Ionic Machina allows any developer to add high-value security to their application with a few lines of code. Implementations of its SDK are available in multiple programming languages running on popular platforms. This article describes the steps needed to provision a Raspberry Pi to use the Java SDK in Machina Tools.
Setting Up Your Raspberry Pi
The Raspberry Pi Foundation has a helpful site raspberrypi.org set up to guide first-time users in configuring a Pi for use. I’ll talk about how I followed their instructions. (I’ll make certain configuration decisions with the intent of remotely managing the Pi after setup, but this is not necessary.)
- a Raspberry Pi (I am using a Raspberry Pi 2)
- an unused Pi-compatible SD card like this one
- a power supply with a micro-USB adapter like this one
- an Ethernet cable, connected to the network you’ll be using
- a USB keyboard (for setup only)
- an HDMI monitor (for setup only)
After setup, the Pi need only be connected to its power supply and network. (Wifi setup is also described on the Raspberry Pi website.)
Apply the Raspberry Pi OS Image to the SD Card
The Raspberry Pi has no internal storage. It makes use of an SD card to hold its filesystem. The install operating system (OS) image is applied to the SD card from a computer that has an SD card port.
Since I’m using a Windows laptop, I use the Etcher tool. I’m using the Raspbian Buster Lite OS image, as I intend this Pi to run remotely after setup. The image file downloaded from this website is a ZIP, containing a single IMG file. Extract the IMG file from the ZIP, and select it in the Etcher tool as the image to apply.
CAUTION: THIS OPERATION WILL OVERWRITE ANY EXISTING DATA ON THE SD CARD, MAKING IT UNRECOVERABLE.
ALL EXISTING DATA WILL BE DISCARDED. BACK UP ANY SD CARD DATA YOU WISH TO RETAIN.
When the image has been successfully applied to the SD card, eject the SD card from the computer.
Connect the Raspberry Pi
Insert the SD card into the Pi. Connect the keyboard and monitor. I suggest that you do not yet connect the Ethernet cable.
Start up the Raspberry Pi
Connect the micro USB power supply. The Pi is designed to be “always on”, so this will trigger it to boot. You’ll see text scroll on the screen as the device boots. After about one minute, a login prompt will be shown:
Here, the default user name and password are
Finish the Raspberry Pi Setup
On login, type this command to configure the Pi:
1 - Change User Password. Select a new password, then confirm it.
5 - Interfacing Options. Select option
P2 - SSH. Enable remote command line access.
Type this command to log out of the Raspberry Pi.
Login (using your new login password).
Connect to Your Ethernet Network
Type the following command to check the network configuration for your Raspberry Pi
pi@raspberrypi:~ $ ifconfig eth0: flags=4099 mtu 1500 ... lo: flags=73 mtu 65536 ...
You should see an entry for
eth0 (the wired Ethernet port on the Pi).
Insert your Ethernet cable, wait a few seconds, and reenter the command. You should see that an IP address has been assigned to the Pi.
pi@raspberrypi:~ $ ifconfig eth0: flags=4163
mtu 1500 inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 ... lo: flags=73 mtu 65536 ...
Type this command to verify Internet connectivity:
On a second machine, ssh into your newly imaged Pi.
Once you complete this step, you’ll no longer need the monitor and keyboard connected to your Pi; you may remove these now if you wish to remotely manage your Pi.
Update the Raspberry Pi
From the command line, use these commands to update your OS.
sudo apt-get update sudo apt-get upgrade
Provision the Raspberry Pi
Install the Java Development Kit.
pi@raspberrypi:~ $ sudo apt-get install default-jdk Reading package lists... Done ... pi@raspberrypi:~ $ java -version openjdk version "11.0.3" 2019-04-16 OpenJDK Runtime Environment (build 11.0.3+7-post-Raspbian-5) OpenJDK Server VM (build 11.0.3+7-post-Raspbian-5, mixed mode)
Install the Git source code management tool.
pi@raspberrypi:~ $ sudo apt-get install git Reading package lists... Done ... pi@raspberrypi:~ $ git --version git version 2.20.1
Install Maven project management tool.
pi@raspberrypi:~ $ sudo apt-get install maven Reading package lists... Done ... pi@raspberrypi:~ $ mvn -version Apache Maven 3.6.0 Maven home: /usr/share/maven Java version: 11.0.3, vendor: Raspbian, runtime: /usr/lib/jvm/java-11-openjdk-armhf Default locale: en_GB, platform encoding: UTF-8 OS name: "linux", version: "4.19.66-v7+", arch: "arm", family: "unix"
pi@raspberrypi:~ $ sudo apt-get install haveged Reading package lists... Done ...
Test the Java SDK from Machina Tools on the Raspberry Pi
pi@raspberrypi:~ $ mkdir github-IonicDev pi@raspberrypi:~ $ cd github-IonicDev pi@raspberrypi:~/github-IonicDev $
2. Clone this git repository onto the Raspberry Pi.
pi@raspberrypi:~/github-IonicDev $ git clone https://github.com/IonicDev/samples.git Cloning into 'samples'... ...
3. Navigate to the folder
4. Select a password to be used to protect your Ionic secure enrollment profile (SEP) data (see note below). Add it to the system environment of your command shell.
pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ export IONIC_PERSISTOR_PASSWORD=MyPassword
Note: The secure enrollment profile (SEP) is a data file on your Raspberry Pi filesystem. It contains configuration specifying the Ionic key server to use for key requests, as well as data to identify the client making the key requests. The password is used to generate an encryption key that protects the enrollment data at rest on the filesystem.
5. Follow the instructions below to run the
This will enroll your Raspberry Pi to the Machina key server you specify when you run the sample.
pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ mvn clean package [INFO] Scanning for projects... ... [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ ... [INFO] ------------------------------------------------------------------------ pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ java -jar target/create-profile-start-for-free.jar KEYSPACE: COJ2 ACCOUNT_NAME: firstname.lastname@example.org ACCOUNT_PASSWORD: **************** Device ID: COJ2.G.6d67e962-2732-4daf-518a-ca4480056525 Name : example Keyspace : COJ2 API URL : https://api.ionic.com pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $
Note: The first time this application is run, it is expected that the application will take some time to perform the enrollment. The Ionic enrollment process involves the use, at the client, of a 3072-bit RSA key. For security reasons, the RSA key is generated when the enrollment is performed. This generation can be slow on the Raspberry Pi’s ARM processor.
6. Navigate to the folder
pi@raspberrypi:~/github-IonicDev/samples/java/create-profile-start-for-free $ cd ../ionic-helloworld/
7. Follow the instructions below to run the
This will perform a string encryption and decryption using an encryption key from your Ionic key server. A few more details are provided here.
The Raspberry Pi is a low-cost option that provides a hardware platform for embedded use cases. Its support for the Debian operating system helps it to serve as an easy on-ramp to embedded development, enabling new applications. Machina and its policy engine are right at home on this platform, allowing data protection to be seamlessly integrated into these applications, and making good data governance simple, expected, and universal.