Secure Wi-Fi Password Storage on an Embedded Device (NetworkManager 1.46)
Andrei Borzenkov
arvidjaar at gmail.com
Tue Mar 18 10:50:02 UTC 2025
On Tue, Mar 18, 2025 at 12:33 PM Juan A. Rubio <jarubio2001 at gmail.com> wrote:
>
> Hi everyone,
>
> I’m currently working on an embedded device built with Buildroot and using NetworkManager 1.46. Because my device relies on an SD card for offline storage, I’m concerned about someone physically removing the card and having easy access to plaintext Wi-Fi passwords in the system-connections files. Although I’ve already tightened file permissions, this doesn’t fully mitigate the risk of direct file access once the card is removed.
>
> Could anyone point me to threads regarding more secure approaches to storing Wi-Fi credentials or suggest recommended solutions—whether built-in features or external plugins—for encrypting, salting, or otherwise obscuring Wi-Fi passwords in NetworkManager on embedded devices? Any details or best practices would be greatly appreciated.
>
I am not sure what you expect. If you want WiFi to come up unattended,
you need to store the passphrase. It does not matter how you encrypt
it - as long as it has to be decrypted automatically, it will be
available offline because everything needed to decrypt it must be
present too.
If your device has TPM or similar, one could use it to encrypt the
passphrase. This will protect against offline attacks, but probably
not against an attacker physically present.
> Thank you in advance!
>
> Best regards,
> Juan
>
>
More information about the Networkmanager
mailing list