to that directory.

 pi@raspberrypi:~ $ mkdir github-IonicDev
 pi@raspberrypi:~ $ cd github-IonicDev
 pi@raspberrypi:~/github-IonicDev $

2. Clone this git repository onto the Raspberry Pi.

 pi@raspberrypi:~/github-IonicDev $ git clone https://github.com/IonicDev/samples.git
 Cloning into 'samples'...
 ...

3. Navigate to the folder samples/java/create-profile-start-for-free/.

4. Select a password to be used to protect your Ionic secure enrollment profile (SEP) data (see note below). Add it to the system environment of your command shell.

 pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ export IONIC_PERSISTOR_PASSWORD=MyPassword

Note: The secure enrollment profile (SEP) is a data file on your Raspberry Pi filesystem. It contains configuration specifying the Ionic key server to use for key requests, as well as data to identify the client making the key requests. The password is used to generate an encryption key that protects the enrollment data at rest on the filesystem.

5. Follow the instructions below to run the create-profile-start-for-free sample.

This will enroll your Raspberry Pi to the Machina key server you specify when you run the sample.

pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ mvn clean package
[INFO] Scanning for projects...
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
...
[INFO] ------------------------------------------------------------------------

pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ java -jar target/create-profile-start-for-free.jar

KEYSPACE:
COJ2

ACCOUNT_NAME:
[email protected]

ACCOUNT_PASSWORD:
****************

Device ID: COJ2.G.6d67e962-2732-4daf-518a-ca4480056525
Name     : example
Keyspace : COJ2
API URL  : https://api.ionic.com

pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $

Note: The first time this application runs, expect the enrollment to take some time. The Ionic enrollment process uses a 3072-bit RSA key at the client. For security reasons, that RSA key is generated on the device when the enrollment is performed, and this generation can be slow on the Raspberry Pi’s ARM processor.

6. Navigate to the folder samples/java/ionic-helloworld.

pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ cd ../ionic-helloworld/
pi@raspberrypi:~/github-IonicDev/samples/java/ionic-helloworld $

7. Follow the instructions below to run the ionic-helloworld sample.

This will perform a string encryption and decryption using an encryption key from your Ionic key server. A few more details are provided here.
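The note under step 4 says the persistor password is turned into an encryption key that protects the enrollment profile at rest. The following is an added illustration of that principle, not the Machina SDK's own persistor code: it assumes a constructed profile JSON, the file name profile.demo.sep, and reads IONIC_PERSISTOR_PASSWORD from the environment as the sample does, deriving an AES-GCM key with PBKDF2 so that a wrong password or a tampered file is rejected instead of silently decrypted.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

// Illustrative password-based protection of a profile file at rest (not the Machina SDK's own persistor code).
public class PasswordPersistorDemo {
    static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 200_000;
    // Derive a 256-bit AES key from the password and a random per-file salt with PBKDF2-HMAC-SHA256.
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(key, "AES");
    }

    // File layout: salt || iv || AES-GCM ciphertext+tag. The tag also detects tampering with the stored profile.
    static void save(Path file, char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        Files.write(file, ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array());
    }

    // A wrong password or a modified file makes doFinal throw AEADBadTagException instead of returning garbage.
    static byte[] load(Path file, char[] password) throws Exception {
        byte[] blob = Files.readAllBytes(file);
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample profile content; a real SEP is written by the enrollment sample, not by hand.
        byte[] profile = "{\"keyspace\":\"COJ2\",\"server\":\"https://api.ionic.com\"}".getBytes(StandardCharsets.UTF_8);
        char[] password = System.getenv().getOrDefault("IONIC_PERSISTOR_PASSWORD", "MyPassword").toCharArray();
        Path file = Paths.get("profile.demo.sep");
        save(file, password, profile);
        System.out.println(new String(load(file, password), StandardCharsets.UTF_8));
    }
}
```

Because the password sits in the shell environment, it is visible to any process running as the same user; on a shared or remotely managed Pi, set it only in the session that runs the samples rather than in a login profile.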

Conclusion

The Raspberry Pi is a low-cost option that provides a hardware platform for embedded use cases. Its support for the Debian operating system helps it to serve as an easy on-ramp to embedded development, enabling new applications. Machina and its policy engine are right at home on this platform, allowing data protection to be seamlessly integrated into these applications, and making good data governance simple, expected, and universal.
