encrypt encryptionKey and password using AES #62
Assignees
Labels
enhancement
New feature or request
Comments
|
I know Martijn uses this to encrypt and decrypt: |
|
Yes maybe, I just don't catch how the cipher works, and I don't like using things I don't understand :) |
|
Also, unsure how he retrieve the secreteKey from env. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current situation
The encryptionKey and password are currently stored in the driver settings.
They are stored in plain text.
The consolre.re and 'collect debug info' functions offuscate them.
If the user install an app with homey-api-management permission, that said app could be able to retrive the settings of all the drivers from Homey, including ip address, encryptionKey and so on ...
Registered password and encryptionKey should be encrypted using a private key. Stored, and only decrypted when needed.
The private key itself should not be saved in the github.
DISCLAIMER:
This will not protect the device from a direct and brutal attack, but it should mitigate the risk to steal the password/encryptionKey from ESPhome app.
The text was updated successfully, but these errors were encountered: