Don’t lose your

Published to GitHub a month ago

How to setup hardened Ubuntu environment on Raspberry Pi


The following hardware is required.


Installing Ubuntu for desktops on datAshur PRO² USB flash drive is recommended to enforce access control, data persistence and tamper resistance hardening.

Bootable installer creation guide

Step 1: install Raspberry Pi Imager


Go to, download and install Raspberry Pi Imager.

Ubuntu (or other Debian-based OS)

Heads-up: depends on Qt.

$ sudo add-apt-repository -y universe

$ sudo apt install -y rpi-imager

Step 2: disable Raspberry Pi Imager telemetry


$ defaults write org.raspberrypi.Imager.plist telemetry -bool NO

Ubuntu (or other Debian-based OS)

$ mkdir -p ~/.config/Raspberry\ Pi

$ cat << "EOF" > ~/.config/Raspberry\ Pi/Imager.conf

Step 3: download Ubuntu for desktops

Heads-up: for additional security, verify Ubuntu for desktops download.

Go to and download Ubuntu Desktop 22.04.1 LTS.

Step 4: copy Ubuntu for desktops to USB flash drive

Open “Raspberry Pi Imager”, click “CHOOSE OS”, then “Use custom”, select Ubuntu for desktops .img.xz, click “CHOOSE STORAGE”, select USB flash drive and, finally, click “WRITE”.


Installation guide

Step 1: choose language and click “Continue”

Step 2: choose keyboard layout and click “Continue”

Step 3: choose timezone and click “Continue”

Step 4: choose credentials, select “Log in automatically” (optional) and click “Continue”


Configuration guide

Step 1: disable telemetry

Step 2: run update-manager and click “Install Now”

Step 3: reboot

Step 4 (optional): center new windows

$ gsettings set org.gnome.mutter center-new-windows true

Step 5 (optional): enable dark mode

$ gsettings set org.gnome.desktop.interface color-scheme prefer-dark

$ gsettings set org.gnome.desktop.interface gtk-theme Yaru-dark

Step 6: disable auto-mount

$ gsettings set automount false

Step 7: add universe APT repository

$ sudo add-apt-repository -y universe

Step 8: install curl, libfuse2, overlayroot, zbar-tools and zlib1g-dev

$ sudo apt install -y curl libfuse2 overlayroot zbar-tools zlib1g-dev

Step 9 (if applicable): download Superbacked and allow executing superbacked.AppImage as program

Download Superbacked

Heads-up: replace ABCDEFGH with your license code.

Heads-up: for additional security, verify Superbacked download.

$ curl --fail --location --output ~/Desktop/superbacked.AppImage ""

Allow executing superbacked.AppImage as program

Right-click “superbacked.AppImage”, click “Properties”, click “Permissions” and, finally, select “Allow executing file as program”.

Step 10: disable Bluetooth and Wi-Fi

$ cat << "EOF" | sudo tee -a /boot/firmware/config.txt

Step 11: set ext4 and vfat filesystems to read-only

$ sudo sed -i 's/discard,x-systemd.growfs/discard,noload,ro/g' /etc/fstab

$ sudo sed -i 's/defaults/defaults,ro/g' /etc/fstab

Step 12: disable

$ sudo sed -i 's/splash/splash' /boot/firmware/cmdline.txt

Step 13: set overlayroot to tmpfs

$ sudo sed -i 's/overlayroot=""/overlayroot="tmpfs"/g' /etc/overlayroot.conf

Step 14: clear Bash history

$ history -cw

Step 15: reboot

Heads-up: filesystem will be mounted as read-only following reboot.

$ sudo systemctl reboot

Step 16: shutdown

Heads-up: filesystem is ready for optional hardware read-only hardening.

$ sudo systemctl poweroff

Step 17 (optional): enable datAshur PRO² global read-only (see product documentation for instructions)


Contributors:Sun KnudsenSun Knudsen

Wish to contribute or need help? Read the docs.
This website is not tracking you. PGP public key fingerprint: E786 274B C92B 47C2 3C1C  F44B 8C9C A674 C47C A060