Closed jzombie closed 2 months ago
Loosely related: https://github.com/dmotz/trystero/issues/85
I initially tried to make a C plugin for this but it seems that I couldn't bind directly to the storage I/O events, so I am using an encrypted storage mount instead.
Encrypting retained messages on the server side with Mosquitto requires a few additional steps, as Mosquitto does not natively support message encryption at rest. However, you can achieve this by combining Mosquitto with an external script or service that handles encryption and decryption.
Here are some approaches to encrypt retained messages on the server:
Approach 1: Using a Custom Plugin
You can create a custom Mosquitto plugin that encrypts messages before they are stored and decrypts them when they are retrieved.
1. Install Mosquitto Development Libraries: Make sure you have the necessary development libraries for Mosquitto to build custom plugins.
2. Create a Custom Plugin: Write a plugin in C that uses a cryptographic library (e.g., OpenSSL) to encrypt and decrypt messages.
3. Compile the Plugin: Compile the plugin and configure Mosquitto to load it.
4. Configure Mosquitto: Add the plugin to the Mosquitto configuration file.
Approach 2: Using a Bridge with Encryption
Set up a Mosquitto bridge to another broker or service that handles encryption and decryption of messages.
1. Configure Mosquitto Bridge: Add a bridge to the Mosquitto configuration file.
2. Encryption Service: Use an external service that subscribes to the Mosquitto broker, encrypts messages, and republishes them to the encrypted broker.
Approach 3: Using SSL/TLS for Transport Encryption
While this does not encrypt messages at rest, it ensures that messages are encrypted during transport.
1. Generate SSL/TLS Certificates: Use OpenSSL to generate certificates.
2. Configure Mosquitto for SSL/TLS: Add SSL/TLS configuration to the Mosquitto configuration file.
3. Connect Clients Using SSL/TLS: Configure MQTT clients to connect using SSL/TLS.
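As an added example (not part of the issue or the Mosquitto project), a mosquitto.conf that applies Approach 3 with a TLS-only listener and, for the at-rest side, points the persistence database at a directory on an encrypted mount, the workaround the issue author describes above. Every path, including the /mnt/encrypted mount point, is an assumption to be replaced with your own.

```conf
# Added example mosquitto.conf: TLS in transit (Approach 3) plus the
# persistence file on an encrypted volume for protection at rest.
# All paths below are assumptions, not values from the issue.

# Only a TLS listener; no plaintext "listener 1883" alongside it.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1.2

# Mutual TLS: clients must present a certificate issued by the CA above,
# and the certificate CN is used as the MQTT username for ACL checks.
require_certificate true
use_identity_as_username true
allow_anonymous false
acl_file /etc/mosquitto/aclfile

# Retained messages and the rest of the in-memory database are written
# to this directory (trailing slash required) on shutdown and every
# autosave_interval seconds. /mnt/encrypted is an assumed mount point
# backed by an encrypted block device (for example LUKS or dm-crypt).
persistence true
persistence_location /mnt/encrypted/mosquitto/
persistence_file mosquitto.db
autosave_interval 300
```

The encrypted mount only defends the persistence file against offline access to the disk; retained messages are still held in clear in broker memory and delivered in clear to any client the ACL permits, so the ACL and client-certificate policy carry the rest of the access control.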
Conclusion
While Mosquitto does not natively support encryption of retained messages at rest, you can achieve this through custom plugins, bridging to an encrypted broker, or using SSL/TLS for transport encryption. The best approach depends on your specific requirements and security policies.