Prevent readout of MQTT client certificates
Posted: Fri Feb 20, 2026 9:52 pm
Hi,
I'd like to use the ESP-AT as a coprocessor in an existing application to establish an MQTT connection over TLS with a client certificate. However, I would like to prevent attackers with physical access to the device from reading out the certificate/key and thus being able to connect to my broker with another device.
As far as I can tell, once the certificate and key are uploaded using AT+SYSMFG=2 (or baked into the firmware at compile-time), it is possible to simply read out the files using AT+SYSMFG=1 (and there may be other commands which could be used to get the files?).
Is there a way to securely store this data and enable TLS connections without being able to read out the certificate and/or key? Of course, the use of Flash encryption is mandatory so the PKI data can't just be read from an SPI flash dump.
I'd like to use the ESP-AT as a coprocessor in an existing application to establish an MQTT connection over TLS with a client certificate. However, I would like to prevent attackers with physical access to the device from reading out the certificate/key and thus being able to connect to my broker with another device.
As far as I can tell, once the certificate and key are uploaded using AT+SYSMFG=2 (or baked into the firmware at compile-time), it is possible to simply read out the files using AT+SYSMFG=1 (and there may be other commands which could be used to get the files?).
Is there a way to securely store this data and enable TLS connections without being able to read out the certificate and/or key? Of course, the use of Flash encryption is mandatory so the PKI data can't just be read from an SPI flash dump.