How to store passwords safely on a device?

I have a Raspberry Pi that needs to access a service using a username and password. What is the standard procedure to store the user credentials on the device?

I know that a user on a phone would enter the username and password in order to get a token which is valid for a certain period of time. This allows to !not! store the credentials locally.

However, my device (DVR) needs to run 24/7 and the user cannot regularly enter the password. So I somehow need to store the password on the device to login every once in a while or after a reboot.

I am concerned because the device is publicly accessible and someone could potentially take it, plug it into a computer and read the password from storage.

You have to think about what exact attacks you want to protect against. The TL;DR is you won't be able to protect it against everything that comes to mind.

One question is whether it's ok to enter some kind of a secret (a password) when the device boots up. You're saying it's running 24/7, so a reboot should probably not be very frequent. If your concern is somebody taking the Raspberry and reading the password from the disk (or card, in case of a Pi), you could try and keep it in memory only. Startup would need the password to be entered, but whoever takes the device (or the card) physically would not be able to learn the password. Of course this is not entirely secure, somebody could either read the password from memory without taking the Pi (you said they have physical access), or they could maintain power while taking it so that the password is kept in memory. But it would be much more secure than writing the password to the storage.

Another thing you can do is assign the device some kind of a token. If you think the token is compromised (somebody learnt it in any way), you can just change the token to a new one. But you still need a way to discover when credentials are stolen. But you would need this anyway.

You can monitor the device for physical tampering or theft. If it is tampered with or stolen, you can assume the credentials are compromised, and you can then issue new credentials to your service.

Also you're saying it runs 24/7, so I assume it has a fixed IP address. You can implement IP address restriction on the service that it connects to with the credentials, so even if credentials are compromised, an attacker is very limited in where he can connect from (but you mentioned a DVR, which typically uses UDP traffic, and it's much easier to forge source IP addresses over UDP than over TCP).

Probably needless to say, but obviously you should use unique credentials on this device that you use nowhere else and for no other purpose.

Note that you can pick several of these if you like to protect against different threats, or to build defense in depth. But you have to keep in mind that whatever you give to users (potential attackers) is lost and you can safely assume they have full control. However, the level of effort is different, and if you can make it hard or risky enough for an attacker, that's probably reasonably good in many situations.
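
The token, revocation and IP-restriction ideas from the answer above can be combined on the service side. The following Python sketch is an added example, not part of the original post: the `DeviceTokenRegistry` class, the device id `dvr-01` and the documentation-range IP addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


class DeviceTokenRegistry:
    """Service-side registry: one revocable token per device, tied to a source network."""

    def __init__(self):
        self._devices = {}  # device_id -> (SHA-256 of token, allowed network)

    def issue(self, device_id, allowed_cidr):
        """Issue or rotate a token; any earlier token for this device stops working."""
        token = secrets.token_urlsafe(32)  # random, used nowhere else
        digest = hashlib.sha256(token.encode()).digest()
        self._devices[device_id] = (digest, ipaddress.ip_network(allowed_cidr))
        return token  # goes onto the device; the service keeps only the hash

    def revoke(self, device_id):
        """Call when the device is reported tampered with or stolen."""
        self._devices.pop(device_id, None)

    def authenticate(self, device_id, token, source_ip):
        """source_ip should come from the TCP/TLS connection, not a UDP datagram."""
        entry = self._devices.get(device_id)
        if entry is None:
            return False
        digest, network = entry
        presented = hashlib.sha256(token.encode()).digest()
        token_ok = hmac.compare_digest(presented, digest)  # constant-time compare
        ip_ok = ipaddress.ip_address(source_ip) in network
        return token_ok and ip_ok


def demo():
    """Constructed scenario using documentation-range IP addresses."""
    reg = DeviceTokenRegistry()
    old = reg.issue("dvr-01", "203.0.113.7/32")
    results = {
        "normal": reg.authenticate("dvr-01", old, "203.0.113.7"),
        "stolen_token_other_ip": reg.authenticate("dvr-01", old, "198.51.100.20"),
    }
    new = reg.issue("dvr-01", "203.0.113.7/32")  # rotate after suspected theft
    results["old_after_rotation"] = reg.authenticate("dvr-01", old, "203.0.113.7")
    results["new_after_rotation"] = reg.authenticate("dvr-01", new, "203.0.113.7")
    return results
```

Because the device holds a token rather than the user's password, a card read out of a stolen device exposes only a credential that the service can invalidate with `revoke` or `issue`.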
