Security

Secure Cold-Storage Vault with Banana Pi: Encryption and Backups

Published: 4 February 2026 12 min read By LeMaker Team
Secure cold storage vault setup with Banana Pi single-board computer and encryption

Why Build a Cold-Storage Vault on a Banana Pi?

Private keys, cryptocurrency wallets, and sensitive documents need stronger isolation than a laptop folder or cloud drive can provide. A dedicated offline device - a cold-storage vault - removes network-facing attack surface entirely. If the device is powered off and disconnected, remote compromise is not possible.

The Banana Pi fits this role well. It draws under 5W, connects directly to a SATA drive for encrypted volumes, and costs little enough to dedicate permanently to one job. When the vault is not in use, you unplug it and put it in a drawer.

This guide covers the full build: verified OS installation, SSH hardening, LUKS encryption on SATA, backup procedures, and the ongoing maintenance that keeps the vault trustworthy over time.

Security Warning: This guide covers security practices for educational purposes. Always verify procedures independently and understand the implications before storing valuable assets. Never store more than you can afford to lose while learning.

Prerequisites and Hardware Preparation

Before we begin, gather the following hardware:

The Banana Pi's SATA II interface and dual USB 2.0 ports provide flexible storage options. As documented in the Banana Pi specifications, the board supports both microSD storage and SATA drives, making it ideal for encrypted volume deployment. The BPI-M5 variant includes the same SATA capability with a faster S905X3 processor, which speeds up LUKS encryption operations noticeably.

Pro Tip: For cold storage, prefer SATA SSDs over microSD cards. SSDs offer better reliability and longevity for encrypted volumes that see periodic write operations.

Secure OS Installation

A secure vault begins with a verified operating system image. Follow these steps carefully:

Step 1: Download and Verify the OS Image

Download your preferred Linux distribution from the official LeMaker resources. As emphasized in the Banana Pi Quick Start Guide, always verify image integrity before flashing:

# Download the image and its checksum file
wget https://www.lemaker.org/downloads/raspbian-bananapi-latest.img.xz
wget https://www.lemaker.org/downloads/raspbian-bananapi-latest.img.xz.sha256

# Verify the SHA-256 checksum
sha256sum -c raspbian-bananapi-latest.img.xz.sha256

The output should confirm OK. If verification fails, re-download the image—never use an unverified image for a security-critical system.

Step 2: Flash the Image

Use a reliable flashing tool. On Linux:

# Decompress the image
xz -d raspbian-bananapi-latest.img.xz

# Identify your microSD card (be very careful here!)
lsblk

# Flash the image (replace /dev/sdX with your actual device)
sudo dd if=raspbian-bananapi-latest.img of=/dev/sdX bs=4M status=progress conv=fsync

# Sync to ensure all data is written
sync

Step 3: First Boot and Initial Updates

Connect Ethernet, insert the microSD card, and apply power. After boot, immediately apply security updates:

# Update package lists and upgrade all packages
sudo apt update && sudo apt upgrade -y

# Reboot to apply kernel updates if any
sudo reboot

SSH Key Authentication Setup

Password-based authentication is vulnerable to brute-force attacks. Following the security best practices for ARM Linux, we'll configure SSH key authentication and disable password logins entirely.

Generate SSH Keys (on your client machine)

# Generate a strong Ed25519 key pair
ssh-keygen -t ed25519 -a 100 -C "cold-storage-vault"

# The key will be saved to ~/.ssh/id_ed25519 by default

Copy the Public Key to the Banana Pi

# Copy your public key to the Banana Pi
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@banana-pi-ip

# Test key-based login
ssh -i ~/.ssh/id_ed25519 user@banana-pi-ip

Disable Password Authentication

Once key-based login works, disable passwords:

# Edit SSH daemon configuration
sudo nano /etc/ssh/sshd_config

# Set these options:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no

# Restart SSH service
sudo systemctl restart sshd
Important: Before closing your current session, open a new terminal and verify you can still log in with your key. Losing SSH access requires physical console access to recover.

Setting Up Encrypted Containers with LUKS

LUKS (Linux Unified Key Setup) provides robust, audited encryption for Linux systems. We'll create an encrypted container on the SATA drive for storing sensitive data.

Install Required Packages

sudo apt install cryptsetup

Prepare the SATA Drive

First, identify your SATA drive:

# List block devices
lsblk

# You should see your SATA drive (typically /dev/sda)

Create the Encrypted Container

# Initialize LUKS encryption on the drive
# WARNING: This will destroy all data on the drive!
sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 \
    --key-size 512 --hash sha512 --iter-time 5000 /dev/sda

# You'll be prompted to type YES (uppercase) and enter your passphrase
# Use a STRONG passphrase - at least 20 characters with mixed case, numbers, symbols
Passphrase Guidance: Your encryption is only as strong as your passphrase. Consider using a passphrase of 6+ random words (diceware method) or a 20+ character random string stored securely offline.

Open and Format the Encrypted Volume

# Open the encrypted container
sudo cryptsetup open /dev/sda vault

# Create a filesystem
sudo mkfs.ext4 -L "SecureVault" /dev/mapper/vault

# Create a mount point and mount the volume
sudo mkdir -p /mnt/vault
sudo mount /dev/mapper/vault /mnt/vault

# Set ownership
sudo chown $USER:$USER /mnt/vault

Using the Encrypted Volume

After each boot, you'll need to manually unlock and mount the volume:

# Unlock and mount
sudo cryptsetup open /dev/sda vault
sudo mount /dev/mapper/vault /mnt/vault

# When finished, unmount and lock
sudo umount /mnt/vault
sudo cryptsetup close vault

Add a Backup Key Slot

LUKS supports multiple key slots. Add a backup passphrase in case you forget the primary:

# Add a second passphrase (you'll need the current passphrase)
sudo cryptsetup luksAddKey /dev/sda

# View key slots
sudo cryptsetup luksDump /dev/sda | grep "Key Slot"

Alternative: VeraCrypt for Cross-Platform Compatibility

If you need to access your encrypted volumes from Windows or macOS, VeraCrypt offers cross-platform compatibility:

# Install VeraCrypt (download from official site)
wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-setup.tar.bz2
tar xjf veracrypt-1.26.7-setup.tar.bz2
sudo ./veracrypt-1.26.7-setup-console-arm

# Create an encrypted file container
veracrypt -c /mnt/usb/secure-container.vc

# Mount the container
veracrypt /mnt/usb/secure-container.vc /mnt/vault

Backup Strategies and Off-Device Storage

As emphasized in LeMaker's documentation, backups should be taken before major changes. For a cold-storage vault, proper backups are critical—losing your only copy of encrypted keys means permanent loss.

The 3-2-1 Backup Rule

Creating Encrypted Backups

Use the Banana Pi's USB ports for backup drives. As noted in the specifications, the board provides dual USB 2.0 ports suitable for backup media:

# Create an encrypted backup of your vault contents
# Using gpg for file-level encryption
tar -czf - /mnt/vault/ | gpg --symmetric --cipher-algo AES256 \
    -o /mnt/usb-backup/vault-backup-$(date +%Y%m%d).tar.gz.gpg

# Verify the backup can be decrypted
gpg -d /mnt/usb-backup/vault-backup-*.tar.gz.gpg | tar -tzf -

LUKS Header Backup

The LUKS header contains encryption metadata. If it's corrupted, your data is unrecoverable. Always backup the header:

# Backup LUKS header (store this VERY securely!)
sudo cryptsetup luksHeaderBackup /dev/sda \
    --header-backup-file /mnt/usb-backup/luks-header-backup.img

# Encrypt the header backup
gpg --symmetric --cipher-algo AES256 \
    /mnt/usb-backup/luks-header-backup.img
Critical: Store LUKS header backups separately from your encrypted drive. Anyone with the header backup and your passphrase can decrypt your data.

DEX Safety and Crypto Security Considerations

If you're using this vault to store cryptocurrency wallet keys or seed phrases, additional considerations apply.

If you interact with decentralised exchanges, understanding token approval risks, Permit2 behaviour, and bridge attack vectors matters before you store anything of value. The vault protects keys at rest - but operational security when signing transactions is a separate concern.

Best Practices for Crypto Key Storage

Storing Wallet Files Securely

# Create a dedicated directory structure
mkdir -p /mnt/vault/crypto/{wallets,seeds,configs}

# Set restrictive permissions
chmod 700 /mnt/vault/crypto
chmod 600 /mnt/vault/crypto/*

# After storing files, create integrity checksums
find /mnt/vault/crypto -type f -exec sha256sum {} \; > /mnt/vault/crypto/checksums.sha256

Ongoing Maintenance and Security Hygiene

A secure vault requires ongoing maintenance:

Regular Security Checks

# Check for failed services
systemctl --failed

# Review authentication logs
sudo journalctl -u sshd --since "1 week ago" | grep -i "failed\|invalid"

# Verify no unexpected network listeners
sudo ss -tulpn

# Check disk health
sudo smartctl -a /dev/sda

Periodic Tasks

Physical Security

What Matters Most After the Build

The vault itself is the easy part. The harder discipline is maintaining it: verifying backups actually restore, keeping the OS patched during the brief windows you bring it online, and resisting the temptation to leave it network-connected "just for convenience."

Test your recovery procedure within the first week. Decrypt a backup on a separate card, confirm the files are intact, then wipe the test. If you skip this step, you are trusting a process you have never validated - and that is not security, it is hope.

For more on hardening ARM boards for network-facing roles, see the LeMaker security hardening guide.

Related Articles

More security and self-hosting guides coming soon. Browse all articles →