Security
SCADABLE is mTLS device-to-broker, signed firmware artifacts, read-only GitHub App access. No device or repo trusts any party more than the minimum needed.
Pages in this section
- Device cert lifecycle: mTLS cert minting at flash time, NVS storage, validity windows, renewal path.
At a glance
| Surface | Mechanism |
|---|---|
| Device → broker | mTLS, per-device cert, 7-day validity |
| Firmware artifact integrity | Signed at build time with per-namespace key, verified at OTA-apply time on device |
| Repo → build pipeline | Read-only GitHub App, scoped to Contents, Metadata, and push/release webhooks. No write access. |
| Cert storage on device | NVS namespace scadable_certs, encrypted-NVS-capable on chips with eFuse keys |
| WiFi creds on device | NVS namespace scadable_wifi, never sent to SCADABLE servers (entered by customer in captive portal or by you in Direct mode) |
What we don't store
- Source code. SCADABLE clones at the tag SHA, builds in an ephemeral container, signs the artifact, discards the source tree. We don't keep your code on disk after the build.
- WiFi passwords. Both Direct and Provisioning modes write WiFi creds straight to NVS over WebSerial or captive portal. SCADABLE servers never see them.
- Per-device secrets. Secrets you set in the dashboard are sent to the device on connect, held in RAM, never persisted to NVS by the library.
What we do store
- The signed firmware artifact, on the SCADABLE CDN, indefinitely. Devices need to be able to re-download a release if they roll back or re-flash.
- The signing public key, baked into every device's
gateway-provisioningfirmware at flash time. Used to verify OTAs. - Device cert + namespace ID, in our cert authority's database, so we can revoke a cert if a device is compromised.
What you control
- Which repo SCADABLE can see. GitHub App install scope. See Connect a Repository.
- Which devices belong to which namespace. Each cert is bound to one namespace at mint time; moving a device to a different namespace requires re-flashing.
- Which environment variables and secrets reach which devices. Set per-namespace; pushed to devices on connect.
Roadmap
- On-device EST renewal. Today certs are renewed by re-flashing. The mechanism (EST endpoint at
service-edge) is wired forgateway-linux; bringing it to ESP32 is Phase 2. Until then, certs are 7-day and re-flash-renewed. - Per-namespace signing key rotation. UI to rotate the release-signing key without invalidating in-field firmware. Today we'd hand-rotate.
- SPIFFE/SPIRE for inter-service auth. Today services use HMAC-signed JWTs (
platform/authz); the interface won't change when SPIFFE lands.
Updated 4 days ago