DEV Community: Hiroyuki OYAMA

Secure Key-Value Store for Raspberry Pi Pico

Hiroyuki OYAMA — Thu, 17 Apr 2025 08:44:48 +0000

Stop Hardcoding Secrets: How to Secure Configuration on Raspberry Pi Pico.

When developing IoT applications using the Raspberry Pi Pico W or Pico 2 W, you often need to handle configuration data such as Wi-Fi SSIDs, passwords, and API tokens.
During early development, it’s tempting to hardcode these values into the source code to get things running quickly. But in many cases, this practice carries over into production devices deployed in the field.
However, are those values truly secure?

Demo: How "picotool" + "strings" Exposes Your Secrets

It’s common to embed Wi-Fi settings directly in your code like this:

const char wifi_ssid[] = "MyHomeWiFi";
const char wifi_password[] = "SuperSecretWiFi123";

After flashing the firmware to your Raspberry Pi Pico, you can extract and inspect it using the following commands:

$ picotool save -a firmware.bin  # extract firmware from device
$ strings firmware.bin | grep -i wifi  # find wifi string
MyHomeWiFi
SuperSecretWiFi123

As you can see, any sensitive data embedded in the firmware can be read as plaintext.

Why This Happens

In embedded systems, constant strings and configuration values are typically placed in the read only data section during compilation, and then written directly to flash memory.
On the Raspberry Pi Pico, this means anyone with physical access and standard tools like picotool can easily retrieve them. In short, unless you take precautions, all embedded data is accessible to anyone.

The Solution: Secure Configuration with pico-kvstore

Using pico-kvstore, you can securely store configuration data in encrypted form. The setup is straightforward and consists of the following steps:

Step 1. Reading Configuration in Firmware

pico-kvstore is a key-value storage library with a minimal API consisting of only four operations: set, get, find, and delete. Retrieving Wi-Fi configuration values in firmware looks like this:

char ssid[64];
char password[64];

kvs_init();
kvs_get_str("wifi_ssid", ssid, sizeof(ssid));
kvs_get_str("wifi_password", password, sizeof(password));

This code retrieves encrypted values from storage and automatically decrypts them at runtime.

Step 2. Enabling Encrypted Storage in pico-kvstore

pico-kvstore allows flexible storage configuration via the kvs_init() function. To enable encrypted storage, simply initialize the components as shown below:

bool kvs_init(void) {
    blockdevice_t *bd = blockdevice_flash_create(KVSTORE_BANK_OFFSET,
                                                 KVSTORE_BANK_DEFAULT_SIZE);
    kvs_t *underlying_kvs = kvs_logkvs_create(bd);
    kvs_t *kvs = kvs_securekvs_create(underlying_kvs, NULL);
    kvs_assign(kvs);
    return true;
}

Reference implementation: examples/fs_init_secure.c

Step 3. Encrypting and Writing Configuration from Host

pico-kvstore comes bundled with a command-line tool called kvstore-util, which allows you to create and edit configuration disk images on the development host. You can specify the key-value pairs and the <SECRETKEY> directly from the command line to prepare a secure image for deployment.

$ kvstore-util create -f setting.bin
$ kvstore-util set -f setting.bin -k wifi_ssid -v MyHomeWiFi -e <SECRETKEY>
$ kvstore-util set -f setting.bin -k wifi_password -v SuperSecretWiFi123 -e <SECRETKEY>

💡 Note: About <SECRETKEY>
pico-kvstore derives encryption keys from device-unique identifiers:
Pico(RP2040): flash id
Pico 2(RP2350): chipid
You can obtain these values using:
$ picotool info --device
Example output:
flash id: 0xE66358986360212E # RP2040
chipid: 0x2287f6ab737e2c05 # RP2350
Providing these values as <SECRETKEY> ensures that each device uses a different encryption key, preventing decrypted reuse across devices.
Additionally, pico-kvstore allows you to define the encryption key source via callback functions, making it possible to use secrets stored in RP2350’s OTP region, for example.

Step 4. Flashing the Encrypted Configuration

$ picotool load -f setting.bin -o 0x101de000  # RP2040
$ picotool load -f setting.bin -o 0x103de000  # RP2350

Once written, the firmware can access the secure configuration without modification.

Why You Should Encrypt Configuration

Encrypting your configuration provides real, practical benefits in embedded deployments:

✅ Protects Sensitive Information from Physical Access

Unlike plaintext values that can be revealed via tools like strings, encrypted data is unreadable without the key. Even with physical access, attackers cannot easily extract Wi-Fi credentials or API keys.

✅ Device-Specific Keys Strengthen Security

By deriving encryption keys from hardware-specific identifiers like flash id or chipid, encrypted data on one device cannot be reused on another.
This makes leaked configuration data much less useful to attackers. In addition, the RP2350 supports securely storing secrets in its OTP region, which can only be read by firmware with a valid signature. This enables even stronger protection against unauthorized access to device-specific keys.

✅ Enables Safe and Flexible Updates

Encrypted configuration files can be safely updated in the field. For example, if a Wi-Fi password changes, you can simply overwrite the config file — no firmware rebuild is necessary.
This makes secure updates and maintenance easier and less error-prone.

Conclusion: Secure Configuration Is an Easy Win

Hardcoding secrets in firmware may seem convenient during development, but it introduces serious risks when devices are deployed.

By using pico-kvstore, you can:

Keep sensitive values out of the firmware
Store configuration data in encrypted form
Use device-unique keys for added protection
Enable secure, hassle-free configuration updates

These benefits can be achieved with minimal changes to your codebase, and are well worth the investment.
Security doesn’t have to be complicated. Sometimes, the most impactful improvements are the smallest.

Further Resources

📦 GitHub repository: https://github.com/oyama/pico-kvstore

All tools and example code mentioned in this article are available in the repository above.

The Minimal Way to Store Configuration on Raspberry Pi Pico

Hiroyuki OYAMA — Thu, 17 Apr 2025 08:35:49 +0000

Need to store settings like Wi-Fi credentials on Raspberry Pi Pico without a bulky filesystem? Here’s a minimal and reliable solution that works with flash memory directly.
When developing with Raspberry Pi Pico (RP2040), you often need to store configuration data such as Wi-Fi credentials or sensor thresholds. While hardcoding these values into your source code is fine during prototyping, a more flexible solution is preferred for production or multi-device deployments.
A common method is to write data directly to the onboard flash memory. However, flash memory has asymmetric erase and write operations, making it somewhat tricky to handle safely and efficiently.
That’s where pico-kvstore comes in — a simple, robust option designed specifically to handle flash memory characteristics and support day-to-day configuration storage with ease.

The Challenge of Writing Directly to Flash

RP2040 allows storing configuration data directly in flash memory, for example by writing raw bytes or structs to an unused area.
Flash memory updates involve two steps: erase and program. Erase is performed in 4KB blocks, while programming (writing) is done in 256-byte chunks. After erasing, memory is filled with 0xff. Programming a value changes 1 to 0 bit, but changing 0 to 1 bit requires erasing the entire block.
To efficiently use flash memory while safely handling updates and rewrites, you need a custom algorithm and data structure.
pico-kvstore abstracts away these complexities and provides a safe and user-friendly interface for persistent data storage.

Simple and Safe Storage with “pico-kvstore”

pico-kvstore is a lightweight key-value store designed to safely and efficiently store configuration or sensor data in RP2040’s flash memory.
It handles the low-level flash constraints internally, exposing a simple API to the user:

kvs_set(“KEY”, value, strlen(value));
kvs_get(“KEY”, buffer, sizeof(buffer));

While you only interact with keys and values, internally it uses a log-structured format with wear leveling and crash safety.
For users who don’t need a full filesystem but want safe configuration storage, pico-kvstore is an ideal choice.

Writing Wi-Fi Settings from the Host

If your device uses Wi-Fi, being able to update SSID and password after deployment can be extremely useful — for example, when reusing the same firmware in different environments.
pico-kvstore makes it easy to write these settings from your development host and read them back on the device during boot.

1. Writing Config from the Host

Prepare your configuration files on the host and use a tool to create a pico-kvstore image file:

# Write Wi-Fi credentials to a kvstore image
kvstore-util create -f setting.bin
kvstore-util set -f setting.bin -k SSID -v “Home_Wi-Fi”
kvstore-util set -f setting.bin -k PASSWORD -v “Secret Password”

Write the generated setting.bin image file to the Pico’s flash using picotool:

# Write kvstore image to flash
picotool load --offset 0x101de000 setting.bin

2. Reading Config at Boot

On the firmware side, use kvs_get_str() to read stored settings:

char ssid[33];
char pass[64];

kvs_init();
if (kvs_get_str("SSID", ssid, sizeof(ssid)) == 0 &&
    kvs_get_str("PASSWORD", pass, sizeof(pass)) == 0)
{
    connect_to_wifi(ssid, pass);
} else {
    printf("No Wi-Fi config found.\n");
}

Benefits of Separating Configuration from Firmware

By using pico-kvstore, you can decouple your firmware and configuration, leading to several practical advantages:

1. No Need to Rebuild or Reflash

You can update settings without touching the firmware, speeding up development and deployment.

2. Easy Per-Device Configuration

Reuse the same firmware while customizing settings for each device. Ideal for batch provisioning and shipping.

3. Simpler Testing and Version Control

With code and config separated, it’s easier to manage firmware versions and perform consistent testing.

Getting Started

pico-kvstore is easy to integrate into any Pico SDK-based project. Simply pull the code from GitHub and link it in your project.

1. Clone the Repository

git clone --recursive https://github.com/oyama/pico-kvstore.git

2. Add to Your CMake Project

Update your CMakeLists.txt as follows:

add_subdirectory(pico-kvstore)
target_link_libraries(your_project PRIVATE
  kvstore
  kvstore_default
)

3. Minimal Example

#include “kvstore.h”

int main(void) {
    kvs_init();

    kvs_set("hello", "world", 5);

    char buffer[16];
    if (kvs_get_str("hello", buffer, sizeof(buffer)) == 0) 
        printf("hello=%s\n", buffer);

    return 0;
}

4. Flash Storage Area

You can customize the offset and size of the storage area depending on your project. See the repository README for details.

Conclusion — Lightweight Storage for Flexible Operation

pico-kvstore offers a simple yet powerful solution for configuration persistence on resource-constrained platforms like the RP2040.
This article introduced the library using Wi-Fi settings as a concrete example, highlighting key benefits:

A simple API that abstracts away flash memory constraints
Robust structure with wear leveling and crash tolerance
Separation of firmware and configuration for operational flexibility

It’s especially useful for:

IoT devices that require reconfigurable parameters (Wi-Fi, thresholds, etc.)
Deployments with environment-specific settings
Applications that don’t need a full filesystem but benefit from structured storage

Future improvements may include better host integration tools for editing and inspecting config images. We hope pico-kvstore makes your next Pico project a little more efficient.

👉 GitHub Repository:
🔗 https://github.com/oyama/pico-kvstore
Try it out and let me know what you build!