A professional embedded security project developed in CircuitPython for the Arduino Nano RP2040 Connect.
Pluto-Secure is an experimental password and credential manager built from scratch to demonstrate secure design and encryption practices in constrained environments. It leverages CircuitPython and cryptographic modules to store, encrypt, and retrieve passwords securely.
This project is part of a professional portfolio to showcase full-cycle secure embedded development.
Build a complete, secure password vault from concept to implementation, demonstrating secure architecture, cryptography, and hardware integration.
- Store passwords securely in onboard flash memory.
- Encrypt passwords using AES-CBC with a user-supplied master key.
- Retrieve stored passwords only with correct authentication.
- Store the master key securely using hash + salt.
- Provide a password suggestion tool:
- Custom length
- Customizable character set: letters, numbers, symbols
- Automatically identify which key to provide based on login page or context.
- Associate usernames and passwords with services or sites.
- Enable local password management with optional user accounts.
- Optional display-based UI (OLED or small screen).
- Secure export/import of encrypted data.
Following the STRIDE model:
| Threat | Risk | Mitigation |
|---|---|---|
| Spoofing | Unauthorized access to secrets | Salted hash comparison of master key |
| Tampering | Modification of saved credentials | AES-CBC encryption with per-entry IV |
| Repudiation | Lack of traceability | (Planned) Optional logging system |
| Information Disclosure | Reading /keys.db file directly |
All data encrypted with strong symmetric encryption |
| Denial of Service | File deletion or filesystem corruption | Physical recovery mode and backups |
| Elevation of Privilege | Gaining access to all secrets | Context-based segmentation and per-entry authentication (future) |
- Symmetric encryption: AES-CBC with 16-byte blocks
- Authentication: SHA256 + salt hash of master key
- Data integrity: Ensured via IV separation and optional HMAC (future)
- Storage control:
- CircuitPython has exclusive write access when in secure mode
- RGB LED indicates storage state: 🔴 CircuitPython-writeable, 🔵 PC-writeable
- Separation of concerns: clean modular architecture
CIRCUITPY/
├── boot.py # Boot mode logic (safe or writable)
├── code.py # Main controller
├── auth_manager.py # Master key management (registration & validation)
├── crypto_engine.py # AES encryption engine
├── key_store.py # Encrypted credential storage
├── keygen.py # Secure password generator
├── ui_serial.py # Serial interface for user input
├── /auth.db # Salt + hash of master password
├── /keys.db # Encrypted credentials database
└── /logs.txt # (Optional) Access logs