Updated on GitHub 4 months ago (see history)

How to set up a hardened Ubuntu environment on Raspberry Pi

Requirements

The following hardware is required.

Recommendations

Installing Ubuntu for desktops on a datAshur PRO² USB flash drive is recommended to enforce access control, data persistence and tamper-resistance hardening.

Bootable installer creation guide

Step 1: install Raspberry Pi Imager

macOS

Go to https://www.raspberrypi.com/software/, download and install Raspberry Pi Imager.

Ubuntu (or other Debian-based OS)

Heads-up: Raspberry Pi Imager depends on Qt.

$ sudo add-apt-repository -y universe
$ sudo apt install -y rpi-imager

Step 2: disable Raspberry Pi Imager telemetry

macOS

$ defaults write org.raspberrypi.Imager.plist telemetry -bool NO

Ubuntu (or other Debian-based OS)

$ mkdir -p ~/.config/Raspberry\ Pi
$ cat << "EOF" > ~/.config/Raspberry\ Pi/Imager.conf
[General]
telemetry=false
EOF

Step 3: download Ubuntu for desktops

Heads-up: for additional security, verify Ubuntu for desktops download.

Go to https://ubuntu.com/download/raspberry-pi and download Ubuntu Desktop 22.04.1 LTS.

Step 4: copy Ubuntu for desktops to USB flash drive

Open “Raspberry Pi Imager”, click “CHOOSE OS”, then “Use custom”, select Ubuntu for desktops .img.xz, click “CHOOSE STORAGE”, select USB flash drive and, finally, click “WRITE”.

Raspberry Pi Imager

👍

Installation guide

Step 1: choose language and click “Continue”

Welcome

Step 2: choose keyboard layout and click “Continue”

Keyboard layout

Step 3: choose timezone and click “Continue”

Where are you

Step 4: choose credentials, select “Log in automatically” (optional) and click “Continue”

Who are you

👍

Configuration guide

Step 1: disable telemetry

Help improve Ubuntu

Step 2: run update-manager and click “Install Now”

Software Updater

Step 3: reboot

Step 4 (optional): center new windows

$ gsettings set org.gnome.mutter center-new-windows true

Step 5 (optional): enable dark mode

$ gsettings set org.gnome.desktop.interface color-scheme prefer-dark
$ gsettings set org.gnome.desktop.interface gtk-theme Yaru-dark

Step 6: disable auto-mount

$ gsettings set org.gnome.desktop.media-handling automount false

Step 7: add universe APT repository

$ sudo add-apt-repository -y universe

Step 8: install curl, libfuse2, overlayroot, zbar-tools and zlib1g-dev

$ sudo apt install -y curl libfuse2 overlayroot zbar-tools zlib1g-dev

Step 9 (if applicable): download Superbacked and allow executing superbacked.AppImage as program

Download Superbacked

Heads-up: replace ABCDEFGH with your license code.

Heads-up: for additional security, verify Superbacked download.

$ curl --fail --location --output ~/Desktop/superbacked.AppImage "https://superbacked.com/api/downloads/superbacked-std-arm64-latest.AppImage?license=ABCDEFGH"

Allow executing superbacked.AppImage as program

Right-click “superbacked.AppImage”, click “Properties”, click “Permissions” and, finally, select “Allow executing file as program”.

Allow executing file as program

Step 10: disable Bluetooth and Wi-Fi

$ cat << "EOF" | sudo tee -a /boot/firmware/config.txt
dtoverlay=disable-bt
dtoverlay=disable-wifi
EOF

Step 11: set ext4 and vfat filesystems to read-only

$ sudo sed -i 's/discard,x-systemd.growfs/discard,noload,ro/g' /etc/fstab
$ sudo sed -i 's/defaults/defaults,ro/g' /etc/fstab

Step 12: disable fsck.repair

$ sudo sed -i 's/splash/splash fsck.repair=no/g' /boot/firmware/cmdline.txt

Step 13: set overlayroot to tmpfs

$ sudo sed -i 's/overlayroot=""/overlayroot="tmpfs"/g' /etc/overlayroot.conf

Step 14: clear Bash history

$ history -cw

Step 15: reboot

Heads-up: filesystem will be mounted as read-only following reboot.

$ sudo systemctl reboot

Step 16: shutdown

Heads-up: filesystem is ready for optional hardware read-only hardening.

$ sudo systemctl poweroff

Step 17 (optional): enable datAshur PRO² global read-only (see product documentation for instructions)

👍
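
The sed substitutions in steps 11 to 13 exit successfully even when their pattern matches nothing, so it is worth confirming the edits landed before the step 15 reboot. The script below is an added example, not part of the original guide; its function names and the --pre-reboot/--post-reboot flags are hypothetical, and it assumes overlayroot mounts / with filesystem type "overlay".

```shell
#!/bin/sh
# Added example, not from the guide: confirm the edits from steps 10 to 13 landed.
# Each check takes the file to inspect, so it also works on copies.

# Step 11: every ext4/vfat entry in fstab must carry the "ro" option.
check_fstab() {
  awk '/^[ \t]*(#|$)/ { next }
    $3 == "ext4" || $3 == "vfat" {
      n = split($4, o, ","); ro = 0
      for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
      if (!ro) { print "fstab: " $2 " is not read-only"; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# Step 10: both overlays must be present as whole, uncommented lines.
check_radios() {
  grep -qx 'dtoverlay=disable-bt' "$1" && grep -qx 'dtoverlay=disable-wifi' "$1"
}

# Step 12: fsck.repair=no must appear as its own kernel argument.
check_cmdline() {
  tr ' ' '\n' < "$1" | grep -qx 'fsck.repair=no'
}

# Step 13: overlayroot must be set to tmpfs on an uncommented line.
check_overlayroot() {
  grep -qx 'overlayroot="tmpfs"' "$1"
}

# After the step 15 reboot: the last mount on / must be of type overlay (assumption).
check_root_overlay() {
  awk '$2 == "/" { t = $3 } END { exit !(t == "overlay") }' "$1"
}

# Run the file checks against the guide's paths; non-zero if any fails.
audit() {
  rc=0
  check_radios /boot/firmware/config.txt || { echo "FAIL: step 10"; rc=1; }
  check_fstab /etc/fstab || { echo "FAIL: step 11"; rc=1; }
  check_cmdline /boot/firmware/cmdline.txt || { echo "FAIL: step 12"; rc=1; }
  check_overlayroot /etc/overlayroot.conf || { echo "FAIL: step 13"; rc=1; }
  return "$rc"
}

case "${1:-}" in
  --pre-reboot)  audit; exit $? ;;
  --post-reboot) check_root_overlay /proc/mounts; exit $? ;;
esac
```

Saved under an assumed name such as audit.sh, run it with --pre-reboot after step 13 and with --post-reboot after step 15.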

Contributors: Sun Knudsen
Copyright (c) Sun Knudsen