My password manager

PizHid

This is the code behind my personal secrets manager. Since it was essentially the platform on which I started learning about Raspberry Pis (and similar boards), it has gone through several iterations. Nowadays it runs VaultWarden, a lighter-weight, BitWarden-compatible server implementation, so it can be used with the many BitWarden clients/frontends.

Previously, it was based on pass. It had a minimal web interface (mainly for use from Windows devices) and an API (which powered a small Linux application). To see more about this older version, check out the pass git tag/release.

Usage and functionality details

It runs VaultWarden. The device offers both a wired connection (USB Ethernet gadget) and a wireless one (its own access point) for reaching the web interface.

A connection is established automatically when PizHid is plugged into another device and that device is leased an IP. On Linux the IP of PizHid is 10.77.77.77, on Windows it is 10.77.78.77, and on the access point it is 10.77.79.77. If the client OS supports Avahi (mDNS), PizHid can also be reached at pizhid.local.

Physical buttons

There are 2 physical buttons on the device. One powers the device on/off, and the other toggles the access point.

Initial setup

  • Set hostname to pizhid;
  • Enable SSH;
  • Enable SSH public-key authentication;
  • Change the default user to pizhid;
  • Enable network;
  • Set timezone/locale to Europe/Lisbon / pt;
  • Skip the first-run wizard.

Network

The web server is reachable on 3 interfaces: usb0 (Linux wired), usb1 (Windows wired) and uap0 (wireless). IPs are assigned to clients automatically by a DHCP server.

  • usb0 - pizhid resides at 10.77.77.77/24 and serves IPs in the range [10.77.77.80, 10.77.77.99];
  • usb1 - pizhid resides at 10.77.78.77/24 and serves IPs in the range [10.77.78.80, 10.77.78.99];
  • uap0 - pizhid resides at 10.77.79.77/24 and serves IPs in the range [10.77.79.80, 10.77.79.99].

Note: pizhid is also reachable as pizhid.local via Avahi (mDNS).

Access Point

The access point uses hostapd. The device has only 1 wlan interface, so a virtual interface for the access point is added on top of the wlan0 physical device (see the RaspAP docs on AP-STA mode).

Traffic is routed between the two interfaces (IPv4 forwarding on PizHid; in AP-STA mode the AP interface is not a layer-2 bridge to the station interface), so clients connected to the access point can reach the Internet through PizHid. This is only offered to access-point clients: a device can usually be associated with only 1 wireless network at a time, so AP clients would otherwise be cut off, whereas wired clients keep their own uplink, which makes forwarding for them unnecessary and undesirable.

SD card wear

Swap

  • Swap is disabled for faster boot times and to preserve the SD card. It brought no benefit anyway, since the device's memory usage is extremely low:

Disable swap

Log2Ram

  • Logging to the SD card causes needless wear;
  • Log2Ram is used to reduce that wear;
  • Install:

Install log2ram

  • Copy the config file to /etc/log2ram.conf.

/tmp is a tmpfs

An fstab entry was added so that /tmp is mounted as a tmpfs (40MB).

Tmp in tmpfs
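The swap and /tmp steps above as re-runnable shell functions, with a check that swap really is gone after the change. This is an added example and not PizHid's own scripts: it assumes Raspberry Pi OS, where swap is managed by dphys-swapfile, and the 40 MB tmpfs size this README uses; log2ram is left to its own package installer.

```shell
#!/bin/sh
# Added example, not PizHid's own scripts: idempotent SD-card wear steps.
# Assumes Raspberry Pi OS (dphys-swapfile) and a 40 MB tmpfs for /tmp.
set -eu

# Stop, remove and disable the dphys-swapfile swap so nothing swaps to the card.
disable_swap() {
  sudo dphys-swapfile swapoff
  sudo dphys-swapfile uninstall
  sudo systemctl disable --now dphys-swapfile
}

# Returns 0 when no swap area is active. Reads a /proc/swaps-style listing
# (a header line followed by one line per active swap area); the optional
# path argument lets the check run on a saved copy.
no_swap_active() {
  ! sed 1d "${1:-/proc/swaps}" | grep -q .
}

# The fstab entry: size-limited tmpfs, sticky 1777 mode, noatime/nosuid/nodev.
tmp_tmpfs_line() {
  printf 'tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,mode=1777,size=%s 0 0\n' "${1:-40M}"
}

# Append the /tmp entry to the given fstab exactly once (safe to re-run).
ensure_tmp_tmpfs() {
  fstab="$1"
  size="${2:-40M}"
  if grep -qE '^[^#]+[[:space:]]/tmp[[:space:]]' "$fstab"; then
    return 0
  fi
  tmp_tmpfs_line "$size" >> "$fstab"
}

# Usage: sudo sh sdwear.sh apply   (changes the running system)
if [ "${1:-}" = "apply" ]; then
  disable_swap
  ensure_tmp_tmpfs /etc/fstab 40M
  no_swap_active && echo "swap is off; reboot to mount /tmp as tmpfs"
fi
```

The `nosuid,nodev` options cost nothing on /tmp and remove two classic abuses of a world-writable directory; the `size=` limit keeps a runaway process from filling RAM.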

More memory with zram

Just read this post (it is great): How to Squeeze 50% More Memory Out of Your Raspberry Pi with zram.

Web server

The server runs nginx, which terminates TLS (serves the SSL certificate) and reverse-proxies to VaultWarden. The certificate lives in the /etc/ssl/certs directory and the key in /etc/ssl/private. Set these according to your needs.
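One way to produce a certificate that the BitWarden clients will actually trust, as an added example that is not part of PizHid: a private CA plus a server certificate whose subjectAltName covers every name a client might use (pizhid.local and the three addresses from this README). Installing ca.crt on each client is then a one-time step instead of a per-client exception for a self-signed leaf. It assumes openssl 1.1.1 or newer; the file names pizhid.crt/pizhid.key under the README's nginx directories are a choice made here.

```shell
#!/bin/sh
# Added example, not part of PizHid: private CA + server cert with SANs for
# pizhid.local and the three PizHid addresses. Assumes openssl >= 1.1.1.
set -eu

# Write the openssl config used by every step below ($1: dir, $2: server name).
write_openssl_cnf() {
  dir="$1"; host="$2"
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:10.77.77.77,IP:10.77.78.77,IP:10.77.79.77
EOF
}

# Private CA: P-256 key kept 0600, 10-year self-signed CA certificate.
make_ca() {
  dir="$1"
  write_openssl_cnf "$dir" "${2:-pizhid.local}"
  ( umask 077; openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/ca.key" )
  openssl req -x509 -new -key "$dir/ca.key" -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/CN=PizHid Local CA" -days 3650 -sha256 -out "$dir/ca.crt"
}

# Server certificate signed by the CA, carrying the SANs from srv_ext.
issue_server_cert() {
  dir="$1"; host="${2:-pizhid.local}"
  write_openssl_cnf "$dir" "$host"
  ( umask 077; openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/server.key" )
  openssl req -new -key "$dir/server.key" -config "$dir/openssl.cnf" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$dir/openssl.cnf" -extensions srv_ext -out "$dir/server.crt"
}

# Returns 0 only if server.crt chains to ca.crt and names the expected host.
verify_server_cert() {
  dir="$1"; host="${2:-pizhid.local}"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null &&
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}

# Put the pair where nginx will look for it (key readable by root only).
install_for_nginx() {
  dir="$1"
  sudo install -m 644 "$dir/server.crt" /etc/ssl/certs/pizhid.crt
  sudo install -m 600 "$dir/server.key" /etc/ssl/private/pizhid.key
}

# Usage: sh certs.sh apply [workdir]
if [ "${1:-}" = "apply" ]; then
  work="${2:-$HOME/pizhid-ca}"
  mkdir -p "$work"
  [ -f "$work/ca.crt" ] || make_ca "$work"
  issue_server_cert "$work" pizhid.local
  verify_server_cert "$work" pizhid.local
  install_for_nginx "$work"
fi
```

Keep ca.key off the device: the CA only has to sign the server certificate once every 825 days, and a CA key sitting next to the thing it vouches for is worth little.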

Important notes on using this

  • There is an Ansible playbook, but it shouldn't be used:
    • I didn't test it
    • I didn't build it in a way that could be used more than once on the same device (it is not idempotent)
    • It is just a way for me to organize the steps
  • BitWarden clients require HTTPS, so you need TLS certificates:
    • They can be self-signed, but self-signed certificates are harder to use in some clients
  • The hostapd config contains the access point's password in plaintext:
    • Set your own password before deploying it
  • boot/cmdline.txt contains a partition UUID; values like that have to be changed when applying this to other devices
  • There are probably better/lighter-weight alternatives to nginx for this use case
  • VaultWarden needs an admin token:
    • Generate it with openssl rand -base64 48
    • Don't forget to pass it when starting the docker container
  • VaultWarden data is stored via a bind mount at /bw-data
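The admin-token and bind-mount notes above, carried through as a small deploy script. This is an added example and not PizHid's deploy script: it assumes Docker and the vaultwarden/server image, and publishing the container's port 80 on 127.0.0.1:8080 (for nginx to proxy to) is a choice made here. The token is generated exactly as the README says and then handed to Docker through a root-only env file rather than on the command line, so it lands neither in the shell history nor in a command line visible to other users.

```shell
#!/bin/sh
# Added example, not PizHid's deploy script: admin token + container start.
# Assumes Docker, the vaultwarden/server image and the /bw-data bind mount.
set -eu

# 48 random bytes, base64-encoded: a 64-character token, as the README says.
gen_admin_token() {
  openssl rand -base64 48
}

# Write the container environment with 0600 permissions. DOMAIN tells
# VaultWarden the public URL clients use (here the README's pizhid.local).
write_env_file() {
  file="$1"; token="$2"
  ( umask 077; printf 'ADMIN_TOKEN=%s\nDOMAIN=https://pizhid.local\n' "$token" > "$file" )
}

# Returns 0 only if the env file is readable by its owner alone (mode 600).
env_file_is_private() {
  mode="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")"
  [ "$mode" = "600" ]
}

# Start (or replace) the container. --env-file keeps the token off the docker
# command line; the port is bound to loopback so only local nginx reaches it.
run_vaultwarden() {
  envf="$1"
  env_file_is_private "$envf" || { echo "refusing: $envf is not mode 600" >&2; return 1; }
  docker rm -f vaultwarden >/dev/null 2>&1 || true
  docker run -d --name vaultwarden --restart unless-stopped \
    --env-file "$envf" \
    -v /bw-data/:/data/ \
    -p 127.0.0.1:8080:80 \
    vaultwarden/server:latest
}

# Usage: sudo sh deploy.sh apply
if [ "${1:-}" = "apply" ]; then
  [ -f /etc/vaultwarden.env ] || write_env_file /etc/vaultwarden.env "$(gen_admin_token)"
  run_vaultwarden /etc/vaultwarden.env
fi
```

Newer VaultWarden releases also accept ADMIN_TOKEN as an Argon2 PHC hash (produced with the image's `vaultwarden hash` command), in which case the env file holds only the hash and the plaintext token is kept elsewhere; the env-file handling above is unchanged.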

Thanks

Cool software

Software that made this possible.

Cool websites and posts

License

I don't know. I don't care. I'm not responsible for anything.