search

Baldhor / Homey-ESPhome-Enhanced

This is an Homey app which adds support for ESPHome devices. ESPHome is a system to control your ESP8266/ESP32 by simple yet powerful configuration files and control them remotely through Home Automation systems. More information on their homepage: https://www.esphome.io/
GNU General Public License v3.0
5 stars 3 forks source link

encrypt encryptionKey and password using AES #62

Open Baldhor opened 7 months ago

Baldhor commented 7 months ago

Current situation The encryptionKey and password are currently stored in the driver settings. They are stored in plain text. The consolre.re and 'collect debug info' functions offuscate them.


That's kind of ok, but it's far from perfect!

If the user install an app with homey-api-management permission, that said app could be able to retrive the settings of all the drivers from Homey, including ip address, encryptionKey and so on ...


Registered password and encryptionKey should be encrypted using a private key. Stored, and only decrypted when needed.


The private key itself should not be saved in the github.


DISCLAIMER: This will not protect the device from a direct and brutal attack, but it should mitigate the risk to steal the password/encryptionKey from ESPhome app.

RoadXY commented 7 months ago

I know Martijn uses this to encrypt and decrypt: https://github.com/martijnpoppen/com.vag.core/blob/e9d5bec1d8ce7ce859cc75cb33f69de1b508b6b7/lib/helpers.js#L21

Baldhor commented 7 months ago

Yes maybe, I just don't catch how the cipher works, and I don't like using things I don't understand :) But it looks simple to use.

Baldhor commented 7 months ago

Also, unsure how he retrieve the secreteKey from env. const secretKey = Homey.env.SECRET;

RoadXY commented 7 months ago

https://apps.developer.homey.app/the-basics/app#environment