Secure Key-Value Store for Raspberry Pi Pico


Apr 17, 2025 - 09:58

Stop Hardcoding Secrets: How to Secure Configuration on Raspberry Pi Pico.

When developing IoT applications using the Raspberry Pi Pico W or Pico 2 W, you often need to handle configuration data such as Wi-Fi SSIDs, passwords, and API tokens.
During early development, it’s tempting to hardcode these values into the source code to get things running quickly, and in many cases this practice carries over into production devices deployed in the field.
Are those values truly secure?

Demo: How "picotool" + "strings" Exposes Your Secrets

It’s common to embed Wi-Fi settings directly in your code like this:

const char wifi_ssid[] = "MyHomeWiFi";
const char wifi_password[] = "SuperSecretWiFi123";

After flashing the firmware to your Raspberry Pi Pico, you can extract and inspect it using the following commands:

$ picotool save -a firmware.bin  # extract firmware from device
$ strings firmware.bin | grep -i wifi  # find wifi string
MyHomeWiFi
SuperSecretWiFi123

As you can see, any sensitive data embedded in the firmware can be read as plaintext.

Why This Happens

In embedded systems, constant strings and configuration values are typically placed in the read-only data section during compilation, and then written directly to flash memory.
On the Raspberry Pi Pico, this means anyone with physical access and standard tools like picotool can easily retrieve them. In short, unless you take precautions, all embedded data is accessible to anyone.

The Solution: Secure Configuration with pico-kvstore

Using pico-kvstore, you can securely store configuration data in encrypted form. The setup is straightforward and consists of the following steps:

Step 1. Reading Configuration in Firmware

pico-kvstore is a key-value storage library with a minimal API consisting of only four operations: set, get, find, and delete. Retrieving Wi-Fi configuration values in firmware looks like this:

char ssid[64];
char password[64];

kvs_init();
kvs_get_str("wifi_ssid", ssid, sizeof(ssid));
kvs_get_str("wifi_password", password, sizeof(password));

This code retrieves encrypted values from storage and automatically decrypts them at runtime.

Step 2. Enabling Encrypted Storage in pico-kvstore

pico-kvstore allows flexible storage configuration via the kvs_init() function. To enable encrypted storage, simply initialize the components as shown below:

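bool kvs_init(void) {
    // Flash region reserved for the key-value store
    blockdevice_t *bd = blockdevice_flash_create(KVSTORE_BANK_OFFSET,
                                                 KVSTORE_BANK_DEFAULT_SIZE);
    // Underlying key-value store on top of the flash block device
    kvs_t *underlying_kvs = kvs_logkvs_create(bd);
    // Secure layer wrapping the underlying store; this enables encrypted storage
    kvs_t *kvs = kvs_securekvs_create(underlying_kvs, NULL);
    // Make the secure store the one used by the kvs_* calls
    kvs_assign(kvs);
    return true;
}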

Reference implementation: examples/fs_init_secure.c

Step 3. Encrypting and Writing Configuration from Host

pico-kvstore comes bundled with a command-line tool called kvstore-util, which allows you to create and edit configuration disk images on the development host. You can specify the key-value pairs and the directly from the command line to prepare a secure image for deployment.

$ kvstore-util create -f setting.bin
$ kvstore-util set -f setting.bin -k wifi_ssid -v MyHomeWiFi -e 
$ kvstore-util set -f setting.bin -k wifi_password -v SuperSecretWiFi123 -e
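
A release check for the exposure shown in the picotool + strings demo, added here as an example (it is not part of the original article or of pico-kvstore): it scans an image for the literal secret values and fails if one is found. The function name and the one-value-per-line secrets file are assumptions, and the sample images are constructed inline.

```sh
#!/bin/sh
# Added example: fail a build if a known secret value is present as plaintext
# in a binary image (firmware.bin, or a kvstore image such as setting.bin).
# secrets file: one value per line; hypothetical name, keep it out of the repo.
# Returns 0 = clean, 1 = secret found, 2 = unreadable input.
scan_image_for_secrets() {
    image=$1
    secrets=$2
    if [ ! -r "$image" ] || [ ! -r "$secrets" ]; then
        echo "usage: scan_image_for_secrets IMAGE SECRETS_FILE" >&2
        return 2
    fi
    found=0
    while IFS= read -r secret || [ -n "$secret" ]; do
        # Skip blank or very short entries; they would match arbitrary bytes.
        [ "${#secret}" -ge 4 ] || continue
        # -a: scan binary as text, -F: literal string, -e: value may start with '-'
        if LC_ALL=C grep -a -q -F -e "$secret" "$image"; then
            # Report only the length so the secret never lands in CI logs.
            echo "FAIL: $image holds a plaintext secret (${#secret} chars)" >&2
            found=1
        fi
    done < "$secrets"
    return "$found"
}

# Constructed sample images (not real firmware): one embeds the article's demo
# strings the way the read-only data section would, the other only opaque bytes.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'MyHomeWiFi\nSuperSecretWiFi123\n' > "$tmp/secrets.txt"
    printf '\000\001boot\000MyHomeWiFi\000SuperSecretWiFi123\000\377' > "$tmp/hardcoded.bin"
    printf '\000\001boot\000\237\022\344\000\377' > "$tmp/clean.bin"
    leaky=0; clean=0
    scan_image_for_secrets "$tmp/hardcoded.bin" "$tmp/secrets.txt" || leaky=$?
    scan_image_for_secrets "$tmp/clean.bin" "$tmp/secrets.txt" || clean=$?
    rm -rf "$tmp"
    echo "hardcoded=$leaky clean=$clean"
}
demo
```

Run it against the firmware image after moving the values into pico-kvstore; a non-zero exit should block the release.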