Security
Network Isolation
- Tailscale — All cloud communication encrypted via WireGuard
- No inbound ports — The adapter initiates all connections outbound
- VLAN isolation — Recommended: put IoT devices on a separate VLAN from user traffic
- Firewall rules — Only allow outbound UDP 41641 and HTTPS 443
Secret Management
| Secret | Storage | Notes |
|---|---|---|
| API Key | Environment variable | Never committed to source control |
| UniFi credentials | Environment variable | Use a dedicated service account |
| Tailscale auth key | Used once during setup | Not stored after initial connection |
| Device credentials | SQLite database | Database file permissions: 600 |
Hardening Checklist
- Change default Raspberry Pi password
- Disable password-based SSH (use key-based auth)
- Enable automatic security updates (`unattended-upgrades`)
- Set restrictive file permissions on `.env` and the SQLite database
- Disable unused network services
- Mount SD card with `noexec` for non-application partitions
- Enable firewall (`ufw`) with minimal allowed rules
- Use a dedicated, non-root user for the IoT Adapter service
Data at Rest
- SQLite database contains device configurations and credentials
- Ensure the database file has restrictive permissions (`chmod 600`)
- Consider full-disk encryption for sensitive deployments
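The following POSIX shell script is an added example, not code from the IoT Adapter project: it turns the hardening checklist and the data-at-rest guidance above into repeatable checks (file modes on `.env` and the SQLite database, password-based SSH disabled, a non-root service account) and emits the `ufw` rule set described under Firewall rules. The paths `/opt/iot-adapter/.env` and `/opt/iot-adapter/adapter.db` and the service user name `iot-adapter` are assumptions; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the IoT Adapter project): audit helpers for the
# hardening checklist. All paths and the user name below are assumptions.
ENV_FILE="${ENV_FILE:-/opt/iot-adapter/.env}"        # assumed location of .env
DB_FILE="${DB_FILE:-/opt/iot-adapter/adapter.db}"     # assumed SQLite database path
SERVICE_USER="${SERVICE_USER:-iot-adapter}"           # assumed dedicated service user

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the file exists and has exactly the expected octal mode
# (the checklist asks for 600 on .env and the SQLite database).
check_mode() {
    path=$1; expected=$2
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    actual=$(file_mode "$path")
    [ "$actual" = "$expected" ] && return 0
    echo "BAD MODE $path is $actual, expected $expected"
    return 1
}

# Return 0 when the given sshd_config file disables password authentication.
ssh_password_disabled() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1"
}

# Emit the ufw rule set for the "Firewall rules" bullet: deny everything by
# default, then allow only outbound Tailscale UDP 41641 and HTTPS 443.
ufw_rules() {
    cat <<'EOF'
ufw default deny incoming
ufw default deny outgoing
ufw allow out 41641/udp
ufw allow out 443/tcp
ufw enable
EOF
}

# Return 0 when an /etc/passwd-style line describes a non-root account
# (field 3 is the UID; root is UID 0).
is_nonroot_account() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# Run every check against the live system; exit status 1 if anything fails.
run_audit() {
    rc=0
    check_mode "$ENV_FILE" 600 || rc=1
    check_mode "$DB_FILE" 600 || rc=1
    ssh_password_disabled /etc/ssh/sshd_config || { echo "SSH password auth still enabled"; rc=1; }
    if line=$(getent passwd "$SERVICE_USER") && is_nonroot_account "$line"; then
        :
    else
        echo "service user $SERVICE_USER missing or running as root"; rc=1
    fi
    return $rc
}

# Usage: sh harden-audit.sh audit      (prints findings, exits 1 on any failure)
#        sh harden-audit.sh rules      (prints the ufw commands to apply)
case "${1:-}" in
    audit) run_audit ;;
    rules) ufw_rules ;;
esac
```

Review the printed `ufw` commands before applying them: with `default deny outgoing` in place, only the two listed ports leave the device, so name resolution and any package mirror not reachable over HTTPS 443 will be blocked until the rule set is extended for that deployment.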
Next Steps
- Network Security — Platform-wide security
- Installation — Setup guide