Secure Wi-Fi Password Storage on an Embedded Device (NetworkManager 1.46)
Juan A. Rubio
jarubio2001 at gmail.com
Tue Mar 18 10:45:34 UTC 2025
Hi Íñigo,
Thank you for your quick response. While I do plan to leverage the
hardware-based solutions in the future, I’m currently looking for a simpler
interim approach, even though it may be less secure.
One idea is to create a Network Manager plugin that could salt the password
before it’s written to disk. Could you or someone point me to any relevant
code sections responsible for writing passwords to the connection files? If
it’s feasible, I’d also consider patching that particular logic directly to
meet my immediate needs.
Thanks in advance for your guidance, and please let me know if you have any
other suggestions or insights. I truly appreciate your help.
Best regards,
Juan
On Tue, Mar 18, 2025 at 10:58 AM Íñigo Huguet <ihuguet at redhat.com> wrote:
> If the card can be removed and mounted in a different system, there is
> not much you can do. I can only think of using an encrypted
> filesystem, but then you have the problem of how to unlock it
> automatically, because I guess that forcing you to manually enter a
> password on each boot is not an option.
>
> To store secrets on an embedded device that you cannot control the
> physical access, the only effective way that I am aware of is using
> one of those cryptographic chips with anti-tampering. That requires
> changes in the hardware, of course, and implementing in software a way
> to use them, for example to unlock the encrypted filesystem
> automatically (never tried, not sure if possible).
>
> On Tue, Mar 18, 2025 at 10:22 AM Juan A. Rubio <jarubio2001 at gmail.com>
> wrote:
> >
> > Hi everyone,
> >
> > I’m currently working on an embedded device built with Buildroot and
> using NetworkManager 1.46. Because my device relies on an SD card for
> offline storage, I’m concerned about someone physically removing the card
> and having easy access to plaintext Wi-Fi passwords in the
> system-connections files. Although I’ve already tightened file permissions,
> this doesn’t fully mitigate the risk of direct file access once the card is
> removed.
> >
> > Could anyone point me to threads regarding more secure approaches to
> storing Wi-Fi credentials or suggest recommended solutions—whether built-in
> features or external plugins—for encrypting, salting, or otherwise
> obscuring Wi-Fi passwords in NetworkManager on embedded devices? Any
> details or best practices would be greatly appreciated.
> >
> > Thank you in advance!
> >
> > Best regards,
> > Juan
> >
> >
>
>
> --
> Íñigo Huguet
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/networkmanager/attachments/20250318/c159073d/attachment.htm>
More information about the Networkmanager
mailing list