How to encrypt a file?

All ESP8266 boards running MicroPython.
Official boards are the Adafruit Huzzah and Feather boards.
Target audience: MicroPython users with an ESP8266 board.
andrequeiroz
Posts: 8
Joined: Tue Dec 04, 2018 11:07 pm
Location: Foz do Iguacu - Brasil

How to encrypt a file?

Post by andrequeiroz » Wed Jul 24, 2019 5:36 am

I have a function that writes my ssid and password to a file 'wifi.dat', I would like to encrypt this information. How can I do this?
-------------------------------------------------
NETWORK_PROFILES = 'wifi.dat'

def write_profiles(profiles):
    lines = []
    for ssid, password in profiles.items():
        # This is the line whose contents should be encrypted
        lines.append("%s;%s\n" % (ssid, password))

    with open(NETWORK_PROFILES, "w") as f:
        f.write(''.join(lines))
--------------------------------------------------
Note: I didn't find examples of how to use the ucryptolib library

thank you

jimmo
Posts: 783
Joined: Tue Aug 08, 2017 1:57 am
Location: Sydney, Australia

Re: How to encrypt a file?

Post by jimmo » Thu Jul 25, 2019 12:49 pm

Hi,

I'll include some quick notes about how to use ucryptolib below, but first I should ask if you're trying to secure the secret data, or just trying to make it harder for someone to find it. The problem here is that you need to encrypt/decrypt the data with a key - and that key is going to be in your code, so someone trying to find the secret data has everything they need to decrypt it. You can make this harder by compiling your Python code to bytecode (e.g. to a .mpy file), or even freezing it into the firmware (a frozen module) but this is still reasonably straightforward for someone to get your secret key.

Anyway, ucryptolib gives you an AES cipher. You initialise it with a key (either 16 or 32 bytes, as a bytes() or bytearray()) and a mode (see the documentation, note that CTR mode is unsupported on all ports), and then you can pass blocks of data to encrypt. Your blocks need to be multiples of 16 bytes. The same process in reverse with decrypt.

>>> import ucryptolib
>>> enc = ucryptolib.aes(b'1234567890123456', 1)
>>> data = 'input plaintext'
>>> data_bytes = data.encode()
>>> enc.encrypt(data_bytes + b'\x00' * ((16 - (len(data_bytes) % 16)) % 16))
b'\xfe!F\x87?\xdb\x19\x18\xcdM\x83\x9b\xaa\x02\xa9\x04'
>>> data = 'input pl' # shorter message, should get padded
>>> data_bytes = data.encode()
>>> enc.encrypt(data_bytes + b'\x00' * ((16 - (len(data_bytes) % 16)) % 16))
b"[\x9df\xa3\xa0\xa5'\xa5v\xc1\xfeNI\xa9\x96\x03"
Then to decrypt those two messages:

>>> dec = ucryptolib.aes(b'1234567890123456', 1)
>>> dec.decrypt(b'\xfe!F\x87?\xdb\x19\x18\xcdM\x83\x9b\xaa\x02\xa9\x04')
b'input plaintext\x00'
>>> dec.decrypt(b"[\x9df\xa3\xa0\xa5'\xa5v\xc1\xfeNI\xa9\x96\x03")
b'input pl\x00\x00\x00\x00\x00\x00\x00\x00'
>>> 
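
An added example (not code from the thread) that wraps the `ucryptolib.aes` calls shown above for the `wifi.dat` profiles, using CBC with a fresh IV per write and PKCS#7 padding in place of ECB with zero padding, so identical blocks do not encrypt identically and the padding can be removed unambiguously. The names `pad`, `unpad`, `seal_profiles`, `open_profiles` and the `cipher` parameter are chosen for this example; mode number 2 for CBC and the availability of `os.urandom` on the board are assumptions.

```python
import os                           # assumed to provide urandom() on the board

try:
    from ucryptolib import aes      # MicroPython; absent on desktop Python
except ImportError:
    aes = None

MODE_CBC = 2                        # assumed mode number (1, used above, is ECB)
BLOCK = 16


def pad(data):
    """PKCS#7: append n bytes of value n, so padding is always removable."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    """Strip PKCS#7 padding; reject malformed input (wrong key, damaged file)."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def seal_profiles(profiles, key, cipher=None):
    """Serialize {ssid: password} as 'ssid;password' lines; return IV + ciphertext."""
    cipher = cipher or aes
    plain = "".join("%s;%s\n" % item for item in profiles.items()).encode()
    iv = os.urandom(BLOCK)          # fresh IV for every write
    return iv + cipher(key, MODE_CBC, iv).encrypt(pad(plain))


def open_profiles(blob, key, cipher=None):
    """Inverse of seal_profiles: split off the IV, decrypt, unpad, parse."""
    cipher = cipher or aes
    iv, body = blob[:BLOCK], blob[BLOCK:]
    plain = unpad(cipher(key, MODE_CBC, iv).decrypt(body)).decode()
    profiles = {}
    for line in plain.splitlines():
        ssid, password = line.split(";", 1)   # password may contain ';'
        profiles[ssid] = password
    return profiles
```

The result of `seal_profiles` is bytes, so the file has to be opened with "wb" and "rb". CBC adds no integrity check, and the key still sits in the code, so the limitation described at the top of this reply is unchanged.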


andrequeiroz
Posts: 8
Joined: Tue Dec 04, 2018 11:07 pm
Location: Foz do Iguacu - Brasil

Re: How to encrypt a file?

Post by andrequeiroz » Fri Jul 26, 2019 11:58 pm

Hello, I'm just trying to make access to data difficult, but you put it very well, this will not solve this problem. Thanks for the explanation and the code. But I will ask another question, how to get around this problem of exposing my password?

jomas
Posts: 32
Joined: Mon Dec 25, 2017 1:48 pm
Location: Netherlands

Re: How to encrypt a file?

Post by jomas » Sat Jul 27, 2019 8:54 am

There is no need to store the password in a file. Once you entered the password it will be stored 'somewhere' in the esp. So after reboot it will use that stored password.

pythoncoder
Posts: 3651
Joined: Fri Jul 18, 2014 8:01 am
Location: UK

Re: How to encrypt a file?

Post by pythoncoder » Mon Jul 29, 2019 12:46 pm

I'm not sure how, as variables don't survive a reboot. To make it survive a reboot or a power cycle it must be stored in some form of nonvolatile storage. This usually means a file. Unless the ESP32 has something else? Where do you have in mind?
Peter Hinch

jimmo
Posts: 783
Joined: Tue Aug 08, 2017 1:57 am
Location: Sydney, Australia

Re: How to encrypt a file?

Post by jimmo » Mon Jul 29, 2019 1:28 pm

I think they're talking about ESP8266? In which case it's correct that the details given to wlan.connect(...) will be persisted. (I don't know the details or whether it's encrypted or not though). Like you say, this isn't the case on ESP32 (or any other MicroPython port).

But perhaps it should be??

jimmo
Posts: 783
Joined: Tue Aug 08, 2017 1:57 am
Location: Sydney, Australia

Re: How to encrypt a file?

Post by jimmo » Mon Jul 29, 2019 1:32 pm

andrequeiroz wrote:
Fri Jul 26, 2019 11:58 pm
Hello, I'm just trying to make access to data difficult, but you put it very well, this will not solve this problem. Thanks for the explanation and the code. But I will ask another question, how to get around this problem of exposing my password?

Unfortunately right now there isn't really a good answer. This is a hard problem, and requires hardware support. I believe some progress is being made on secure boot functionality for ESP32.

In general MicroPython makes this extra hard, because as soon as you give the user the ability to access the REPL, then they can pretty much do anything. See this thread for more info -- https://github.com/micropython/micropython/issues/4856

pythoncoder
Posts: 3651
Joined: Fri Jul 18, 2014 8:01 am
Location: UK

Re: How to encrypt a file?

Post by pythoncoder » Tue Jul 30, 2019 10:07 am

jimmo wrote:
Mon Jul 29, 2019 1:28 pm
I think they're talking about ESP8266? In which case it's correct that the details given to wlan.connect(...) will be persisted. (I don't know the details or whether it's encrypted or not though).

Good point. I have no knowledge of ESP8266 internals, but from what I've read on the web the logon details are not encrypted and this is seen as a serious weakness in the ESP8266 design. I've assumed that this is the reason why the ESP32 does not persist this information.

jimmo wrote:
Mon Jul 29, 2019 1:28 pm
But perhaps it should be??

If there's a way of doing it securely.
Peter Hinch

Christian Walther
Posts: 61
Joined: Fri Aug 19, 2016 11:55 am

Re: How to encrypt a file?

Post by Christian Walther » Tue Jul 30, 2019 10:58 am

As far as I have read another reason is that it wears out the flash because it always writes to the same sector.

pythoncoder
Posts: 3651
Joined: Fri Jul 18, 2014 8:01 am
Location: UK

Re: How to encrypt a file?

Post by pythoncoder » Tue Jul 30, 2019 11:17 am

Yes. However if you always connect to the same network re-writing needn't occur.
Peter Hinch
