feat(config): secure storage

Make a "secure storage", eeprom emulation
This storage is used for wifi creds or api keys
We need to make a salted hardware based later

Author: Times-Z

include/config/ConfigManager.h

@@ -21,6 +21,7 @@
 #define CONFIG_MANAGER_H
 
 #include <ArduinoJson.h>
+#include "config/SecureStorage.h"
 #include <string>
 #include <cstdint>
 
@@ -65,6 +66,7 @@ class ConfigManager {
     uint32_t getLCDSpiHz() const;
     int8_t getLCDBacklightGpio() const;
     bool getLCDBacklightActiveLow() const;
+    bool migrateWiFiToSecureStorage(String ssid, String password);
 
    public:
     bool getLCDEnableSafe() const { return lcd_enable; }
@@ -88,6 +90,7 @@ class ConfigManager {
     std::string ssid;
     std::string password;
     std::string filename;
+    SecureStorage secure;
     bool lcd_enable = true;
     int16_t lcd_w = 240;
     int16_t lcd_h = 240;

include/config/SecureStorage.h

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+/*
+ * GeekMagic Open Firmware
+ * Copyright (C) 2026 Times-Z
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifndef SECURE_STORAGE_H
+#define SECURE_STORAGE_H
+
+#include <Arduino.h>
+#include <ArduinoJson.h>
+
+class SecureStorage {
+   public:
+    SecureStorage(size_t eepromSize = 2048);
+    bool begin();
+    bool put(const char* key, const char* value);
+    bool remove(const char* key);
+    String get(const char* key, const char* defaultValue = nullptr);
+
+   private:
+    size_t _eepromSize;
+    bool loadToMemory();
+    bool flushToEEPROM();
+    JsonDocument _doc;
+    bool _ready = false;
+};
+
+#endif  // SECURE_STORAGE_H

readme.md

@@ -275,6 +275,15 @@ From there, select and flash the filesystem using the `littlefs.bin` file
 
 Once the device reboots, the setup is complete!
 
+Note: The Wi-Fi credentials in config.json are migrated to EEPROM “secure storage” on first boot. After that, the Wi-Fi credentials are erased from config.json
+
+Data stored in EEPROM (or flash-based EEPROM emulation) is not secure by default
+All values (API keys, Wi-Fi credentials, tokens, etc.) are currently stored in clear text and can be recovered by anyone with physical access to the device or the ability to read the flash memory
+
+This project does not provide hardware-backed security
+
+Do not assume confidentiality against a determined attacker
+
 ## License
 
 This project is licensed under the **GPLv3 License** - see the [LICENSE](LICENSE) file for details

src/config/ConfigManager.cpp

@@ -22,8 +22,9 @@
 
 #include <Logger.h>
 #include "config/ConfigManager.h"
+#include "config/SecureStorage.h"
 
-ConfigManager::ConfigManager(const char* filename) : filename(filename) {}
+ConfigManager::ConfigManager(const char* filename) : filename(filename), secure() {}
 
 /**
  * @brief Loads the configuration from a file stored in SPIFFS
@@ -61,25 +62,44 @@ auto ConfigManager::load() -> bool {
         return false;
     }
 
-    ssid = doc["wifi_ssid"].as<const char*>();
-    password = doc["wifi_password"].as<const char*>();
-
-    lcd_enable = doc["lcd_enable"] | lcd_enable;
-    lcd_w = doc["lcd_w"] | lcd_w;
-    lcd_h = doc["lcd_h"] | lcd_h;
-    lcd_rotation = doc["lcd_rotation"] | lcd_rotation;
-    lcd_mosi_gpio = doc["lcd_mosi_gpio"] | lcd_mosi_gpio;
-    lcd_sck_gpio = doc["lcd_sck_gpio"] | lcd_sck_gpio;
-    lcd_cs_gpio = doc["lcd_cs_gpio"] | lcd_cs_gpio;
-    lcd_dc_gpio = doc["lcd_dc_gpio"] | lcd_dc_gpio;
-    lcd_rst_gpio = doc["lcd_rst_gpio"] | lcd_rst_gpio;
-    lcd_cs_active_high = doc["lcd_cs_active_high"] | lcd_cs_active_high;
-    lcd_dc_cmd_high = doc["lcd_dc_cmd_high"] | lcd_dc_cmd_high;
-    lcd_spi_mode = doc["lcd_spi_mode"] | lcd_spi_mode;
-    lcd_keep_cs_asserted = doc["lcd_keep_cs_asserted"] | lcd_keep_cs_asserted;
-    lcd_spi_hz = doc["lcd_spi_hz"] | lcd_spi_hz;
-    lcd_backlight_gpio = doc["lcd_backlight_gpio"] | lcd_backlight_gpio;
-    lcd_backlight_active_low = doc["lcd_backlight_active_low"] | lcd_backlight_active_low;
+    String ssid = doc["wifi_ssid"] | "";
+    String password = doc["wifi_password"] | "";
+
+    this->lcd_enable = doc["lcd_enable"] | lcd_enable;
+    this->lcd_w = doc["lcd_w"] | lcd_w;
+    this->lcd_h = doc["lcd_h"] | lcd_h;
+    this->lcd_rotation = doc["lcd_rotation"] | lcd_rotation;
+    this->lcd_mosi_gpio = doc["lcd_mosi_gpio"] | lcd_mosi_gpio;
+    this->lcd_sck_gpio = doc["lcd_sck_gpio"] | lcd_sck_gpio;
+    this->lcd_cs_gpio = doc["lcd_cs_gpio"] | lcd_cs_gpio;
+    this->lcd_dc_gpio = doc["lcd_dc_gpio"] | lcd_dc_gpio;
+    this->lcd_rst_gpio = doc["lcd_rst_gpio"] | lcd_rst_gpio;
+    this->lcd_cs_active_high = doc["lcd_cs_active_high"] | lcd_cs_active_high;
+    this->lcd_dc_cmd_high = doc["lcd_dc_cmd_high"] | lcd_dc_cmd_high;
+    this->lcd_spi_mode = doc["lcd_spi_mode"] | lcd_spi_mode;
+    this->lcd_keep_cs_asserted = doc["lcd_keep_cs_asserted"] | lcd_keep_cs_asserted;
+    this->lcd_spi_hz = doc["lcd_spi_hz"] | lcd_spi_hz;
+    this->lcd_backlight_gpio = doc["lcd_backlight_gpio"] | lcd_backlight_gpio;
+    this->lcd_backlight_active_low = doc["lcd_backlight_active_low"] | lcd_backlight_active_low;
+
+    String nvs_ssid = secure.get("wifi_ssid", "");
+    String nvs_password = secure.get("wifi_password", "");
+
+    if ((ssid.length() != 0 && nvs_ssid.length() == 0) || (password.length() != 0 && nvs_password.length() == 0)) {
+        secure.put("wifi_ssid", ssid.c_str());
+        secure.put("wifi_password", password.c_str());
+
+        this->ssid = secure.get("wifi_ssid").c_str();
+        this->password = secure.get("wifi_password").c_str();
+
+        // Ensure we delete the wifi credentials from the json config after migrating
+        ConfigManager::save();
+
+        Logger::info("WiFi credentials migrated to SecureStorage", "ConfigManager");
+    } else {
+        this->ssid = secure.get("wifi_ssid").c_str();
+        this->password = secure.get("wifi_password").c_str();
+    }
 
     return true;
 }
@@ -226,6 +246,8 @@ auto ConfigManager::setWiFi(const char* newSsid, const char* newPassword) -> voi
 /**
  * @brief Save the current configuration to the file
  *
+ * @param clearWifiCreds If true wifi credentials will be cleared from json config
+ *
  * @return true if the configuration was successfully saved false otherwise
  */
 auto ConfigManager::save() -> bool {
@@ -245,11 +267,9 @@ auto ConfigManager::save() -> bool {
 
     JsonDocument doc;
 
-    doc["wifi_ssid"] = ssid.c_str();
-    doc["wifi_password"] = password.c_str();
-    doc["lcd_enable"] = lcd_enable;
-    doc["lcd_w"] = lcd_w;
-    doc["lcd_h"] = lcd_h;
+    secure.put("wifi_ssid", this->getSSID());
+    secure.put("wifi_password", this->getPassword());
+
     doc["lcd_rotation"] = lcd_rotation;
 
     if (serializeJson(doc, file) == 0) {
@@ -264,3 +284,21 @@ auto ConfigManager::save() -> bool {
 
     return true;
 }
+
+/**
+ * @brief Migrate WiFi credentials to SecureStorage
+ *
+ * @param ssid The SSID to store
+ * @param password The password to store
+ * @return true on success false on failure
+ */
+auto ConfigManager::migrateWiFiToSecureStorage(String ssid, String password) -> bool {
+    secure.put("wifi_ssid", ssid.c_str());
+    secure.put("wifi_password", password.c_str());
+
+    ConfigManager::save();
+
+    Logger::info("WiFi credentials migrated to SecureStorage", "ConfigManager");
+
+    return true;
+}