-
-
Notifications
You must be signed in to change notification settings - Fork 19
Identity Management
Guide for managing cryptographic identities in pyMC Repeater.
- Understanding Identity
- Automatic Identity Generation
- Creating Your Own Identity
- Identity Configuration Methods
- Verifying Your Identity
- Identity Security Best Practices
- Troubleshooting Identity Issues
Each repeater has a unique cryptographic identity consisting of a private key and derived public key. The identity determines your repeater's node address and enables packet signing.
- Private Key: 64-byte (128 hex characters) Ed25519 key used for signing packets
- Public Key: Derived from the private key using Ed25519 scalar multiplication
- Node Address: The first byte of the public key (0x00-0xFF)
- Unique Identification: Each node has a unique address on the mesh network
- Packet Signing: Enables cryptographic verification of packet authenticity
- Network Trust: Allows other nodes to verify messages came from your repeater
- Persistent Identity: Maintains the same address across restarts
If no identity is configured, the repeater automatically generates a new identity on first startup.
repeater:
identity_file: null # Auto-generate- On first startup, generates a random 64-byte Ed25519 private key
- Derives the public key and node address
- Stores the identity in the storage directory
- Reuses the same identity on subsequent runs
- Quick testing and development
- Non-production deployments
- When you don't need a specific node address
There are two main approaches to creating a custom identity:
Create a fresh identity file with a cryptographically secure random key.
Steps:
# Generate a random 64-byte key
python3 -c "import secrets; print(secrets.token_hex(64))" > /etc/pymc_repeater/identity.key
# Secure the file permissions
sudo chmod 600 /etc/pymc_repeater/identity.key
sudo chown root:root /etc/pymc_repeater/identity.keyConfigure in config.yaml:
repeater:
identity_file: "/etc/pymc_repeater/identity.key"Advantages:
- Full control over key storage location
- Good for new deployments
If you have a MeshCore firmware device and want your repeater to use that identity (node address), use the convert_firmware_key.sh script.
- Extract the 64-byte private key from your MeshCore firmware device
- Have sudo access to modify configuration files
- Python 3 with
yamlandnaclpackages installed
cd /path/to/pyMC_Repeater
sudo ./convert_firmware_key.sh <64-byte-hex-key> [config-path]Parameters:
-
<64-byte-hex-key>- The 128 hex character private key from firmware (required) -
[config-path]- Path to config.yaml (optional, defaults to/etc/pymc_repeater/config.yaml)
# Navigate to pyMC_Repeater directory
cd ~/pyMC_Repeater
# Run the conversion script with your firmware key
sudo ./convert_firmware_key.sh \
987BDA619630197351F2B3040FD19B2EE0DEE357DD69BBEEE295786FA78A4D5F298B0BF1B7DE73CBC23257CDB2C562F5033DF58C232916432948B0F6BA4448F2 \
/etc/pymc_repeater/config.yaml- Validates the key format (must be exactly 128 hex characters)
- Derives the public key using Ed25519 scalar multiplication
- Calculates the node address (first byte of public key)
- Creates a timestamped backup of your current config.yaml
-
Imports the key into
mesh.identity_keyfield - Offers to restart the repeater service automatically
=== MeshCore Firmware Key Import ===
Input (64-byte firmware key):
987BDA619630197351F2B3040FD19B2E...
Derived public key: a1b2c3d4e5f6...
Node address: 0xa1
Created backup: /etc/pymc_repeater/config.yaml.backup.1234567890
✓ Successfully updated /etc/pymc_repeater/config.yaml
Restart pymc-repeater service now? (yes/no):
- Running multiple devices with the same key simultaneously can cause network confusion
- Other nodes may see conflicting messages from the same address
- Use shared identity only for migration or testing scenarios
There are two ways to configure your repeater's identity:
Store the private key in a separate file.
Configuration:
repeater:
identity_file: "/etc/pymc_repeater/identity.key"File Format:
The identity file should contain exactly 128 hex characters (64 bytes) representing the private key:
987BDA619630197351F2B3040FD19B2EE0DEE357DD69BBEEE295786FA78A4D5F298B0BF1B7DE73CBC23257CDB2C562F5033DF58C232916432948B0F6BA4448F2
Advantages:
- ✅ Clean separation of config and secrets
- ✅ Easier to manage file permissions independently
- ✅ Can be symlinked or mounted from secure storage
- ✅ Simple text format for easy backup and verification
- ✅ No need to modify config.yaml when rotating keys
Best for:
- Production deployments
- Security-conscious setups
- Manual key management
Store the key directly in config.yaml as a binary field.
Configuration:
mesh:
identity_key: !!binary |
mHvdaZYwGXNR8rMED9GbLuDe41fdaaYwGXNR8rMED9G...Notes:
- This is a YAML binary field (base64-encoded)
- The
convert_firmware_key.shscript uses this method - The encoding is handled automatically by the script
If both methods are configured, the repeater uses this priority:
-
repeater.identity_file(if set and file exists) -
mesh.identity_key(if set in config) - Auto-generated identity (if neither is set)
After configuring an identity, verify it loaded correctly.
# View recent logs with identity information
sudo journalctl -u pymc-repeater -n 100 | grep -i 'identity\|hash\|address'
# Follow logs in real-time
sudo journalctl -u pymc-repeater -f | grep -i 'identity\|hash\|address'INFO - Loading identity from file: /etc/pymc_repeater/identity.key
INFO - Identity loaded successfully
INFO - Node address: 0xa1
INFO - Public key hash: a1b2c3d4e5f6...
# Check if file exists and has correct permissions
sudo ls -la /etc/pymc_repeater/identity.key
# Verify key format (should be exactly 128 hex characters)
cat /etc/pymc_repeater/identity.key | wc -c
# Should output: 128 (or 129 if newline is present)
# Check the key is valid hexadecimal
cat /etc/pymc_repeater/identity.key | grep -E '^[0-9a-fA-F]{128}$'
# Should output the key if validIf the web interface is running:
- Open
http://<repeater-ip>:8080in your browser - Check the "Node Info" or "Status" section
- Verify the node address matches your expectations
The private key is the most sensitive component - anyone with access can impersonate your node.
# Set restrictive permissions (owner read-only)
sudo chmod 600 /etc/pymc_repeater/identity.key
# Ensure root ownership
sudo chown root:root /etc/pymc_repeater/identity.key
# Verify permissions
ls -la /etc/pymc_repeater/identity.key
# Should show: -rw------- 1 root root# Create a secure backup
sudo cp /etc/pymc_repeater/identity.key ~/identity-backup-$(date +%Y%m%d).key
# Store offline securely
# - USB drive in safe location
# - Encrypted backup service
# - Password manager with secure notes- ❌ Don't share via email, chat, or cloud storage
- ❌ Don't commit to version control (git, etc.)
- ❌ Don't post in public forums or documentation
- ✅ Public keys and addresses are safe to share
Unless intentionally sharing identity with a firmware device:
- Each repeater should have its own unique identity
- Prevents address conflicts on the network
- Easier to track and identify individual nodes
- Improves network security and accountability
If you suspect a key has been compromised:
# Generate a new identity immediately
python3 -c "import secrets; print(secrets.token_hex(64))" | sudo tee /etc/pymc_repeater/identity.key
# Restart the repeater
sudo systemctl restart pymc-repeater
# Update documentation with new node address# Protect config.yaml if using mesh.identity_key
sudo chmod 600 /etc/pymc_repeater/config.yaml
sudo chown root:root /etc/pymc_repeater/config.yamlCheck if identity file exists and is readable:
sudo ls -la /etc/pymc_repeater/identity.keyVerify key format (should be 128 hex characters):
cat /etc/pymc_repeater/identity.key | wc -c
# Should output: 128 (or 129 if newline present)
# Remove trailing newline if present
sudo truncate -s 128 /etc/pymc_repeater/identity.keyCheck logs for specific error:
sudo journalctl -u pymc-repeater -n 50 | grep -i identityCommon errors:
-
Identity file not found- Check path in config.yaml matches actual file location -
Invalid key format- Ensure file contains exactly 128 hex characters -
Permission denied- Check file permissions and ownership
Ensure key is exactly 128 hex characters (no spaces/newlines):
echo -n "YOUR_KEY_HERE" | wc -c
# Should output: 128Verify Python dependencies are installed:
python3 -c "import yaml, nacl; print('Dependencies OK')"If dependencies are missing:
pip3 install pyyaml pynacl
# or
sudo apt install python3-yaml python3-naclCheck config path is correct:
sudo ls -la /etc/pymc_repeater/config.yamlRun script with explicit path:
sudo ./convert_firmware_key.sh YOUR_KEY /etc/pymc_repeater/config.yamlIf you imported a firmware key but the address is different:
Verify key was imported correctly:
# Check if mesh.identity_key exists in config
grep -A 5 "mesh:" /etc/pymc_repeater/config.yaml | grep identity_keyRecalculate address from key:
# Create a test script: check_address.py
from nacl.bindings import crypto_scalarmult_ed25519_base_noclamp
key_hex = "YOUR_64_BYTE_KEY_HERE"
key_bytes = bytes.fromhex(key_hex)
scalar = key_bytes[:32]
pubkey = crypto_scalarmult_ed25519_base_noclamp(scalar)
address = pubkey[0]
print(f"Node address should be: 0x{address:02x}")Run it:
python3 check_address.pyEnsure firmware key format is correct:
- Must be full 64-byte key (128 hex chars)
- Not just the 32-byte scalar portion
- Format: [32-byte scalar][32-byte nonce]
Last Updated: January 2026
Compatible with: pyMC Repeater v1.0.5+