This describes how I installed and configured my Raspberry Pi model B (512MB).
The Pi is mainly used as an SSH jump host, IRC client, Git server, backup fileserver, etc. It doesn't need stellar performance, it just has to be cheap, low in power usage, and secure.
Raspbian (Wheezy) is installed on an encrypted root filesystem (everything except /boot and swap), located on a 16GB SanDisk Extreme SDHC class 10 memory card. Unfortunately, this cannot be done directly from the Raspbian installer and takes some more effort.
First a base installation was prepared using the Raspbian installer, where I replaced bootcode.bin and start.elf with the versions from the Raspberry Pi firmware master branch, because it would not boot otherwise.
Then I mostly followed this guide: Using an Encrypted Root Partition with Raspbian
Note that after every kernel update (e.g., by updating the raspberrypi-bootloader package or by running rpi-update), we have to run mkinitramfs -o /boot/initramfs.gz <version>, where <version> is the new kernel version (mkinitramfs defaults to the running kernel).
This is my first Raspberry Pi and I never did anything else with it, so I cannot speak for the performance degradation due to the encrypted filesystem. All I can say is performance is adequate for my needs.
(Note: It might be a good idea to take a complete snapshot of the memory card every now and then, since this all can take a while.)
Attached is a 3TB USB2 disk (with external power supply, since the Pi's USB ports will not power a spinning disk). The filesystem is encrypted (again, with a cipher and key size the Pi's version of cryptsetup can handle) and automatically opened on boot.
Create a keyfile for opening the disk and store it on the encrypted root filesystem:
sudo cryptsetup luksAddKey /dev/sdc1 /root/elements.key
Add this line to /etc/fstab:
/dev/mapper/elements /data ext4 noatime,defaults 0 2
Add this line to /etc/crypttab:
elements UUID=1d2c3454-13b2-432c-96b8-xxxxxxxxxxxxx /root/elements.key luks
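Because the keyfile named in /etc/crypttab unlocks the disk without a passphrase, it is worth confirming that every such keyfile exists and is inaccessible to group and other. The shell function below is an added example, not part of the original write-up; the demo paths, device names and UUID are constructed.

```sh
#!/bin/sh
# Added example: audit the keyfiles referenced from a crypttab file.
# Status 0 = no findings, 1 = findings printed, 2 = file unreadable.
check_crypttab() {
    tab=${1:-/etc/crypttab}
    findings=0
    [ -r "$tab" ] || { echo "cannot read $tab" >&2; return 2; }
    while read -r name device key options || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # No keyfile field, "none" or "-" means a passphrase prompt;
        # /dev/* keys (e.g. /dev/urandom for swap) are not files to audit.
        case $key in ''|none|-|/dev/*) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key is missing or not a regular file"
            findings=$((findings + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ldL "$key" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "$name: keyfile $key is accessible to group/other ($bits)"
            findings=$((findings + 1))
        fi
    done < "$tab"
    [ "$findings" -eq 0 ]
}

# Constructed demo: one world-readable keyfile, one locked-down keyfile.
demo() {
    d=$(mktemp -d) || return 2
    printf 'k1' > "$d/loose.key"; chmod 644 "$d/loose.key"
    printf 'k2' > "$d/tight.key"; chmod 400 "$d/tight.key"
    printf '%s\n' "# constructed sample, not a real crypttab" \
        "elements UUID=00000000-0000-0000-0000-000000000000 $d/loose.key luks" \
        "backup /dev/sdX1 $d/tight.key luks" \
        "prompted /dev/sdY1 none luks" > "$d/crypttab"
    check_crypttab "$d/crypttab"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "demo: findings reported above"
```

Called with no argument, check_crypttab audits /etc/crypttab; run it as root so the keyfiles under /root are visible.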
For some packages, I need (or want) versions that are not available in current Wheezy, but are in Wheezy Backports. This repository is not ported to Raspbian and it is recommended to build packages from external sources yourself, either on the Pi itself, or on a faster machine by cross building.
The easiest way to build a package from Wheezy backports on the Pi is as follows. Add the source repository to /etc/apt/sources.list:
deb-src http://ftp.debian.org/debian/ wheezy-backports main
And add the backports public key:
gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
gpg -a --export 8B48AD6246925553 | sudo apt-key add -
Let's say we need package $PACKAGE version $VERSION (an easy way to see what's available in which release is to go to http://packages.debian.org/$PACKAGE). First install the build dependencies:
sudo apt-get build-dep "$PACKAGE=$VERSION"
Then get the package source and compile it:
apt-get source "$PACKAGE=$VERSION"
cd "$PACKAGE"-*/
dpkg-buildpackage
Install the package (dpkg-buildpackage writes the .deb files to the parent directory):
sudo dpkg -i ../"$PACKAGE"*.deb
(If any of the dependencies are also unavailable in Raspbian, you might have to recursively repeat this process a number of times.)
I used the above approach to build git-annex from Wheezy backports, but this initially failed due to insufficient memory on the Pi. This can be worked around by instructing GHC to use fewer optimizations and to separate the compile and link phases. Change the $(CABAL) build line in the Makefile to the following before running dpkg-buildpackage:
$(CABAL) build --ghc-options="-O0 -c" && $(CABAL) build --ghc-options="-O0 -optl -O0"
One of the things I use the Pi for is as an IRC client using irssi and irssi-otr. Generating a key for OTR can take a very long time since the Pi has almost no sources of entropy for /dev/random.
Fortunately, it has a hardware random number generator. Then it still took me a very long time, so it might also help to temporarily attach a USB mouse and move it around a bit.
For my own reference, this is a random list of some packages I usually install on a new machine:
screen
subversion
git
git-annex
bash-completion
denyhosts
apticron
ufw
emacs
emacs-goodies-el