Among its authentication options, AWS IoT can use X.509 certificates to perform mutual authentication with IoT devices. Below we will use Zymkey to protect the private key that AWS IoT's default configuration assigns to our device. In this example the AWS credentials are encrypted by Zymkey and stored on the SD card. This allows development flexibility while enjoying the hardware-rooted security features of Zymkey.
Configure and bind your Zymkey
Before working through this tutorial, make sure your Zymkey is connected and bound to your host Raspberry Pi device. For details, see: Getting Started With Zymkey
Registering the AWS IoT device
First, log in to the AWS IoT console and click "Get started" under "Configuring a device":
On the following screen, click "Get started" again:
Choose "Linux/OSX" under "Choose a platform" and "Python" under "Choose an AWS IoT Device SDK":
Now, give your device a name:
And finally, under "Download connection kit for" click the "Linux/OSX" button:
Copy the connection kit to the RPi
Now that we have the connection kit on our local workstation, let's copy it down to the RPi with the command:
scp ~/Downloads/connect_device_package.zip pi@unicornpi:
In the example above, replace pi@unicornpi with the username and hostname of your RPi.
And finally, connect to your RPi via SSH:
ssh pi@unicornpi
Again, replace the username and hostname in the example above.
Unpack the AWS-provided connect package
Here we create an awsiot-demo directory for the demo project and unpack the package provided by AWS:
pi@unicornpi:~ $ mkdir awsiot-demo
pi@unicornpi:~ $ cd awsiot-demo/
pi@unicornpi:~/awsiot-demo $ unzip ~/connect_device_package.zip
Locking the private key
The package contains the private key, unicornpi.private.key, which is the secret Zymkey will protect. Use the following zymkey lock command:
zymkey lock --rm unicornpi.private.key unicornpi.private.key.lock
The above command writes the locked private key contents to the file unicornpi.private.key.lock and removes the original file. The locked file's permissions are also restricted to read-only for the current user.
Using the locked private key
The contents of the locked file can be printed to the screen using the zymkey unlock command with - as the output file:
zymkey unlock unicornpi.private.key.lock -
The screenshot below shows just the first couple of lines using
To use it for running the AWS IoT program, run zymkey unlock with the -c flag, passing along the command to run:
zymkey unlock unicornpi.private.key.lock unicornpi.private.key -c 'bash ./start.sh'
The command above unlocks the file to unicornpi.private.key and then runs the start.sh script that was provided in the .zip file. The plaintext key exists on disk only while that command runs: when the program exits or is killed, the unlocked file is removed again.
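As an added example (not part of the original tutorial or the Zymkey project), the wrapper below puts the lock and unlock steps above into two shell functions and adds the check a practitioner wants: it refuses to run if a plaintext copy of the key is already lying around, and it verifies after the run that the plaintext really was removed. It assumes the zymkey CLI accepts the arguments shown in the commands above and uses the tutorial's file names as defaults.

```bash
#!/usr/bin/env bash
# Wrapper around the zymkey lock / unlock flow from the tutorial.
# Assumption: `zymkey lock --rm SRC DST` and `zymkey unlock LOCKED DST -c 'CMD'`
# behave as shown above. File names are the tutorial's and can be overridden.
set -euo pipefail

PLAIN_KEY="${PLAIN_KEY:-unicornpi.private.key}"
LOCKED_KEY="${LOCKED_KEY:-unicornpi.private.key.lock}"

# Fail if a plaintext key is present: either the key was never locked or a
# previous run did not clean up after itself.
check_no_plaintext() {
  if [ -e "$1" ]; then
    echo "plaintext key $1 is present; refusing to continue" >&2
    return 1
  fi
  return 0
}

# One-time step: encrypt the key with the Zymkey, remove the original and make
# sure even the ciphertext is readable only by its owner.
lock_key() {
  local plain="$1" locked="$2"
  zymkey lock --rm "$plain" "$locked" || return 1
  chmod 0400 "$locked"
}

# Run CMD with the key unlocked to PLAIN; zymkey deletes the plaintext when
# CMD exits, and we confirm that before returning CMD's exit status.
run_with_key() {
  local locked="$1" plain="$2" cmd="$3" rc=0
  check_no_plaintext "$plain" || return 1
  zymkey unlock "$locked" "$plain" -c "$cmd" || rc=$?
  check_no_plaintext "$plain" || return 1
  return "$rc"
}

# Usage: ./run_locked.sh lock   (once)   |   ./run_locked.sh run
case "${1:-}" in
  lock) lock_key "$PLAIN_KEY" "$LOCKED_KEY" ;;
  run)  run_with_key "$LOCKED_KEY" "$PLAIN_KEY" 'bash ./start.sh' ;;
esac
```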
We are working on integrating AWS IoT directly with Zymkey as the private key, instead of using the AWS-provided private key. Stay tuned!