Private unique id used as client secret to access https api

[stoikos]

I would like to use esp32 to post sensor data in our API using https. In order to do that I would like to assign unique private ids (client secret) that is known only to me and there is no way for a third party to figure out or gain access to the id. Then using TLS and the private unique key I can be pretty sure that the incoming request is coming from an ESP32 that I have put out in the field, nobody has tampered with the data and none can send me a fake request.

I have read other posts regarding the same issue and some of the answers were suggesting to use mac address for that purpose or a modified version of it. Although this is a unique value unfortunately is not secure. Anyone can sniff the network and get the mac address used. Then he can flood our API and there will be no way for us to tell if the request comes from our ESP32 or coming from a third party. Modifying the mac address with some predermined algorithm on the ESP side seems like a hack and not a solid solution.

Other solutions suggested to use the NVS but in my experience NVS can be corrupted. At that point NVS needs to be erased along with the private key and the device will no longer be able to connect.

• - Is there a way to have private unique id on ESP? Emphasis on the private
  - Can I use the BLK3 efuse for that?
  - If I do burn the BLK3 can anyone read the BLK3 with the espefuse.py?
  - How can I prevent someone from reading the BLK3?
  - Is there a way (perhaps using secure boot with flash encryption and disabling jtag) to secure it in such a way that only my signed application can read the value in BLK3 and use it to communicate with the https API and a third party has no way to know the key ?

[WiFive]

Don't use blk3, store it in an encrypted partition with secure boot and flash encryption enabled.

[stoikos]

Is this what you are talking about?
viewtopic.php?t=6514