How to Turn ESP32 CYD Into a Secure IoT Data Vault

by Northstrix in Circuits > Microcontrollers



I've lost count of how many versions of the Midbar data vault I've already released. And while they've served their purpose, they're not easy to set up, to say the least, especially for people with no software engineering background. Getting Midbar up and running involves multiple technical steps: installing UART bridge drivers, installing and configuring the development environment, installing the required libraries, modifying firmware, and hoping for successful compilation—all before even using the device (note that I haven't even mentioned the assembly part).

To make it easier for you to get the Midbar up and running, I made a version that only requires you to install UART bridge drivers, open the WebFlash page, make a couple of clicks there, and get an IoT data vault that you can then configure without closing the page.

If you're interested in making an advanced IoT data vault that utilizes AES-256 to encrypt your data, continue reading this tutorial.

This tutorial is also available on Medium, Hackster, and Maker Pro.

Supplies

  • ESP32-2432S028R x1
  • PS/2 Keyboard x1
  • PS/2 Port x1 *optional

Install UART Bridge (COM Port) Drivers

To flash the ESP32-2432S028R (CYD), you have to install the UART driver for the CH340G. I've also included a link for the CP210x driver, just in case you decide to use the ESP32-WROOM instead of the CYD.

Upload the Firmware Into the ESP32


Yes, it's only the second step, and it's already time to upload the firmware into the ESP32.

To upload the firmware into the ESP32:

  • Open the WebFlash page in a browser that supports the Web Serial API (Google Chrome, Microsoft Edge, Opera);
  • Press the "CONNECT" button;
  • In the pop-up window, select the COM port to which the ESP32 is connected and press the "Connect" button;
  • In the form that appears in the middle of the screen, click on the "INSTALL MIDBAR ESP32 CYD FIREBASE EDITION" option;
  • Regardless of whether you check "Erase device" or not, press the "NEXT" button;
  • Wait for the firmware to be uploaded into the ESP32.

Just in case, here's the actual WebFlash link: https://northstrix.github.io/Midbar-ESP32-CYD-Firebase-Edition/flash

*If you wish to compile the firmware yourself, you can get the source code at:

Set Up Google Firebase


I would be happy to explain how to set up Google Firebase. However, I believe that the article at https://medium.com/firebase-developers/getting-started-with-esp32-and-firebase-1e7f19f63401 does a better job of that. I suggest reading the article up until the “Development Environment Setup” headline.

When setting up the database, save the “Realtime Database URL” and the “Web API Key.” Both values will be needed later.

Configure Midbar


Once you've configured Google Firebase, configure Midbar over the serial terminal:

  • Return to the WebFlash page and click the "Connect" button;
  • Click on the "LOGS & CONSOLE" line;
  • Reboot the ESP32 CYD once the serial terminal opens;
  • Paste the five required values into the serial terminal, pressing "Enter" after each value;
  • Confirm the configuration by entering the "Y" character and pressing "Enter";
  • Reboot the device after configuring it.

Note that the "Iterations" value defines the number of PBKDF2 (Password-Based Key Derivation Function 2) iterations used to derive the cryptographic keys from your master password. Any value greater than 0 is accepted, but I wouldn't advise going above 100 000, because key derivation on the ESP32 would take a very long time. Don't go too low either: the iteration count is what slows down offline guessing of your master password if someone ever obtains the encrypted records from Firebase. Whatever value you choose, every other client that decrypts your records (such as the desktop app) must be configured with the same count.
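To make the trade-off concrete, here is an added example (not Midbar's firmware or desktop-app code) that derives an AES-256-sized key with PBKDF2, times a derivation at different iteration counts, and shows that two clients with mismatched counts end up with different keys. The PRF (HMAC-SHA256), the fixed salt and the 32-byte output length are assumptions for the demo; the page does not document Midbar's actual salt or key layout.

```python
# Added example (not Midbar's firmware or desktop-app code): what the PBKDF2
# iteration count does to key derivation, and why every client must use the
# same count. Assumptions not stated on the page: PBKDF2-HMAC-SHA256, a fixed
# constructed salt, and a 32-byte (AES-256-sized) derived key.
import hashlib
import time

DEFAULT_ITERATIONS = 20451          # the count the desktop app ships with
SALT = b"midbar-demo-salt"          # constructed for the demo; real salt unknown
KEY_LEN = 32                        # 256-bit key for AES-256


def iterations_are_valid(iterations: int) -> bool:
    """Midbar accepts any count above 0; anything else is rejected here too."""
    return isinstance(iterations, int) and iterations > 0


def derive_key(master_password: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stretch the master password into an AES-256-sized key with PBKDF2."""
    if not iterations_are_valid(iterations):
        raise ValueError("iterations must be greater than 0")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), SALT, iterations, dklen=KEY_LEN
    )


def clients_agree(master_password: str, device_iterations: int, app_iterations: int) -> bool:
    """Two clients can share one set of encrypted records only if they derive
    the same key, which requires the same password AND the same count."""
    return derive_key(master_password, device_iterations) == derive_key(
        master_password, app_iterations
    )


def seconds_per_derivation(iterations: int, master_password: str = "demo") -> float:
    """Wall-clock cost of one derivation on this host. An ESP32 is far slower,
    which is why the page caps the recommended count at 100 000."""
    start = time.perf_counter()
    derive_key(master_password, iterations)
    return max(time.perf_counter() - start, 1e-9)


def guesses_per_day(iterations: int) -> float:
    """Master-password guesses an attacker holding the ciphertext could try per
    day on hardware like this host. Raising the count lowers this linearly;
    that is the security side of the iteration trade-off."""
    return 86400.0 / seconds_per_derivation(iterations)


if __name__ == "__main__":
    for count in (1000, DEFAULT_ITERATIONS, 100_000):
        print(f"{count:>7} iterations: {seconds_per_derivation(count):.4f} s "
              f"on this host, ~{guesses_per_day(count):,.0f} guesses/day")
    print("device 20451 vs app 20451 agree:", clients_agree("hunter2", 20451, 20451))
    print("device 20451 vs app 20450 agree:", clients_agree("hunter2", 20451, 20450))
```

Run it as a script to see the timing table for your own machine; the numbers for the ESP32 will be far higher, but the linear scaling is the same, and `clients_agree` shows why an off-by-one iteration count between the device and a second client makes the records undecryptable for that client.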

Enjoy the Lock Screens


This version of Midbar displays two lock screens. The first one is shown while it initializes Firebase, and the second one is displayed when it's ready to go and just waiting for you to press any key.


Credit for photos:

Used as 320x190px lock screens:

  • Atlanta: Photo by Kelly from Pexels
  • Dallas: Photo by Talena Reese from Pexels
  • Denver: Photo by Acton Crawford on Unsplash
  • Haifa: Image by Volker Glätsch from Pixabay
  • Jerusalem: Image by krystianwin from Pixabay
  • Miami: Photo by Alejandro Luengo on Unsplash
  • New Orleans: Photo by Morgan Petroski on Unsplash
  • Pittsburgh: Photo by Yuhan Du on Unsplash
  • Riyadh: Image by apriltan18 from Pixabay
  • Rome: Photo by Nicole Reyes on Unsplash
  • Singapore: Photo by Jay Ang on Unsplash
  • Tel Aviv: Image by ran from Pixabay

Used as 320x240px lock screen:

  • Saint Paul: Photo by Javier Quiroga on Unsplash


*As for the origin of the patterns you'll encounter while using this device:

I made the 80x80px patterns myself. The flower patterns were generated by Bing Image Creator in December 2023.

You can view each pattern individually if you want.

Assemble the Circuit

Circuit Diagram.png

At this point, simply connect the PS/2 port to the board as shown in the circuit diagram and plug a keyboard into it.

If the keyboard doesn't work, try connecting its power line to the 5V (VIN) pin.

Set Master Password


To use the Midbar, you first need to set the master password.

You can't change your master password without performing the factory reset first!

Midbar can't decrypt your data without your master password because the cryptographic keys are derived from it, and it most likely won't even unlock without the correct master password. If you forget it, the stored data is unrecoverable.

When you're done entering your master password, press either the "Enter" or the "ESC" key on the PS/2 keyboard.

After you've unlocked the vault and got to the main menu:

  • Press the "↓" (Down Arrow) key on the PS/2 keyboard to go down the menu.
  • Press the "↑" (Up Arrow) key on the PS/2 keyboard to go up the menu.
  • Press the "Enter" key on the PS/2 keyboard to open the selected menu.
  • While in a submenu, press either the "Esc" or the "Backspace" key on the PS/2 keyboard to return to the main menu.


While entering text in a tab:

  • Press "Enter" on the PS/2 keyboard to continue.
  • Press the "Esc" button on the PS/2 keyboard to cancel the current operation.


Benefit From the Secure Data Storage


Midbar allows you to store the data of four types:

  • Logins;
  • Credit Cards;
  • Notes;
  • Phone Numbers.

This version of Midbar stores data in Google Firebase while retaining the cryptographic keys in the ESP32's RAM.

It also comes with an HMAC-SHA256-based integrity verification feature that alerts you if the decrypted data is unauthentic or has been corrupted.
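The following is an added example (not Midbar's code) of how such an HMAC-SHA256 integrity check works in an encrypt-then-MAC design: the tag is computed over the ciphertext with a key kept separate from the encryption key, and it is verified with a constant-time comparison before the record is trusted. AES-256 is not in the Python standard library, so the ciphertext here is a constructed opaque blob; the record layout (ciphertext followed by a 32-byte tag), the 64-byte PBKDF2 key split and the demo salt are assumptions, not Midbar's documented format.

```python
# Added example (not Midbar's code): the encrypt-then-MAC integrity check the
# page describes, using HMAC-SHA256 over the ciphertext with a key separate
# from the encryption key. AES-256 is not in the Python standard library, so
# the ciphertext below is a constructed opaque blob; the record layout
# (ciphertext || 32-byte tag) and the key split are assumptions for the demo.
import hashlib
import hmac
from typing import Tuple

TAG_LEN = 32  # HMAC-SHA256 digest size


def derive_key_material(master_password: str, salt: bytes, iterations: int = 20451) -> bytes:
    """64 bytes of PBKDF2 output: enough for one AES-256 key and one HMAC key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)


def split_keys(key_material: bytes) -> Tuple[bytes, bytes]:
    """Never MAC with the encryption key itself: first half for AES-256,
    second half for HMAC-SHA256."""
    if len(key_material) != 64:
        raise ValueError("expected 64 bytes of key material")
    return key_material[:32], key_material[32:]


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Append a tag computed over the ciphertext (encrypt-then-MAC)."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_record(mac_key: bytes, record: bytes) -> bytes:
    """Verify before trusting: return the ciphertext only if the tag checks out.
    The comparison is constant-time so the tag can't be guessed byte by byte."""
    if len(record) < TAG_LEN:
        raise ValueError("record too short to carry a tag")
    ciphertext, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: record is unauthentic or corrupt")
    return ciphertext


def is_authentic(mac_key: bytes, record: bytes) -> bool:
    """Boolean wrapper around open_record for callers that only need a verdict."""
    try:
        open_record(mac_key, record)
        return True
    except ValueError:
        return False


def flip_byte(data: bytes, index: int) -> bytes:
    """Simulate one corrupted or tampered byte in a stored record."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


# Constructed demo values: a fixed salt and a fake 48-byte AES-256 output.
DEMO_SALT = b"midbar-demo-salt"
DEMO_CIPHERTEXT = bytes(range(48))

if __name__ == "__main__":
    _, mac_key = split_keys(derive_key_material("hunter2", DEMO_SALT))
    record = seal(mac_key, DEMO_CIPHERTEXT)
    print("untouched record authentic:", is_authentic(mac_key, record))
    print("one ciphertext byte flipped:", is_authentic(mac_key, flip_byte(record, 5)))
    print("one tag byte flipped:", is_authentic(mac_key, flip_byte(record, len(record) - 1)))
    _, other_mac_key = split_keys(derive_key_material("hunter3", DEMO_SALT))
    print("checked with another password's key:", is_authentic(other_mac_key, record))
```

The verdict is the same whether a byte of ciphertext or a byte of the tag was altered, whether the record was truncated, or whether it was produced under a different master password, which is exactly the "unauthentic or corrupt" alert the feature is meant to raise; a real implementation would only hand the ciphertext to AES after `open_record` succeeds.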

*All credentials demonstrated in this tutorial are entirely fictitious. Any similarity to actual credentials is purely coincidental.

Configure the Desktop App


Aside from using the hardware password vault, you can also access your encrypted records from the dedicated desktop app. The desktop app, though convenient, may compromise the overall security of Midbar: it derives the same keys from your master password on a general-purpose computer, which exposes them to side-channel attacks and to anything else running on that machine. So, use it at your own risk.

*Modify the value in the "iterations = 20451" line of the "Launch Me.py" file if you've set the number of PBKDF2 iterations to something other than 20451; otherwise the app will derive different keys and won't be able to decrypt your records.

I'll explain how to configure the desktop app in the next two steps.

Get the Firebase Private Key


To enable the desktop app to interact with Firebase, you need to generate a service account private key and place it in the same folder as the desktop (client) application. Keep in mind that this key grants administrative access to your Firebase project, so store it carefully and never share it or commit it to a public repository.

To do so:

  • Open your database;
  • Click on the “Settings” icon;
  • Click on the “Project settings” line;
  • When the next tab loads, go to the “Service accounts” tab;
  • Click the “Generate new private key” button;
  • Click the “Generate key” button in the pop-up window;
  • Save the private key to the “…V1.0\Desktop App” folder under the “firebase key.json” name.

Add Database URL to the Desktop App


Navigate to the “…V1.0\Desktop App” folder, open the “db_url.txt” file, replace my database URL with yours, save the file and close it.

Enjoy the Result


This version of Midbar encrypts your data with AES-256 and pairs it with HMAC-SHA256-based integrity verification, so the confidentiality, integrity and authenticity of your records are all protected.

Because Midbar stores only encrypted data in the cloud while keeping the cryptographic keys in the device's RAM, you can access your data from several devices at once without exposing it to third parties: Firebase only ever holds ciphertext.

And thanks to the WebFlash feature, you don't need to install the development environment and know how to code to set up the device.


That's it for this tutorial.

If you like this tutorial, please share it.