Need a means to protect my source code


This topic comes up from time to time, but I haven't seen a satisfactory answer.

I need a way to encrypt the source code on the micro SD card so that the card is useless if someone pulls it out and tries to make off with my IP. Obviously, some type of encryption key would be required by the loader to decrypt flows.

Extra credit: Allow the encryption to be applied at the flow or node level.

Has any thought been given to such a feature? What are others doing?



One possible route is to encrypt a partition on the SD card. The downside is that you would have to enter a password every time you boot. Some idea of how to do it:



Interesting, but the password at boot time is not workable because my devices are deployed "headless".



It is difficult to think of a simple alternative. If the data is not encrypted in a way that requires manual entry of a password then if someone has a Pi similar to the one the card is running in then if they removed the card from the original Pi and put it in their own one then the Pi would boot and from there they would be able to access the files.
One solution I can see to that would be to have some hardware on the original Pi which cannot be easily replicated and encrypt the data using a key derived from something in the hardware, so effectively a hardwired password built into the original Pi or a daughter board attached to it.
Another solution would be to have the password on the local network somewhere and have the Pi access it on boot and decrypt the node-red partition using that. But if this person is able to get access to the Pi to get the card out then perhaps he has access (at least temporarily) to the local network too.



You cannot have full headless, hands-off encryption without specialist hardware which isn't likely available for the Pi.

The best I can think of would be to create a trap that, on boot, checks for some known entity or value from your local network and, if not present, destroys the data. Of course, that will only work if the card is booted up. To help mitigate that, you can use an encrypted partition with the key buried as deep as possible in a root accessible only file. Come to think of it, if the startup check fails, you only need to trash the key file not the partition.

Needless to say, keep backups! And keep them offsite - if someone gets access to your Pi - they will take EVERYTHING including local backups. I know it happened to me a couple of decades ago.



There is a Raspberry Pi serial number that could be used as an encryption key. That seems workable for the case where the SD card has wandered off.

What if flows could be loaded over the network and never saved to local storage? That would safeguard the code and facilitate the distribution of updates, which is another challenge we face with IoT devices. Two for the price of one.
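
The serial-number idea from this post, as an added example (not code from the thread or from Node-RED): the flows file is encrypted with a key derived from the `Serial` line of `/proc/cpuinfo`, so a card moved to another board fails to decrypt. The function names, the constructed serials and the choice of scrypt with AES-256-GCM are assumptions; the serial is an identifier that anyone holding the Pi can read, so this only covers the case where the card leaves without the board.

```javascript
// Added example: bind an encrypted flows file to one Pi's serial number.
const nodeCrypto = require('crypto');

// Constructed samples of /proc/cpuinfo text from two boards (serials are made up).
const CPUINFO_ORIGINAL = 'Hardware\t: BCM2835\nSerial\t\t: 00000000a1b2c3d4\n';
const CPUINFO_OTHER = 'Hardware\t: BCM2835\nSerial\t\t: 000000005e6f7a8b\n';

// Pull the "Serial" field out of /proc/cpuinfo text.
function readPiSerial(cpuinfoText) {
  const m = /^Serial\s*:\s*([0-9a-fA-F]+)\s*$/m.exec(cpuinfoText);
  if (!m) throw new Error('no Serial line in cpuinfo');
  return m[1].toLowerCase();
}

// Stretch the serial into a 256-bit key; the salt is stored beside the ciphertext.
function deriveKey(serial, salt) {
  return nodeCrypto.scryptSync(serial, salt, 32);
}

// Output layout: salt(16) | iv(12) | tag(16) | ciphertext.
function encryptFlows(flowsJson, serial) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(serial, salt), iv);
  const body = Buffer.concat([cipher.update(flowsJson, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Returns the flows JSON, or null when the key is wrong or the blob was altered.
function decryptFlows(blob, serial) {
  const salt = blob.subarray(0, 16), iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44), body = blob.subarray(44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(serial, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM authentication tag did not verify
  }
}

// Constructed one-node flow, encrypted on the original board.
const flows = JSON.stringify([{ id: 'n1', type: 'inject', wires: [['n2']] }]);
const blob = encryptFlows(flows, readPiSerial(CPUINFO_ORIGINAL));
console.log('same board :', decryptFlows(blob, readPiSerial(CPUINFO_ORIGINAL)) === flows);
console.log('other board:', decryptFlows(blob, readPiSerial(CPUINFO_OTHER)));
```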



You can create custom storage plugins for the runtime - so yes, that would be doable. Although how would you know it was an authorised device requesting the flows and not someone who has accessed your device and got any certificates/keys off it and reused them?

This is a hard problem to do right. As Julian said, short of using purpose-made secure hardware, all you can do is make it inconvenient to access your flows rather than make it impossible.



If someone has access to the Pi to grab the SD card, what makes you think they won't just pocket the Pi?



I keep a record of authorized devices in the cloud using the serial number.

Network loading would be the best option for my use case, I think. Sounds like a non-trivial effort.



In my case, the Pi is attached to other hardware in a way that makes it pretty hard to remove. But we expose the SD card slot for field software updates.



An Atmega32u4 in USB key format programmed to act as a USB device could handle a simple handshake to act as a hardware dongle like they used to use to protect software licenses. You could do something drastic like glue the Atmega to the case itself so it couldn't be removed, or something like that. Just spitballing here.

It looks like this and can be programmed to connect as a USB device of your choosing.



Have you looked at this product?



Here is one more by Infineon.
I've never heard of Zymbit but I'm well familiar with Infineon; its TPM chip is installed in my Toughbook and was active when I used it for work.
I would definitely go for this one.