Secure Wi-Fi Password Storage on an Embedded Device (NetworkManager 1.46)
Íñigo Huguet
ihuguet at redhat.com
Tue Mar 18 09:58:33 UTC 2025
If the card can be removed and mounted in a different system, there is
not much you can do. I can only think of using an encrypted
filesystem, but then you have the problem of how to unlock it
automatically, because I guess that forcing you to manually enter a
password on each boot is not an option.
To store secrets on an embedded device that you cannot control the
physical access, the only effective way that I am aware of is using
one of those cryptographic chips with anti-tampering. That requires
changes in the hardware, of course, and implementing in software a way
to use them, for example to unlock the encrypted filesystem
automatically (never tried, not sure if possible).
On Tue, Mar 18, 2025 at 10:22 AM Juan A. Rubio <jarubio2001 at gmail.com> wrote:
>
> Hi everyone,
>
> I’m currently working on an embedded device built with Buildroot and using NetworkManager 1.46. Because my device relies on an SD card for offline storage, I’m concerned about someone physically removing the card and having easy access to plaintext Wi-Fi passwords in the system-connections files. Although I’ve already tightened file permissions, this doesn’t fully mitigate the risk of direct file access once the card is removed.
>
> Could anyone point me to threads regarding more secure approaches to storing Wi-Fi credentials or suggest recommended solutions—whether built-in features or external plugins—for encrypting, salting, or otherwise obscuring Wi-Fi passwords in NetworkManager on embedded devices? Any details or best practices would be greatly appreciated.
>
> Thank you in advance!
>
> Best regards,
> Juan
>
>
--
Íñigo Huguet
More information about the Networkmanager
mailing list