I wrote a quick guide to run a Peercoin full node on a Raspberry Pi to support the network, here.
To mint with peace of mind, a few more steps should be put in place. First of all, the minting node should not listen on port 9901 as the full node does, and ppcoind should be compiled by yourself from GitHub. Here we go:
Goal
- to configure a Raspberry Pi for secure Peercoin minting over ssh (if you don’t trust your computer, you would need a USB keyboard and HDMI display to configure the Pi directly)
- the encrypted wallet file resides in an encrypted folder to make it harder to access
- rpcpassword is removed after ppcoind starts, to prevent an intruder from talking to the daemon
- control ppcoind through RPC over an ssh tunnel from the secure computer
Requirement
- a secure computer to configure the Pi
- no need for a physical keyboard, HDMI display or mouse; everything will be done over ssh
- a network cable, or some kind of network device
- a working DHCP server, of course
- ppcoind on the secure computer to talk to the ppcoind on the Pi
Step 1
- Download the Debian Wheezy from http://www.raspberrypi.org/downloads/
- Burn it to your SD card (preferably class 10, 8 GB or more)
- Fire it up
Step 2
- Look for the ip of your pi. You may use nmap if available ( for example: nmap -sP 192.168.1.1/24 ), or look it up on your router control panel.
- ssh pi@your_pi_ip
Step 3
- change the password with “passwd”
- and run the following
[code]rm .bash_history
ln -s /dev/null .bash_history
sudo update-rc.d lightdm disable 2
sudo /usr/bin/raspi-config --expand-rootfs
sudo rm -f /etc/profile.d/raspi-config.sh
sudo apt-get -y --purge remove midori netsurf-common netsurf-gtk penguinspuzzle python-pygame scratch timidity wolfram-engine squeak-vm squeak-plugins-scratch dillo idle idle3 idle-python2.7 idle-python3.2 python-numpy python-support
sudo apt-get -y update
sudo apt-get -y install encfs
sudo adduser pi fuse
sudo shutdown -r now[/code]
* Note that you may put these commands in a text file and execute it with
[code]. yourscript[/code]
Step 4
- build ppcoind using the following
[code]sudo apt-get -y upgrade
sudo apt-get -y install ntpdate ufw build-essential libboost-dev libboost-system-dev libboost-filesystem-dev libboost-program-options-dev libboost-thread-dev libssl-dev libdb++-dev libminiupnpc-dev git g++ g++-4.6
sudo dd if=/dev/zero of=/swapfile bs=64M count=16
sudo mkswap /swapfile
sudo swapon /swapfile
cd /home/pi
git clone https://github.com/ppcoin/ppcoin.git
cd ppcoin/src
make -f makefile.unix ppcoind USE_UPNP=
mv ppcoind ~/
cd ~/
sudo swapoff /swapfile
sudo rm -f /swapfile[/code]
Step 5
- enable the firewall and allow only ssh access
[code]sudo ufw allow 22
sudo ufw --force enable
sudo ufw status[/code]
Step 6
- make an encrypted folder for wallet.dat
[code]mkdir -p ~/.ppcoin
#you may use paranoid mode for encfs
encfs ~/.data ~/data
ln -s ~/data/wallet.dat ~/.ppcoin/wallet.dat
[/code]
Step 7
- set up the RPC password
[code]nano ~/.ppcoin/ppcoin.conf[/code]
and add the following to the file
[code]rpcuser=xxx
rpcpassword=yourpassword[/code]
Step 8
- on your secure computer, transfer wallet.dat to the encrypted folder
[code]scp wallet.dat pi@your_pi_ip:~/data[/code]
Step 9
[code]#start ppcoind
~/ppcoind -listen=0 -daemon -server
#remove the credentials to deter an intruder from talking to it
rm ~/.ppcoin/ppcoin.conf[/code]
Step 10
- on the secure computer, open another session
[code]ssh -L 127.0.0.1:9902:127.0.0.1:9902 pi@your_pi_ip[/code]
- now that the tunnel is established, open another bash session on the secure computer to unlock the wallet for minting, but first add rpcuser/rpcpassword to ~/.ppcoin/ppcoin.conf on the secure computer, then run the following (on the secure computer as well)
[code]./ppcoind walletpassphrase <secretpasswordtoyourwallet> 999999999 true
./ppcoind getinfo[/code]
Step 11
- you may turn off access to ssh, but you won’t be able to control the Pi until the next reboot
[code]sudo service ssh stop[/code]
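A check to run on the Pi after Step 10 and before ssh is stopped, confirming that P2P port 9901 is closed and that RPC port 9902 is reachable only through the tunnel. This is an added example, not part of the original guide; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit_listeners, sample_good and sample_bad are hypothetical names.

# Read `netstat -ltn` (or `ss -ltn`) output on stdin; column 4 is the local
# address in both tools. Exit status is non-zero if any FAIL line was printed.
audit_listeners() {
    awk '
    $1 == "LISTEN" || $NF == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)             # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        loop = (host ~ /^127\./ || host == "::1" || host == "[::1]")
        if (port == "9901") {                         # P2P port: -listen=0 must close it
            print "FAIL p2p port 9901 is listening on " addr; bad = 1
        } else if (port == "9902" && !loop) {         # RPC must be loopback only
            print "FAIL rpc port 9902 is exposed on " addr; bad = 1
        } else if (!loop && port != "22") {           # only ssh is meant to be open
            print "WARN unexpected listener on " addr
        } else {
            print "ok   " addr
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample: what the guide aims for (ssh open, RPC on loopback).
sample_good() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9902          0.0.0.0:*               LISTEN
EOF
}

# Constructed sample: daemon started without -listen=0 and with RPC bound widely.
sample_bad() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9901            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9902            0.0.0.0:*               LISTEN
EOF
}

sample_good | audit_listeners
sample_bad  | audit_listeners || echo "node is not locked down as the guide intends"
# On the Pi: netstat -ltn | audit_listeners
```

The firewall from Step 5 would still block 9901 and 9902 from outside, so a FAIL here means the daemon's own settings are wrong and ufw is the only thing protecting it.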
[hr]
If the Pi is rebooted, you will have to decrypt the encrypted folder with “encfs ~/.data ~/data”, set rpcpassword in ppcoin.conf, start the ppcoind daemon, and tunnel in to unlock the wallet for minting.
How safe is this?
- if you turn the ssh service off after unlocking the wallet, there should be no way to attack it remotely
- but ssh is nice to have for controlling the Pi; it might not be a big risk leaving it on
- in case a physical intruder shuts down the Pi and takes the SD card, he should not be able to get to wallet.dat, as it is in the encrypted folder
- if, God knows how, an intruder is able to get into the Pi while it is minting, what he could do is tap the RPC to try to eavesdrop the rpcpassword, or dump the memory for the private keys of the wallet, which is not an easy task for the average hacker, I guess. Let’s hope for the best.