Encrypt config file #2928

Closed
mike7ang1rdz opened this issue Oct 19, 2023 · 2 comments

@mike7ang1rdz

Hello,
I have a use case where I distribute mosquitto along with a local app that works in offline mode; mosquitto holds messages, and when the computer gets an internet connection, mosquitto forwards the messages using a bridge. However, the bridge (config file) has a plaintext user name and password, which I don't like.

Is there a way to encrypt the config file or encrypt the bridge password? Or any workaround?

Thank you.

@Daedaluz
Contributor

Daedaluz commented Oct 19, 2023

I don't think there is a way today, unless you encrypt the whole config and then decrypt before starting the broker.

Anyway, how would you keep the key secret?
And if you have a way, why can't the whole config be in this location?

Otherwise, I think (not 100%) that mosquitto can use mTLS, and you could have the key stored in some other secure location, like a TPM.

@mike7ang1rdz
Author

It would be nice if the config were encrypted just like the passwords file.

I'm going to use TLS, and the cert is decrypted before starting the service; basically a combination of your suggestions.

Thanks,
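
The decrypt-before-start workaround discussed in this thread, as an added example that is not from either participant or from the mosquitto project: a POSIX shell wrapper that decrypts the config into a RAM-backed 0600 file, starts the broker on it and removes the plaintext on exit. The paths, the `openssl enc` invocation and the key file are assumptions, and the key file still has to be protected by some other means, which is the question raised above.

```sh
#!/bin/sh
# Added example, not from the thread. Paths, the openssl command and the
# key-file location are assumptions; run as the account the broker uses.
ENC_CONF="${ENC_CONF:-/etc/mosquitto/mosquitto.conf.enc}"  # hypothetical
KEY_FILE="${KEY_FILE:-/etc/mosquitto/conf.key}"            # hypothetical
RUN_DIR="${RUN_DIR:-/dev/shm}"   # RAM-backed on most Linux systems

# Write the plaintext of ciphertext file $1 to stdout.
decrypt_conf() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$KEY_FILE" -in "$1"
}

# Succeed only if $1 exists and has no group/other permission bits.
key_file_is_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Decrypt $1 into a new 0600 file under $RUN_DIR and print its path.
materialize_conf() {
    if ! key_file_is_private "$KEY_FILE"; then
        echo "refusing to use $KEY_FILE: group/other can access it" >&2
        return 1
    fi
    out=$(mktemp "$RUN_DIR/mosquitto.XXXXXX") || return 1   # created 0600
    if ! decrypt_conf "$1" > "$out"; then
        rm -f "$out"        # never leave a partial plaintext behind
        return 1
    fi
    printf '%s\n' "$out"
}

# Run the broker in the foreground on the decrypted file. The file stays
# until exit because mosquitto re-reads its config on SIGHUP.
start_broker() {
    conf=$(materialize_conf "$ENC_CONF") || return 1
    trap 'rm -f "$conf"' EXIT
    trap 'exit 1' INT TERM
    mosquitto -c "$conf"
}

if [ "${1:-}" = "start" ]; then start_broker; fi
```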

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 28, 2024