We use some essential cookies to make our website work.

We use optional cookies, as detailed in our cookie policy, to remember your settings and understand how you use our website.

How to use a Raspberry Pi in kiosk mode

All tutorials

Kiosks are designed to offer users specific information or experiences while preventing access to any other activities on the device. They are often found in airports, shops, hospitals, cafes, and museums — any location where people need easy access to information or services like timetables, waiting times, product information, directions, self check-in machines, and so on. Kiosk mode on a Raspberry Pi allows you to boot straight into a full‑screen web page or an application without using the desktop environment. It’s the foundation for many different projects that display information for a dedicated interaction with a user. To demonstrate kiosk mode, we are going to set up a Raspberry Pi to boot automatically to a full‑screen raspberrypi.com web page, then alternate this with the time.is/London web page.

Supplies

For the initial SD card setup, you will need:

  • Another computer connected to your network; we’ll refer to this as your usual computer to distinguish it from the Raspberry Pi computer you are setting up as the web kiosk

  • An adapter to connect your microSD card to your usual computer (alternatively, newer models of Raspberry Pi allow you to install an operating system directly from the internet)

Choose the right Raspberry Pi

Kiosk mode relies on you running a graphical web browser, and this in turn requires a Raspberry Pi 3 or newer with at least 1 GB of RAM (as both Chromium and Firefox will refuse to run on anything older). This tutorial also assumes that you’re using a Raspberry Pi with built-in Wi-Fi®, but it should be easy to adapt these instructions for wired Ethernet.

Configure your Raspberry Pi

To begin, follow the 'Getting started' documentation to set up your Raspberry Pi. For your operating system, choose Raspberry Pi OS (64-bit).

In this tutorial, we’re going to run the Raspberry Pi without a mouse or keyboard, so during Raspberry Pi Imager’s OS customisation stage, edit the settings as follows:

  • Enter a hostname of your choice (we suggest pi-kiosk for this tutorial)

  • Enter a username and password; you’ll need these later to authenticate

  • Check the box next to Configure wireless LAN so that your Raspberry Pi can automatically connect to Wi-Fi

    • Enter your network SSID (name) and password; you can find these in your network settings or on a sticker on your router

  • On the Services tab, check the box next to Enable SSH so that we can connect to the Raspberry Pi without a mouse or keyboard

Remotely connect to your Raspberry Pi

SSH allows you to wirelessly connect to your Raspberry Pi, eliminating the need for a keyboard or mouse. It’s perfect if your Raspberry Pi is located in a hard-to-reach location, like the back of your television.

note

To SSH into the Raspberry Pi, you’ll use the hostname you set in Imager. If you have issues connecting using this method, you may want to use the Raspberry Pi’s IP address instead.

For more information about finding your IP address and remotely accessing your Raspberry Pi, see the remote access documentation.

Connect via SSH

Open a terminal session on your usual computer. To access your Raspberry Pi via SSH, run the following command, replacing <username> with the username you chose in Imager:

$ ssh <username>@pi-kiosk.local
The authenticity of host 'pi-kiosk.local (fd81:b8a1:261d:1:acd4:610c:b069:ac16)' can't be established.
ED25519 key fingerprint is SHA256:s6aWAEe8xrbPmJzhctei7/gEQitO9mj2ilXigelBm04.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'pi-kiosk.local' (ED25519) to the list of known hosts.

<username>@pi-kiosk.local's password:
Linux pi-kiosk 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 24 09:41:00 2023
<username>@pi-kiosk:~ $

When asked for your password, use the password you created in Raspberry Pi Imager.

As the kiosk will be left unattended and/or displayed in a public place, it’s always a good idea to make sure that your software is up to date.

Run this command to refresh the list of available updates:

$ sudo apt update

Then run this command to install those updates:

$ sudo apt -y full-upgrade

Set up kiosk mode

This tutorial requires one additional piece of software, wtype, which simulates keyboard activity. To install it, run the following command:

$ sudo apt -y install wtype

Next, we’ll tell your Raspberry Pi what to present in kiosk mode and how to present it. In this tutorial, we’ll display the Raspberry Pi home page and a page showing the time in London, switching between the two every few seconds.

To achieve this, we will edit .config/labwc/autostart, which is a configuration file used to automatically run programs when the Raspberry Pi OS desktop has loaded.

Edit the .config/labwc/autostart file in nano, a text editor, by running the following command:

$ nano .config/labwc/autostart

Add the following two lines:

chromium https://raspberrypi.com https://time.is/London --kiosk --noerrdialogs --disable-infobars --no-first-run --enable-features=OverlayScrollbar --start-maximized &
~/switchtab.sh

The first line opens the Chromium web browser in kiosk mode, with two tabs open: raspberrypi.com and time.is. The extra options alter kiosk mode in the following ways:

--noerrdialogs

Suppresses error messages

--disable-infobars

Disables notification infobars

--no-first-run

Skips the first-run setup experience that typically appears when launching for the first time

--enable-features=OverlayScrollbar

Scrollbars appear only when necessary and overlay content instead of using a dedicated scroll gutter

--start-maximized

Starts the browser in maximised full-screen mode

The second line executes a bash script (which we’ll create soon!) that automatically switches between the two tabs every ten seconds.

The ampersand (&) at the end of the first line is very important, as it ensures that both lines in the autostart file are run in parallel. If it were omitted, chromium would run, but the switchtab.sh script wouldn’t. (Technically, if the ampersand were missing, the switchtab.sh script would run after chromium has finished running — but since we’re running Chromium in kiosk mode, there’s no way to quit it!)

Press Ctrl+X, then Y, and finally Enter to save the edited file with nano. Next, we’ll write the bash script that switches between the two tabs. Usually, the keyboard shortcut Ctrl+Tab cycles through open browser tabs. The script will use the program we installed, wtype, to simulate and automate these keystrokes. To create the script with nano, type:

$ nano ~/switchtab.sh

Add the following to the file:

#!/bin/bash

# Find Chromium browser process ID
chromium_pid=$(pgrep chromium | head -1)

# Check if Chromium is running
while [[ -z $chromium_pid ]]; do
  echo "Chromium browser is not running yet."
  sleep 5
  chromium_pid=$(pgrep chromium | head -1)
done

echo "Chromium browser process ID: $chromium_pid"

# Loop to send keyboard events
while true; do
  # Send Ctrl+Tab using `wtype` command
  wtype -M ctrl -P Tab -p Tab
  sleep 10
done

This script first checks that the Chromium browser is running. If not, it waits five seconds before trying again (this gives Chromium enough time to launch before moving on). To toggle between the two tabs, the script uses wtype to simulate Ctrl+Tab every ten seconds.

Press Ctrl+X, then Y, and finally Enter to save the new file with nano. Mark the file as executable so that it can be run as a script:

$ chmod +x ~/switchtab.sh

Finally, reboot your Raspberry Pi:

$ sudo reboot

Once your Raspberry Pi has rebooted, your display should be showing Chromium in kiosk mode, toggling between raspberrypi.com and time.is every ten seconds.

Depending on which websites your Raspberry Pi kiosk is displaying, you may want to temporarily plug a USB mouse into your Raspberry Pi so that you can dismiss any cookie pop-ups; the mouse can be unplugged again afterwards.

Add security and fail-safe functionality

Kiosk-mode devices run unattended for long periods of time and frequently restart. They are usually left unattended in public places, making them vulnerable to unwanted attention or interference. Kiosks can also be a potential target for hackers. None of this is conducive to a reliable, long-term kiosk-mode installation. Although it’s not realistic to make them 100% secure, there are a number of things we can do to protect devices running in kiosk mode.

Hide USB ports

As this project currently stands, simply plugging a keyboard and mouse into the USB ports on your Raspberry Pi would give an attacker full control. To defend against this, the Raspberry Pi should be placed in a physically secure case to make the ports inaccessible.

Set up SSH using keys rather than a password

Until now, you have connected to your Raspberry Pi with SSH using a password. We can provide an extra layer of security by using pre-generated private-public ED25519 keys and removing the ability to log in with a username and password altogether. With key-based authentication, you’ll keep a private key on your usual computer and a public key on your Raspberry Pi. This variant of authentication is much harder to crack than a username and password. To create ED25519 keys (which are more secure than the older RSA keys), open a terminal on your usual computer and run the following:

$ ssh-keygen -t ed25519

Accepting the defaults when prompted will create a private key and a public key. The location of these saved files is also given:

$ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/<username>/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/<username>/.ssh/id_ed25519
Your public key has been saved in /Users/<username>/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:u3Ry3y8g3tEo4TChzzjmebihkWqonbhVj7qiq3BsjMk <username>@<hostname>.local
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|        .        |
|       . .       |
|      . o .      |
|    .  +S+ . o   |
|.= . ++ o.+ + .  |
|+E* +oo++.o+ o   |
|+*.+ o+o.=.....  |
|@=*.. .o.   . .o.|
+----[SHA256]-----+
$

The id_ed25519 file is your private key; do not share it. The id_ed25519.pub file is your public key. To use key-based authentication, transfer the public key to your Raspberry Pi.

Run the following command on your usual computer to print your public key to your terminal:

$ cat ~/.ssh/id_ed25519.pub

Copy the output of the command into your clipboard. Now, let’s move the public key onto your Raspberry Pi.

Connect to your Raspberry Pi over SSH:

$ ssh <username>@pi-kiosk.local

Then, create a folder called .ssh in your home directory:

$ mkdir ~/.ssh

Next, open a text editor for a new file named authorized_keys in the .ssh folder:

$ nano ~/.ssh/authorized_keys

Paste the contents of id_ed25519.pub from your usual computer into this file. Press Ctrl+X, then Y, and finally Enter to save the file with nano. Finally, disconnect from your Raspberry Pi:

$ exit

Now try reconnecting, from your usual computer, to your Raspberry Pi via SSH again:

$ ssh <username>@pi-kiosk.local

If everything works as expected, you will no longer be prompted to enter a password. We can now disable password access completely by editing the /etc/ssh/sshd_config file:

$ sudo nano /etc/ssh/sshd_config

Find the line that reads #PasswordAuthentication yes. Uncomment it by removing the #, then change yes to no, so that it looks like this:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

Press Ctrl+X, then Y, and finally Enter to save the file with nano. Reboot your Raspberry Pi:

$ sudo reboot

Now your Raspberry Pi is hardened against attacks over SSH.

SD card read-only mode

Unplugging your Raspberry Pi to shut it down can eventually result in system file corruption. Any operating system stored on an SD card may eventually fail if used for long periods of time. To reduce these risks, you can set your SD card to read-only. Open the raspi-config tool with the following command:

$ sudo raspi-config

Navigate through the menu system as follows:

  1. Select Performance Options

  2. Select Overlay File System

  3. Confirm that you would like to enable the overlay file system

  4. Confirm that you would like to write-protect the boot partition

  5. Press Tab to navigate to the Finish button

  6. Confirm reboot

This whole process may take a few minutes to complete.

note

If you need to enable read-write access again to carry out an update or adjust your scripts, SSH back into your Raspberry Pi and use the above raspi-config command to disable the overlay file system, then reboot when prompted.

You can now carry out any work required. When you’ve tested your modifications, you’ll need to run raspi-config one more time to revert your SD card to a read-only state.

Take kiosk mode further

This guide covers the basics of setting up a simple web page viewer in kiosk mode. From here, you can explore more complex kiosk projects, such as a CCTV viewing station, a home automation system, or perhaps the ultimate kiosk-mode project: a magic mirror. Our tutorial is based on Magic Mirror2, the winner of The MagPi (now Raspberry Pi Official Magazine)'s 50th-issue celebration feature, as voted by the Raspberry Pi community.