encryption #291
Description
It would be useful to be able to encrypt firmware and/or config directories. Right now, both firmware and configurations are in plaintext, meaning that loss/theft of the device/SD card potentially exposes information.
There are different ways of implementing this. A virtual or encrypted file system is probably not in the cards, since firmware doesn't support this.
However, decrypting on boot and encrypting when a different firmware is chosen is probably the best option. I'm assuming this would require a JSON or YAML file defining which files belong together. This could also be used as a boot menu:
- name: meshtastic
boot: meshtastic.bin
extra_files:
- meshtastic.conf
public_key: 09b0b8098b08eb0838409282bcda
encrypted: yes
- name: meshcore
boot: meshcore.bin
extra_files:
- meshcore.conf
public_key: 09b0b8098b08eb0838409282bcda
encrypted: yesWith a bit of extra syntax, this could even allow using the same firmware with multiple config files
- name: meshtastic2
boot: meshtastic.bin
extra_files:
- file: meshtastic-2.conf as: meshtastic.conf
public_key: 09b0b8098b08eb0838409282bcda
encrypted: yesNote the use of a public key for automatic encryption; the private key would be derived from the user-provided password on boot. That is, the files are decrypted with the private key (derived from the user password) and encrypted with the public key (stored in the config file, but obviously also derived from the user password at some point).