EpisodesPrivacy guidesStories
Don’t lose your

Updated on GitHub 4 months ago (see history)

How to setup hardened Ubuntu environment on Raspberry Pi


The following hardware is required.


Installing Ubuntu for desktops on datAshur PRO² USB flash drive is recommended to enforce access control, data persistence and tamper resistance hardening.

Bootable installer creation guide

Step 1: install Raspberry Pi Imager


Go to, download and install Raspberry Pi Imager.

Ubuntu (or other Debian-based OS)

Heads-up: depends on Qt.

$ sudo add-apt-repository -y universe
$ sudo apt install -y rpi-imager

Step 2: disable Raspberry Pi Imager telemetry


$ defaults write org.raspberrypi.Imager.plist telemetry -bool NO

Ubuntu (or other Debian-based OS)

$ mkdir -p ~/.config/Raspberry\ Pi
$ cat << "EOF" > ~/.config/Raspberry\ Pi/Imager.conf

Step 3: download Ubuntu for desktops

Heads-up: for additional security, verify Ubuntu for desktops download.

Go to and download Ubuntu Desktop 22.04.1 LTS.

Step 4: copy Ubuntu for desktops to USB flash drive

Open “Raspberry Pi Imager”, click “CHOOSE OS”, then “Use custom”, select Ubuntu for desktops .img.xz, click “CHOOSE STORAGE”, select USB flash drive and, finally, click “WRITE”.

Raspberry Pi Imager


Installation guide

Step 1: choose language and click “Continue”


Step 2: choose keyboard layout and click “Continue”

Keyboard layout

Step 3: choose timezone and click “Continue”

Where are you

Step 4: choose credentials, select “Log in automatically” (optional) and click “Continue”

Who are you


Configuration guide

Step 1: disable telemetry

Help improve Ubuntu

Step 2: run update-manager and click “Install Now”

Software Updater

Step 3: reboot

Step 4 (optional): center new windows

$ gsettings set org.gnome.mutter center-new-windows true

Step 5 (optional): enable dark mode

$ gsettings set org.gnome.desktop.interface color-scheme prefer-dark
$ gsettings set org.gnome.desktop.interface gtk-theme Yaru-dark

Step 6: disable auto-mount

$ gsettings set automount false

Step 7: add universe APT repository

$ sudo add-apt-repository -y universe

Step 8: install curl, libfuse2, overlayroot, zbar-tools and zlib1g-dev

$ sudo apt install -y curl libfuse2 overlayroot zbar-tools zlib1g-dev

Step 9 (if applicable): download Superbacked and allow executing superbacked.AppImage as program

Download Superbacked

Heads-up: replace ABCDEFGH with your license code.

Heads-up: for additional security, verify Superbacked download.

$ curl --fail --location --output ~/Desktop/superbacked.AppImage ""

Allow executing superbacked.AppImage as program

Right-click “superbacked.AppImage”, click “Properties”, click “Permissions” and, finally, select “Allow executing file as program”.

Allow executing file as program

Step 10: disable Bluetooth and Wi-Fi

$ cat << "EOF" | sudo tee -a /boot/firmware/config.txt

Step 11: set ext4 and vfat filesystems to read-only

$ sudo sed -i 's/discard,x-systemd.growfs/discard,noload,ro/g' /etc/fstab
$ sudo sed -i 's/defaults/defaults,ro/g' /etc/fstab

Step 12: disable

$ sudo sed -i 's/splash/splash' /boot/firmware/cmdline.txt

Step 13: set overlayroot to tmpfs

$ sudo sed -i 's/overlayroot=""/overlayroot="tmpfs"/g' /etc/overlayroot.conf

Step 14: clear Bash history

$ history -cw

Step 15: reboot

Heads-up: filesystem will be mounted as read-only following reboot.

$ sudo systemctl reboot

Step 16: shutdown

Heads-up: filesystem is ready for optional hardware read-only hardening.

$ sudo systemctl poweroff

Step 17 (optional): enable datAshur PRO² global read-only (see product documentation for instructions)


Contributors: Sun KnudsenSun Knudsen
Wish to contribute or need help? Read the docs.
Copyright (c) Sun Knudsen
Get in touch