[SECURITY] Migrate MQTT to authenticated HiveMQ Cloud with TLS #2

@farcomiot

🔒 MQTT Security Migration

Parent: #1

Current State

  • Using public HiveMQ broker (broker.hivemq.com:1883)
  • No authentication, no encryption
  • Anyone can subscribe to farcom/enviro and read sensor data

Goal

  • Migrate to HiveMQ Cloud (free tier: 100 connections)
  • Enable TLS/SSL (port 8883)
  • Add username/password authentication
  • Store credentials securely via .env file (not in git)

Tasks

  • Create HiveMQ Cloud account (ref: HiveEmail / HivePw)
  • Generate cluster credentials
  • Update Pi script: add TLS context (ssl.create_default_context())
  • Update Pi script: add username/password to MQTT connect
  • Update dashboard: switch WebSocket endpoint to wss:// with auth
  • Test end-to-end encrypted flow
  • Update docs/CREDENTIALS.md with new reference keys
  • Remove public broker fallback

Pi Script Changes

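# Current (insecure): plaintext, unauthenticated public broker
client.connect("broker.hivemq.com", 1883, 60)

# Target (secure)
import os
import ssl

# Default context verifies the broker certificate chain and hostname
context = ssl.create_default_context()
# Credentials and host come from the environment (.env), not from source
client.username_pw_set(os.environ["MQTT_USER"], os.environ["MQTT_PASS"])
client.tls_set_context(context)
client.connect(os.environ["MQTT_HOST"], 8883, 60)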
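
One way to make the "remove public broker fallback" task enforceable in the Pi script, as an added example that is not code from this repository: the script refuses to start unless all three settings are present and the host is not the old public broker. The names `load_mqtt_config`, `build_tls_context`, `connect_secure` and `ConfigError` are hypothetical; `client` is assumed to be a paho-mqtt client object, and the host in the demo is a constructed placeholder.

```python
import os
import ssl

PUBLIC_BROKERS = {"broker.hivemq.com"}  # the unauthenticated host being retired
REQUIRED = ("MQTT_HOST", "MQTT_USER", "MQTT_PASS")
TLS_PORT = 8883


class ConfigError(RuntimeError):
    """Raised when the secure MQTT settings are missing or unsafe."""


def load_mqtt_config(env):
    """Return (host, user, password) or raise; there is no fallback broker."""
    missing = [k for k in REQUIRED if not env.get(k, "").strip()]
    if missing:
        raise ConfigError("missing settings: " + ", ".join(missing))
    # Normalise case and a trailing dot so "Broker.HiveMQ.com." is caught too
    host = env["MQTT_HOST"].strip().lower().rstrip(".")
    if host in PUBLIC_BROKERS:
        raise ConfigError("public broker is not allowed: " + host)
    return host, env["MQTT_USER"], env["MQTT_PASS"]


def build_tls_context():
    """Default context (CA verification and hostname check), TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_secure(client, env=None):
    """Validate settings first, then set auth and TLS and connect."""
    host, user, password = load_mqtt_config(os.environ if env is None else env)
    client.username_pw_set(user, password)
    client.tls_set_context(build_tls_context())
    client.connect(host, TLS_PORT, 60)
    return host, TLS_PORT


if __name__ == "__main__":
    # Constructed settings that still point at the old broker: must be rejected
    stale = {"MQTT_HOST": "Broker.HiveMQ.com.", "MQTT_USER": "u", "MQTT_PASS": "p"}
    try:
        load_mqtt_config(stale)
    except ConfigError as exc:
        print("refused:", exc)
```

Because validation runs before any client method is called, a missing `.env` value stops the script instead of silently publishing over an unencrypted connection.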

Risk

  • Dashboard must be updated simultaneously (breaking change)
  • Public broker data will stop flowing immediately

Ref: #1 Roadmap — Security & Infrastructure
