The default Raspberry Pi OS image provided by the Raspberry Pi Foundation is based on age-old Debian GNU/Linux traditions. These, however, are often neither secure nor good-looking. This guide shows you how to beautify and secure your setup.
The guide is divided into three sections: Steps for the desktop version of Raspberry Pi OS, Steps for Raspberry Pi OS Lite and Steps for both versions of Raspberry Pi OS. All instructions refer to the latest version of Raspberry Pi OS (stable). Currently, this version is called Bullseye, while the legacy version (oldstable) is called Buster.
While Raspberry Pi OS has the Recommended Software tool and, in older versions, the Add/Remove Programs utility, they are not very good. Recommended Software only has a few programs that are preinstalled on the full image anyway, and Add/Remove Programs' UI is so terrible that I'm not even listing it as an option to install software.
If you have previously used Ubuntu or any derivative, you might know the Software application (known as snap-store internally). But did you know that it is a fork of GNOME Software, an application you can actually install on Raspberry Pi OS? GNOME Software was also used in versions of Ubuntu prior to 20.04 LTS, but was replaced by snap-store in that version to push people into using Canonical's proprietary snap format. GNOME Software is also based on the same PackageKit framework as Add/Remove Programs, but is based on GTK+3 and libadwaita, giving it a much cleaner look.
To install GNOME Software, run this command in a terminal window:
sudo apt install gnome-software
If you installed alternative package managers like Flatpak and Snap, you might also want the appropriate plugins:
sudo apt install gnome-software-plugin-flatpak
sudo apt install gnome-software-plugin-snap
Another graphical package manager I use is Botspot's Pi-Apps.
Pi-Apps is more of a collection of installation scripts than a real package manager, but is useful to install apps that either only provide binary files (like Oh My Posh) or use a custom APT server (like nodejs).
Install Pi-Apps using the official install script:
wget -qO- https://raw.githubusercontent.com/Botspot/pi-apps/master/install | bash
Most of the tools on this list can be installed through Pi-Apps.
LibreOffice is a set of programs much like Microsoft Office. It has a word processor, spreadsheet program, presentation creator and others.
LibreOffice is available from APT, GNOME Software, Raspberry Pi Recommended Software and Pi-Apps.
To install with apt:
sudo apt install libreoffice
If you plan on editing text files, Microsoft's Visual Studio Code is a must. Raspberry Pi OS's included Mousepad and Geany editors aren't fit for editing large codebases or using programs like Git.
Visual Studio Code is available on APT, Pi-Apps and Recommended Software. While it also shows up on GNOME Software if you have Flatpak installed, that version is not official and has many limitations, such as not being able to communicate with other programs. There is also a .deb archive available for download on its website. Some people prefer VSCodium, a version built from source, meaning it doesn't contain tracking etc., which has more complicated installation steps: https://vscodium.com/#install-on-debian-ubuntu-deb-package
(actually, these are the same steps as for code, just with a different repository, but those are already done on Pi OS)
sudo apt install code
The default web browser application that comes with Raspberry Pi OS is Chromium, a stripped-down, open-source version of Google Chrome. It takes forever to start up and pressures you into using a Google Account. While your favorite web browser might offer a Linux download (no, Microsoft Edge (Chromium) fans, you don't even need to ask), a good choice is Mozilla Firefox.
Firefox ESR is available on APT, while Rapid Release versions, which update every six weeks, are not. These can be installed using Pi-Apps. It is also available from Flatpak, and, by extension (great pun), GNOME Software.
Raspberry Pi OS (full) comes with the Claws Mail client. Another great mail client is Mozilla Thunderbird, which also supports GnuPG (see "Encrypt your email").
As a Debian GNU/Linux system, the Raspberry Pi is the perfect starting point for GnuPG email encryption. The Free Software Foundation provides an excellent beginner's guide.
When right-clicking any part of the launch bar at the top of the screen, a menu containing the elements "<element> Settings" and "Add/Remove bar elements" appears. The settings for the app launch bar are especially relevant, as they allow you to add custom programs to it.
The Bookshelf application allows you to download and read PDFs of Raspberry Pi magazines and books completely for free. You can find it preinstalled in the start menu: Help → Bookshelf. A good first read is the latest Raspberry Pi beginners guide (5th edition as of the time of writing).
All start menu entries are simple .desktop files saved in specific locations (/usr/share/applications/, /usr/local/share/applications/ and ~/.local/applications/ specifically), which you can edit and remove, or add new ones if you wish. There are many graphical generators for these files online.
As with the desktop version of Raspberry Pi OS, there are many great pieces of software for Raspberry Pi OS Lite.
While you will need to install most of these using the command line, a command line extension for Pi-Apps exists, which you will need to install manually.
There is also a TUI (terminal user interface) client for APT called aptitude, which you can use on both versions of Raspberry Pi OS, but because Desktop users can use GNOME Software, I'm only listing it here.
While the command line extension to Pi-Apps is available on Pi-Apps itself, you cannot use the GUI and have to install it yourself:
cd
wget -qO- https://raw.githubusercontent.com/Botspot/pi-apps/master/install | bash
wget https://raw.githubusercontent.com/Itai-Nelken/PiApps-terminal_bash-edition/main/pi-apps-terminal-bash-edition.sh
chmod +x ~/pi-apps-terminal-bash-edition.sh
mkdir -p ~/bin
ln -s ~/pi-apps-terminal-bash-edition.sh ~/bin/pi-apps
sudo apt install aptitude
Lynx is one of the oldest, still maintained browsers, and runs fully in your terminal.
Install with APT:
sudo apt install lynx
Flatpak is a package manager that installs all software in separate sandboxes. While this sometimes leads to limitations, like with VSCode (see above), it makes your system way more secure.
To install Flatpak, run these commands:
sudo apt install flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
If you installed GNOME Software, you probably want to install the Flatpak plugin too:
sudo apt install gnome-software-plugin-flatpak
Most Linux and Unix users should be familiar with man: a database of the manuals for almost all installed programs, configuration files and more.
TLDR takes a different approach. Instead of documenting everything a program has to offer, tldr pages show only the most common commands, and are similar to most programs' --help output (but readable).
The official tldr client is installed with npm, but another client, tealdeer, is available on Pi-Apps.
The default shell preinstalled on Raspberry Pi OS is bash. Bash is a very old shell, directly based on the original Unix sh, and should be replaced with a more modern shell like zsh, fish or PowerShell. Installation instructions can be found on the respective shell's website, and PowerShell is available on Pi-Apps.
After installing the shell, use this command to make it your default shell:
chsh -s "$(which zsh)"
replacing zsh with your new shell. Note that you need to transfer any changes to ~/.bashrc, ~/.bash_profile and /etc/bash_completion.d/ to your new shell's profile.
While SSH can be a security problem, especially with weak passwords, it can be a useful tool, especially on systems running Pi OS Lite. This problem can also be eliminated by using key authentication (see man ssh-keygen on your client computer).
To enable the SSH server, activate option I2 (Interface → SSH) in raspi-config.
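An added example, not from the original guide, of enforcing the key authentication mentioned above without locking yourself out: the drop-in that disables password logins is written only if a public key is already installed. The drop-in directory /etc/ssh/sshd_config.d, the file name 50-key-only.conf and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: turn off SSH password logins only after a key is installed.
# On the client first (user and host are placeholders):
#   ssh-keygen -t ed25519
#   ssh-copy-id <user>@<pi-hostname>
# Assumed, not from the guide: sshd includes /etc/ssh/sshd_config.d/*.conf,
# and the drop-in file name 50-key-only.conf.

# Print the number of public-key lines in the authorized_keys file $1.
count_authorized_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    # Key type, a space, then the base64 blob (always starts with AAAA);
    # commented-out lines are skipped.
    grep -Ec '^[^#]*(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+) AAAA[A-Za-z0-9+/]+' "$1" || true
}

# enforce_key_only HOME_DIR [DROPIN_DIR]
# Writes the drop-in and returns 0, or refuses and returns 1 if HOME_DIR has
# no installed key (which would lock that user out of SSH).
enforce_key_only() {
    local home_dir="$1" dropin_dir="${2:-/etc/ssh/sshd_config.d}" keys
    keys=$(count_authorized_keys "$home_dir/.ssh/authorized_keys")
    if [ "$keys" -eq 0 ]; then
        echo "refusing: no public key in $home_dir/.ssh/authorized_keys" >&2
        return 1
    fi
    printf '%s\n' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' \
        > "$dropin_dir/50-key-only.conf"
}
```

Run `enforce_key_only /home/<user>` as root on the Pi, then validate the configuration with `sshd -t` and reload the ssh service. Keep an existing session open until a new key-based login works.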
The default configuration of Raspberry Pi OS is very insecure. This includes problems like
- public home directories
- the OOBE user not needing a password for sudo
- autologin
These can thankfully be changed easily:
To disable autologin, simply open the Raspberry Pi Configuration (raspi-config) tool and go to System Options → Boot / Autologin. Disable this option.
Requiring a password for sudo is also a simple change: you simply need to remove the file /etc/sudoers.d/010_pi-nopasswd as root.
Making home directories private is not as simple, but still easy.
To make the home directory of new users private, edit /etc/login.defs as root (for example, using sudo geany /etc/login.defs) and replace the line
UMASK 022
with
UMASK 077
To make existing users' home directories private, run
sudo chmod 700 /home/*
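An added example (not part of the original guide): a shell function that checks a running system, or a mounted SD card, for the sudo and home-directory defaults described above. The function name and the root-prefix argument are assumptions of this example; autologin is not checked because the guide changes it through raspi-config rather than a file.

```bash
#!/usr/bin/env bash
# Added example: audit the sudo and home-directory defaults named in this guide.
# Usage: audit_pi_defaults [ROOT]   (ROOT defaults to /, or a mounted SD card)
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_pi_defaults() {
    local root="${1:-/}" home mode umask_val findings=0
    root="${root%/}"    # "/" becomes "", so "$root/etc" is "/etc"

    # Passwordless sudo for the first-boot user.
    if [ -e "$root/etc/sudoers.d/010_pi-nopasswd" ]; then
        echo "sudo: $root/etc/sudoers.d/010_pi-nopasswd still exists"
        findings=$((findings + 1))
    fi

    # Uncommented UMASK line in login.defs, compared literally with the
    # value this guide sets.
    umask_val=$(awk '$1 == "UMASK" { v = $2 } END { print v }' \
        "$root/etc/login.defs" 2>/dev/null)
    if [ -n "$umask_val" ] && [ "$umask_val" != "077" ]; then
        echo "login.defs: UMASK is $umask_val, expected 077"
        findings=$((findings + 1))
    fi

    # Existing home directories that group or others can enter or read.
    for home in "$root"/home/*/; do
        [ -d "$home" ] || continue
        mode=$(stat -c '%a' "$home")    # GNU stat, as shipped on Raspberry Pi OS
        case "$mode" in
            *00) ;;    # 700 and stricter: private
            *)  echo "home: ${home%/} has mode $mode, expected 700"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}
```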
If you have a Pi 4 with its case, it may be worth checking out the official case fan (after you have drilled holes into the lid to help ventilation).
You can configure it with raspi-config (option P4). This requires a reboot.
This isn't necessary on Pi 5, as a fan plugged into the FAN connector works out-of-the-box.
According to the European Directive 2006/123/EC and the German DL-InfoV, sites do not need a legal notice if they provide non-economic services of general interest.
rpi-best-practices by libewa is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Some links on this page link to external pages. These pages contained useful information at the time of writing, but may or may not have changed drastically since I last checked. I can and do not take any responsibility for the content of those pages.
I am also not responsible for any negative effects the actions described in this guide may have on your system.