
How to encrypt a file?

Posted: Wed Jul 24, 2019 5:36 am
by andrequeiroz
I have a function that writes my SSID and password to a file 'wifi.dat'. I would like to encrypt this information. How can I do this?
-------------------------------------------------
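NETWORK_PROFILES = 'wifi.dat'  # file name given in the post


def write_profiles(profiles):
    lines = []
    for ssid, password in profiles.items():
        # Plaintext "ssid;password" line; this is the data to be encrypted
        lines.append("%s;%s\n" % (ssid, password))

    with open(NETWORK_PROFILES, "w") as f:
        f.write(''.join(lines))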
--------------------------------------------------
Note: I didn't find examples of how to use the ucryptolib library.

Thank you

Re: How to encrypt a file?

Posted: Thu Jul 25, 2019 12:49 pm
by jimmo
Hi,

I'll include some quick notes about how to use ucryptolib below, but first I should ask if you're trying to secure the secret data, or just trying to make it harder for someone to find it. The problem here is that you need to encrypt/decrypt the data with a key - and that key is going to be in your code, so someone trying to find the secret data has everything they need to decrypt it. You can make this harder by compiling your Python code to bytecode (e.g. to a .mpy file), or even freezing it into the firmware (a frozen module) but this is still reasonably straightforward for someone to get your secret key.

Anyway, ucryptolib gives you an AES cipher. You initialise it with a key (either 16 or 32 bytes, as a bytes() or bytearray()) and a mode (see the documentation, note that CTR mode is unsupported on all ports), and then you can pass blocks of data to encrypt. Your blocks need to be multiples of 16 bytes. The same process in reverse with decrypt.

Code:

>>> import ucryptolib
>>> enc = ucryptolib.aes(b'1234567890123456', 1)
>>> data = 'input plaintext'
>>> data_bytes = data.encode()
>>> enc.encrypt(data_bytes + b'\x00' * ((16 - (len(data_bytes) % 16)) % 16))
b'\xfe!F\x87?\xdb\x19\x18\xcdM\x83\x9b\xaa\x02\xa9\x04'
>>> data = 'input pl' # shorter message, should get padded
>>> data_bytes = data.encode()
>>> enc.encrypt(data_bytes + b'\x00' * ((16 - (len(data_bytes) % 16)) % 16))
b"[\x9df\xa3\xa0\xa5'\xa5v\xc1\xfeNI\xa9\x96\x03"
Then to decrypt those two messages:

Code:

>>> dec = ucryptolib.aes(b'1234567890123456', 1)
>>> dec.decrypt(b'\xfe!F\x87?\xdb\x19\x18\xcdM\x83\x9b\xaa\x02\xa9\x04')
b'input plaintext\x00'
>>> dec.decrypt(b"[\x9df\xa3\xa0\xa5'\xa5v\xc1\xfeNI\xa9\x96\x03")
b'input pl\x00\x00\x00\x00\x00\x00\x00\x00'
>>> 
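
Added example (not part of jimmo's post and not MicroPython project code): the profile file from the question encrypted with ucryptolib in CBC mode, using PKCS#7 padding instead of the zero padding shown above, so the original length can be recovered after decryption. The names seal_profiles, open_profiles and the new_cipher parameter are assumptions made for illustration.

```python
import os

try:
    from ucryptolib import aes   # MicroPython
except ImportError:
    aes = None                   # elsewhere: pass a compatible factory as new_cipher

# The key still has to be stored on the device, so as the post says this only
# makes the file harder to read. CBC also provides no integrity check.
BLOCK = 16
MODE_CBC = 2   # ucryptolib mode numbers: 1 = ECB (used in the post), 2 = CBC


def pad(data):
    """PKCS#7: always append n bytes of value n (1..16)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    """Remove PKCS#7 padding; reject anything that is not validly padded."""
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding (wrong key or corrupted file)")
    return data[:-n]


def seal_profiles(profiles, key, new_cipher=aes):
    """Serialise {ssid: password} as 'ssid;password' lines; return IV + ciphertext."""
    text = "".join("%s;%s\n" % (s, p) for s, p in profiles.items())
    iv = os.urandom(BLOCK)       # fresh IV on every write, stored in the clear
    return iv + new_cipher(key, MODE_CBC, iv).encrypt(pad(text.encode()))


def open_profiles(blob, key, new_cipher=aes):
    """Inverse of seal_profiles; raises ValueError on a malformed blob."""
    if len(blob) < 2 * BLOCK or len(blob) % BLOCK:
        raise ValueError("blob is not IV + whole blocks")
    iv, body = blob[:BLOCK], blob[BLOCK:]
    text = unpad(new_cipher(key, MODE_CBC, iv).decrypt(body)).decode()
    # Split on the first ';' only, so passwords may contain ';' (SSIDs may not)
    return dict(l.split(";", 1) for l in text.split("\n") if l)
```

On a board, write the returned bytes with open(NETWORK_PROFILES, "wb") and pass a 16- or 32-byte key; the default new_cipher is ucryptolib.aes.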


Re: How to encrypt a file?

Posted: Fri Jul 26, 2019 11:58 pm
by andrequeiroz
Hello, I'm just trying to make access to data difficult, but you put it very well, this will not solve this problem. Thanks for the explanation and the code. But I will ask another question, how to get around this problem of exposing my password?

Re: How to encrypt a file?

Posted: Sat Jul 27, 2019 8:54 am
by jomas
There is no need to store the password in a file. Once you entered the password it will be stored 'somewhere' in the esp. So after reboot it will use that stored password.

Re: How to encrypt a file?

Posted: Mon Jul 29, 2019 12:46 pm
by pythoncoder
I'm not sure how, as variables don't survive a reboot. To make it survive a reboot or a power cycle it must be stored in some form of nonvolatile storage. This usually means a file. Unless the ESP32 has something else? Where do you have in mind?

Re: How to encrypt a file?

Posted: Mon Jul 29, 2019 1:28 pm
by jimmo
I think they're talking about ESP8266? In which case it's correct that the details given to wlan.connect(...) will be persisted. (I don't know the details or whether it's encrypted or not though). Like you say, this isn't the case on ESP32 (or any other MicroPython port).

But perhaps it should be??

Re: How to encrypt a file?

Posted: Mon Jul 29, 2019 1:32 pm
by jimmo
andrequeiroz wrote:
Fri Jul 26, 2019 11:58 pm
Hello, I'm just trying to make access to data difficult, but you put it very well, this will not solve this problem. Thanks for the explanation and the code. But I will ask another question, how to get around this problem of exposing my password?
Unfortunately right now there isn't really a good answer. This is a hard problem, and requires hardware support. I believe some progress is being made on secure boot functionality for ESP32.

In general MicroPython makes this extra hard, because as soon as you give the user the ability to access the REPL, then they can pretty much do anything. See this thread for more info -- https://github.com/micropython/micropython/issues/4856

Re: How to encrypt a file?

Posted: Tue Jul 30, 2019 10:07 am
by pythoncoder
jimmo wrote:
Mon Jul 29, 2019 1:28 pm
I think they're talking about ESP8266? In which case it's correct that the details given to wlan.connect(...) will be persisted. (I don't know the details or whether it's encrypted or not though).
Good point. I have no knowledge of ESP8266 internals, but from what I've read on the web the logon details are not encrypted and this is seen as a serious weakness in the ESP8266 design. I've assumed that this is the reason why the ESP32 does not persist this information.
jimmo wrote:
Mon Jul 29, 2019 1:28 pm
But perhaps it should be??
If there's a way of doing it securely.

Re: How to encrypt a file?

Posted: Tue Jul 30, 2019 10:58 am
by Christian Walther
As far as I have read another reason is that it wears out the flash because it always writes to the same sector.

Re: How to encrypt a file?

Posted: Tue Jul 30, 2019 11:17 am
by pythoncoder
Yes. However, if you always connect to the same network, re-writing needn't occur.