Run HA on a fully encrypted Raspberry Pi

I was wondering if anybody has successfully achieved running HA on a fully encrypted Raspberry Pi. Why would somebody want this? Same reasons as for why somebody would want to encrypt their computer hard drives: to protect your data in case somebody steals your device.

As described in “Please include dm-crypt for luks encryption in HassOS kernel”, Home Assistant OS does not seem to contain the required kernel modules. It is also not sufficient to have the kernel modules available in a container, as used to open external LUKS devices (forum thread “My solution to rsync to a luks encrypted drive in Hass OS” / only two links allowed), since we want to encrypt the disk running HA, too.

Hence, to me the only option seems to be running Debian on the Pi and setting up a supervised installation. If standard Debian encryption does not work, maybe some tips from “LUKS on Raspberry Pi | LUKS-on-Raspberry-Pi” for fully encrypting Raspberry Pi OS could apply.

Has anybody done that before? Do you know other options to achieve the desired result?

1 Like

Just install the supervisor on RPi OS. You control the encryption and unlocking mechanism, such as clevis/tang if you can get that to work over the network.

Thanks for mentioning clevis / tang. Didn’t know those and they sound super helpful.

Regarding the setup, if I understand https://github.com/home-assistant/architecture/blob/b85484512dd8f27338c6ae2ff28e9a7cf78abb2f/adr/0014-home-assistant-supervised.md correctly, installing the supervisor requires vanilla Debian (no derivatives). Have you tested installing the supervisor on Raspberry Pi OS?

That’s if you want to open a supported bug on the GitHub project. But it will run on most Debian-based OSes. RPi OS is just Debian with RPi-specific packages; it’s not a complete fork like Ubuntu.
I ran it inside an LXC Debian container on an ARM64 OpenWrt router for a few months. It will just complain on bootup that it’s an unsupported installation.

You might have more success making a LUKS partition on the RPi and scripting on boot to unlock it with clevis, since I’m sure encrypting the whole OS on Raspbian isn’t easy without a GUI install.
Then modify the Docker daemon and HA agent paths to use that mounted partition for storage.
The READMEs for them detail how to specify a custom path like /mnt/sata/docker and homeassistant (they should be separate).
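
A check for the layout suggested in the post above, as an added example that is not part of the thread or of any participant's setup: it confirms that the Docker and Home Assistant data directories resolve to a device-mapper mount rather than to the unencrypted SD card. The mapping name `hadata`, the mount point `/mnt/sata` and the mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): mapping "hadata",
# mount point /mnt/sata, and the constructed mount table below.

# Constructed sample in /proc/mounts format.
SAMPLE_MOUNTS='/dev/mmcblk0p2 / ext4 rw,noatime 0 0
/dev/mmcblk0p1 /boot vfat rw 0 0
/dev/mapper/hadata /mnt/sata ext4 rw,noatime 0 0'

# Print the device behind the longest mount point containing path $1.
# $2 is mount-table text in /proc/mounts format.
backing_device() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            hit = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
            if (hit && length(mp) > best) { best = length(mp); dev = $1 }
        }
        END { if (dev != "") print dev }'
}

# Succeed only if $1 is backed by a device-mapper node. LVM volumes also
# appear under /dev/mapper, so confirm the type with `cryptsetup status`.
on_mapper() {
    case "$(backing_device "$1" "$2")" in
        /dev/mapper/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each path; return non-zero if any sits on a plain device.
check_paths() {
    mounts=$1; shift; rc=0
    for p in "$@"; do
        if on_mapper "$p" "$mounts"; then tag=OK; else tag=PLAIN; rc=1; fi
        echo "$tag $p -> $(backing_device "$p" "$mounts")"
    done
    return "$rc"
}

# Demo on the constructed table; on a real host pass "$(cat /proc/mounts)".
check_paths "$SAMPLE_MOUNTS" /mnt/sata/docker /mnt/sata/homeassistant \
    /var/lib/docker || true
```

Run after boot, a non-zero result from `check_paths` means a data directory fell back to the plain root filesystem, for example because the unlock step failed and the mount point stayed empty.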

I ended up running HA OS inside a virtual machine. That way, the physical device can use standard luks encryption without interfering with HA OS.

1 Like