2

I'm looking to add encryption to an embedded data logger and I'd really appreciate some advice to make sure that my approach is reasonable/secure.

The user will load a GPG public key onto the device. Sensor data will come in over time, and the device will then use the GPG public key to encrypt the sensor data. If the device is compromised, importantly the data should not be recoverable with just the public key. At a later time, the user will collect the device, download the data, and use the private key to decrypt the results.

First, I generate a public/private key pair on a separate machine:

gpg --gen-key
gpg --export -a "User Usington" > my.public.key

Then, I import just the public key to the embedded device. I place absolute trust in the key loaded by the user, so I bypass some verification. Also, the embedded device may not have the correct date set. I then encrypt some data:

FILE_NAME=lorem.txt
OUT_NAME=${FILE_NAME}.gpg
KEY_NAME=my.public.key

# Import the key
gpg --batch --allow-non-selfsigned-uid --ignore-time-conflict --import ${KEY_NAME} 

# Scrape the key ID
KEYID=$(gpg --batch --ignore-time-conflict --with-colons ${KEY_NAME} | head -n1 | cut -d: -f5)

# Encrypt the data
cat ${FILE_NAME} | gpg --batch --ignore-time-conflict --ignore-valid-from --trust-model always --recipient ${KEYID} --encrypt > ${OUT_NAME}

Does this look reasonable?

Bill
  • 21
  • 1
  • 2
    What exactly is your threat model? It looks like you're trying to mitigate a device compromise, but if the device is compromised early on they'll be able to get the sensor data directly, before it's encrypted. There is also nothing here preventing fabrication of data after the device has been compromised. – AndrolGenhald Sep 05 '18 at 14:53

0 Answers0