Secure Wi-Fi Password Storage on an Embedded Device (NetworkManager 1.46)

Juan A. Rubio jarubio2001 at gmail.com
Tue Mar 18 15:50:06 UTC 2025 

On Tue, Mar 18, 2025 at 4:23 PM Beniamino Galvani <bgalvani at redhat.com> wrote:
>
> On Tue, Mar 18, 2025 at 03:46:58PM +0100, Íñigo Huguet wrote:
> > On Tue, Mar 18, 2025 at 1:53 PM Juan A. Rubio <jarubio2001 at gmail.com> wrote:
> > > > If you are ok with modifying NM code - it is in
> > > > src/libnm-core-impl/nm-keyfile.c. Otherwise you can always write a
> > > > program that supplies secrets via SecretAgent API and this program can
> > > > do whatever you want.
> > >
> > > Hi Andrei,
> > >
> > > this is the kind of information that I was looking for.
> >
> > I'd opt for the SecretAgent API, as it will be stable. You can drop a
> > custom program with Buildroot. If you opted for modifying NM code via
> > patches you will need to deal with potential conflicts on each NM
> > version update.
>
> I second this.
>
> You can implement the SecretAgent D-Bus API from an external program
> that will be queried by NetworkManager to retrieve the
> secrets. Otherwise, it is easier to use libnm (possibly with GObject
> introspection) and extend the "NMSecretAgentOld", so that you only
> have to implement the missing methods (get_secrets(), save_secrets(),
> etc). If you plan to do this in C, you can have a look at
> "nm-secret-agent-simple.c" in the NM tree (there are some indirections
> that make it not so simple, though). For Python, you can have a look
> at this:
>
> https://github.com/NetworkManager/NetworkManager/pull/375
>
> Note that the python example there requires the other commit in the PR
> to fix the GObject introspection bindings in NM, otherwise you'll get
> errors.
>
> > IMHO you won't get nothing more than a small obfuscation with either
> > method, so it's probably not worth it, but you know better what your
> > project needs, of course.
>
> Any method for which the password or the password-encrypting key is
> stored on the filesystem is not secure if the threat is physical
> access. If the attacker has physical access to the device, a hardware
> token doesn't seem a feasible solution either.
>
> Beniamino

Beniamino/Íñigo

Thanks for the suggestion I agree that the SecretAgent D-Bus API is
the better long-term option.

In the short term, I'll add some obfuscation to improve security. In
the near future we'll follow up with a more secure solution using the
available security hardware.

BR,
Juan

More information about the Networkmanager mailing list