Generate signing keys

More information on how to secure your MySensors network is available here. This wiki page explains how to generate the signing keys using the MySensors installation on your gateway (Raspberry Pi) or, as an alternative, using a node.

You have to install the generated keys on both the nodes and the gateway. The same keys can be used for both MySensors instances, nrf24 and RFM69.

Each key will be generated in two formats: the alphanumeric one has to be used in the gateway, while the hexadecimal one is meant to be used in your nodes.

Generate HMAC key

pi@d-diot: $ cd /home/pi/MySensors/rfm69
pi@d-diot:/home/pi/MySensors/rfm69 $ ./bin/mysgw-rfm69 --gen-soft-hmac-key 

You should see something like this. Write down the key and keep it secret!

Generating key... done.
To use the new key, update the value in /etc/mysensors-rfm69.conf witn:
soft_hmac_key=AD5FEE012A7C793950558BA97E974F5B85476584ED1E4AC77FDB9FB0DE72A04F
 
The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_HMAC_KEY 0XAD,0X5F,0XEE,0X1,0X2A,0X7C,0X79,0X39,0X50,0X55,0X8B,0XA9,0X7E,0X97,0X4F,0X5B,0X85,0X47,0X65,0X84,0XED,0X1E,0X4A,0XC7,0X7F,0XDB,0X9F,0XB0,0XDE,0X72,0XA0,0X4F

Generate AES key:

pi@d-diot:/home/pi/MySensors/rfm69 $ ./bin/mysgw-rfm69 --gen-aes-key 

You should see something like this. Write down the key and keep it secret!

Generating key... done.
To use the new key, update the value in /etc/mysensors-rfm69.conf witn:
aes_key=26548DFDCF82E9DF33E7500E629D9C40
 
The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_AES_KEY 0X26,0X54,0X8D,0XFD,0XCF,0X82,0XE9,0XDF,0X33,0XE7,0X50,0XE,0X62,0X9D,0X9C,0X40
 
Note: The gateway was not built with encryption support.
      Any key set with aes_key option in the config file is ignored.

As you can see in the note, this key will be ignored. More details here.

Generate SOFT-SERIAL key

pi@d-diot:/home/pi/MySensors/rfm69 $ ./bin/mysgw-rfm69 --gen-soft-serial

You should see something like this. Write down the key and keep it secret!

Generating key... done.
To use the new key, update the value in /etc/mysensors-rfm69.conf witn:
soft_serial_key=C2B57D1215706E0F91
 
The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_SERIAL 0XC2,0XB5,0X7D,0X12,0X15,0X70,0X6E,0XF,0X91

To generate your signing keys on a node, upload the SecurityPersonalizer.ino sketch, which comes pre-installed with the MySensors library in the Arduino IDE, to your Arduino board or bare ATmega microcontroller.

Uncomment the following lines before uploading the sketch:

  • #define GENERATE_KEYS_ATSHA204A
  • #define GENERATE_KEYS_SOFT

Upload and run the sketch; if nothing goes wrong, you should see your three keys in the serial monitor of the Arduino IDE.

A modified version of the SecurityPersonalizer.ino sketch, distributed as a PlatformIO project, is available in the d-diot GitHub repo.

Follow the firmware upload guide to learn how to flash your Arduino board with the PlatformIO CLI, directly from your d-diot hub.

To download the PlatformIO d-diot-personalize-node project, run the following command:

homeassistant@d-diot:~/pio $ git clone https://github.com/d-diot/d-diot-personalize-node.git

To install the keys in your gateway, copy the three key lines (HMAC, AES and SOFT-SERIAL) into the configuration files of both gateway instances.

pi@d-diot: $ sudo nano /etc/mysensors-rfm69.conf
pi@d-diot: $ sudo nano /etc/mysensors-nrf24.conf 

To install the keys in a node, you can follow this how-to.
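
A consistency check for the two key formats, added here as an example (it is not part of the original wiki or of the MySensors project): it verifies that every gateway configuration file carries the same keys with the expected length and that they match the #define lines used on the nodes. The function names are hypothetical, the treatment of '#' as a comment marker in the config file is an assumption, and the sample values are the ones printed on this page.

```python
import re
# Gateway option -> (node macro, key length in bytes), as in the output shown above.
KEY_SPECS = {
    "soft_hmac_key": ("MY_HMAC_KEY", 32),
    "aes_key": ("MY_AES_KEY", 16),
    "soft_serial_key": ("MY_SOFT_SERIAL", 9),
}

def parse_gateway_conf(text):
    """Return {option: bytes} for the key options of one gateway config file."""
    keys = {}
    for line in text.splitlines():
        # Assumption: '#' starts a comment in the config file.
        name, sep, value = line.split("#", 1)[0].partition("=")
        if sep and name.strip() in KEY_SPECS:
            keys[name.strip()] = bytes.fromhex(value.strip())
    return keys

def parse_define(line):
    """Return (macro, bytes) from a '#define MY_... 0XAD,0X1,...' line."""
    m = re.match(r"\s*#define\s+(MY_\w+)\s+(.+)", line)
    if not m:
        raise ValueError("not a key #define: %r" % line)
    # Parse byte by byte: the gateway prints 0X1, not 0X01, so the digits cannot be concatenated.
    return m.group(1), bytes(int(tok, 16) for tok in m.group(2).split(","))

def to_define(option, key):
    """Format a gateway key the way the gateway prints it for the node sketch."""
    return "#define %s %s" % (KEY_SPECS[option][0], ",".join("0X%X" % b for b in key))

def check(confs, node_defines):
    """confs: {file name: text}; node_defines: #define lines. Returns a list of problems."""
    problems, ref = [], dict(parse_define(d) for d in node_defines)
    for fname, text in confs.items():
        keys = parse_gateway_conf(text)
        for option, (macro, length) in KEY_SPECS.items():
            if option not in keys:
                problems.append("%s: %s missing" % (fname, option))
            elif len(keys[option]) != length:
                problems.append("%s: %s is not %d bytes" % (fname, option, length))
            elif ref.setdefault(macro, keys[option]) != keys[option]:
                problems.append("%s: %s differs from the other copies" % (fname, option))
    return problems

# Sample values copied from the output shown on this page.
SAMPLE_CONF = ("soft_hmac_key=AD5FEE012A7C793950558BA97E974F5B85476584ED1E4AC77FDB9FB0DE72A04F\n"
               "aes_key=26548DFDCF82E9DF33E7500E629D9C40\nsoft_serial_key=C2B57D1215706E0F91\n")
SAMPLE_DEFINE = "#define MY_SOFT_SERIAL 0XC2,0XB5,0X7D,0X12,0X15,0X70,0X6E,0XF,0X91"
print(check({"rfm69": SAMPLE_CONF, "nrf24": SAMPLE_CONF}, [SAMPLE_DEFINE]) or "keys consistent")
```

On the hub, pass the contents of /etc/mysensors-rfm69.conf and /etc/mysensors-nrf24.conf as `confs`, together with the #define lines you placed in the node sketch.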

  • how_to/mysensors/generate_private_keys.txt
  • Last modified: 2019/06/20 16:02
  • by franzunix