MQTT - Secure Communication

MQTT (Part 4): Secure Communication Between Devices

Ensuring secure communication between devices is crucial when working with MQTT. In the previous parts of this MQTT series, you set up communication between two ESP8266 devices and exchanged sensor data. However, security measures were not yet implemented. Without proper security, an unauthorized user could intercept your data or disrupt your system.

This tutorial will guide you through integrating authentication so that your ESP8266 devices require a username and password to connect to the MQTT broker. While this does not guarantee complete security, it is a significant step toward protecting your data and devices.

Configuring the MQTT Broker

To secure your MQTT broker, you need to enable authentication on the Mosquitto broker running on your Raspberry Pi.

Step 1: Creating the Password File

Use the mosquitto_passwd command to create a password file and add users. Enter the following command in the terminal, replacing <username> with a username of your choice:

sudo mosquitto_passwd -c /etc/mosquitto/passwd <username>

You will then be prompted to enter a password. Choose a strong password—resources such as the Boston University provide guidelines for secure passwords. You will later use this password in your ESP8266 sketches.

To add another user without overwriting the existing password file, use this command, replacing <username> and <password> accordingly:

sudo mosquitto_passwd -b /etc/mosquitto/passwd <username> <password>

Step 2: Configuring Mosquitto

Next, edit the Mosquitto configuration file by running:

sudo nano /etc/mosquitto/mosquitto.conf

Append the following lines at the end of the file:

allow_anonymous false
password_file /etc/mosquitto/passwd

These settings disable anonymous access and specify the path to the password file.

Step 3: Restarting the Mosquitto Service

To apply the changes, restart the Mosquitto broker using:

sudo systemctl restart mosquitto

Configuring the ESP8266 Clients

Now, update your ESP8266 sketches so that they authenticate with a username and password when connecting to the broker.

Step 1: Adding Authentication Details

At the beginning of your sketch, define the username and password:

const char* mqtt_user = "Your_MQTT_Username";
const char* mqtt_password = "Your_MQTT_Password";

Step 2: Modifying the Reconnection Function

Use these credentials in the reconnect() function. The updated function should look like this:

void reconnect() {
  while (!client.connected()) {
    Serial.print("Connecting to MQTT...");
    if (client.connect("ESP8266Client", mqtt_user, mqtt_password)) {
      Serial.println("Connected");
      client.subscribe("esp8266/light");
    } else {
      Serial.print("Error, rc=");
      Serial.print(client.state());
      Serial.println(". Retrying in 5 seconds");
      delay(5000);
    }
  }
}

Step 3: Testing the Connection

Update your ESP8266 sketches with these changes and test the connection. If everything works as expected, you have successfully secured your MQTT system!

Related projects & guides:

  1. MQTT (Part 2): Setting Up an MQTT Broker on the Raspberry Pi
  2. MQTT (Part 3): Sending and Receiving Data
  3. ESP32 Internet Radio
  4. MQTT (Part 1): Introduction
GREAT
We don't track you. Enjoy your cookies while making awesome projects!