I'm working with AWS IoT and it have 3 TLS certificates to store in the ESP32 board, with the following size (in PEM format):
Certificate: 1224 bytes
Private key: 1675 bytes
CA: 1758 bytes
Actually they are hardcoded in the script.
For OTA updates it will be a problem because every board have different certificates and generate a firmware for each board don't look a good idea.
So, where is the best place to store these certificates? in NVS? Sd card? other? it can corrupt with a power failure?
Where is the best place to store certificates?
Re: Where is the best place to store certificates?
Hi copercini,
The AWS IoT examples that are part of IDF include a configuration option for storing them on the SD card, so that is one option.
If you're concerned about physical access readout of the private key data then enabling flash encryption and storing them in an encrypted data partition on the ESP32's flash is an option. There isn't an example for this, but the support for it is present. The only thing is that as it's the internal flash you would still need a provisioning step for loading keys into each device.
We're currently in the process of merging support for formatting & mounting a FAT filesystem that is located in a partition on the internal flash, which will make it simpler to store data like keys and certs on the ESP32's internal flash. (Both approaches use the ESP-IDF filesystem, so the basics are the same - just that instead of mounting the SD card you will mount the internal FAT filesystem.)
Angus
The AWS IoT examples that are part of IDF include a configuration option for storing them on the SD card, so that is one option.
If you're concerned about physical access readout of the private key data then enabling flash encryption and storing them in an encrypted data partition on the ESP32's flash is an option. There isn't an example for this, but the support for it is present. The only thing is that as it's the internal flash you would still need a provisioning step for loading keys into each device.
We're currently in the process of merging support for formatting & mounting a FAT filesystem that is located in a partition on the internal flash, which will make it simpler to store data like keys and certs on the ESP32's internal flash. (Both approaches use the ESP-IDF filesystem, so the basics are the same - just that instead of mounting the SD card you will mount the internal FAT filesystem.)
Angus
Who is online
Users browsing this forum: No registered users and 98 guests