![\"ESP32](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/09\/ESP32-ESP-NOW-Encrypted-Messages.jpg?resize=1200%2C675&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nIf you’re new to ESP-NOW, we recommend reading the following getting started guide first to get familiar with ESP-NOW concepts and functions on the ESP32:<\/p>\n\n\n\n
- Getting Started with ESP-NOW (ESP32 with Arduino IDE)<\/a><\/li><\/ul>\n\n\n\n
CCMP Security Protocol<\/h2>\n\n\n\n
CCMP means Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. This is an encryption protocol designed for Wireless LAN. ESP-NOW can use the CCMP method to encrypt messages. <\/p>\n\n\n\n
Accordingly to the documentation<\/a>:<\/p>\n\n\n\n
“ESP-NOW use CCMP <\/strong>method which can be referenced in IEEE Std. 802.11-2012 to protect the vendor-specific action frame.” <\/em><\/p>\n\n\n\n
The Wi-Fi device maintains a Primary Master Key (PMK)<\/strong> and several Local Master Keys (LMK)<\/strong>. The length of the keys is 16 bytes.<\/p>\n\n\n\n
Primary Master Key (PMK)<\/h3>\n\n\n\n
PMK is used to encrypt LMK with the AES-128 algorithm. To set the PMK key of the Wi-Fi device, you can use the esp_now_set_pmk()<\/span> function to set PMK. If PMK is not set, a default PMK will be used.<\/p>\n\n\n\n
Local Master Key (LMK)<\/h3>\n\n\n\n
You should set the LMK of the paired device to encrypt the vendor-specific action frame with CCMP method. The maximum number of different LMKs is six. The LMK is a property of the peer, esp_now_peer_info_t<\/span> object, and can be set on the lmk<\/span> property as we’ll see later.<\/p>\n\n\n\n
ESP32: Getting Board MAC Address<\/h2>\n\n\n\n
To communicate via ESP-NOW, you need to know the MAC Addresses of the boards so that you can add each other as peers.<\/p>\n\n\n\n
Each ESP32 has a unique MAC Address<\/a> and that’s how we identify each board (learn how to Get and Change the ESP32 MAC Address<\/a>).<\/p>\n\n\n\n
To get your board’s MAC Address, upload the following code.<\/p>\n\n\n
\/*\n Rui Santos & Sara Santos - Random Nerd Tutorials\n Complete project details at https:\/\/RandomNerdTutorials.com\/get-change-esp32-esp8266-mac-address-arduino\/\n Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files. \n The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n*\/\n#include <WiFi.h>\n#include <esp_wifi.h>\n\nvoid readMacAddress(){\n uint8_t baseMac[6];\n esp_err_t ret = esp_wifi_get_mac(WIFI_IF_STA, baseMac);\n if (ret == ESP_OK) {\n Serial.printf("%02x:%02x:%02x:%02x:%02x:%02x\\n",\n baseMac[0], baseMac[1], baseMac[2],\n baseMac[3], baseMac[4], baseMac[5]);\n } else {\n Serial.println("Failed to read MAC address");\n }\n}\n\nvoid setup(){\n Serial.begin(115200);\n\n WiFi.mode(WIFI_STA);\n WiFi.STA.begin();\n\n Serial.print("[DEFAULT] ESP32 Board MAC Address: ");\n readMacAddress();\n}\n \nvoid loop(){\n\n}\n<\/code><\/pre>\n\tView raw code<\/a><\/p>\n\n\n\n
After uploading the code, open the Serial Monitor at a baud rate of 115200 and press the ESP32 RST\/EN button. The MAC address should be printed as follows:<\/p>\n\n\n
\n![\"ESP-NOW](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2020\/01\/ESP32_MAC_Address_Serial_monitor.jpg?resize=652%2C421&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nSave your board MAC address because you’ll need it in the next ESP-NOW examples.<\/p>\n\n\n\n
Project Overview<\/h2>\n\n\n\n
The example we’ll show you is very simple so that you can understand how to encrypt your ESP-NOW messages. The sender will send a structure that contains two random numbers, x<\/span> and y<\/span>, and a counter<\/span> variable (to keep track of the number of sent packets).<\/p>\n\n\n
\n![\"ESP32](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/09\/ESP-NOW-send-encrypted-messages.png?resize=1000%2C435&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nHere are the main steps:<\/p>\n\n\n\n
- The sender sets its PMK;<\/li>
- The sender adds the receiver as a peer and sets its LMK;<\/li>
- The receiver sets its PMK (should be the same of the receiver);<\/li>
- The receiver adds the sender as a peer and sets its LMK (should be the same as the one set on the sender board);<\/li>
- The sender sends the following structure to the receiver board:<\/li><\/ol>\n\n\n\n
typedef struct struct_message {\n int counter;\n int x;\n int y;\n} struct_message;<\/code><\/pre>\n\n\n\n- The receiver gets the message.<\/li><\/ol>\n\n\n\n
ESP32 Sender Sketch (ESP-NOW Encrypted)<\/h2>\n\n\n\n
Here’s the code for the ESP32 Sender board. Copy the code to your Arduino IDE, but don’t upload it yet. You need to make a few modifications to make it work for you.<\/p>\n\n\n
\/*\r\n Rui Santos & Sara Santos - Random Nerd Tutorials\r\n Complete project details at https:\/\/RandomNerdTutorials.com\/esp32-esp-now-encrypted-messages\/\r\n Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files.\r\n The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n*\/\r\n#include <esp_now.h>\r\n#include <WiFi.h>\r\n\r\n\/\/ REPLACE WITH THE RECEIVER'S MAC Address\r\nuint8_t receiverAddress[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r\n\r\n\/\/ PMK and LMK keys\r\nstatic const char* PMK_KEY_STR = "REPLACE_WITH_PMK_KEY";\r\nstatic const char* LMK_KEY_STR = "REPLACE_WITH_LMK_KEY";\r\n\r\n\/\/ Structure example to send data\r\n\/\/ Must match the receiver structure\r\ntypedef struct struct_message {\r\n int counter;\r\n int x;\r\n int y;\r\n} struct_message;\r\n\r\n\/\/ Create a struct_message called myData\r\nstruct_message myData;\r\n\r\n\/\/ Counter variable to keep track of number of sent packets\r\nint counter;\r\n\r\n\/\/ Variable to save peerInfo\r\nesp_now_peer_info_t peerInfo;\r\n\r\n\/\/ callback when data is sent\r\nvoid OnDataSent(const uint8_t *mac_addr, esp_now_send_status_t status) {\r\n Serial.print("\\r\\nLast Packet Send Status:\\t");\r\n Serial.println(status == ESP_NOW_SEND_SUCCESS ? "Delivery Success" : "Delivery Fail");\r\n}\r\n \r\nvoid setup() {\r\n \/\/ Init Serial Monitor\r\n Serial.begin(115200);\r\n \r\n \/\/ Set device as a Wi-Fi Station\r\n WiFi.mode(WIFI_STA);\r\n \r\n \/\/ Init ESP-NOW\r\n if (esp_now_init() != ESP_OK) {\r\n Serial.println("There was an error initializing ESP-NOW");\r\n return;\r\n }\r\n \r\n \/\/ Set PMK key\r\n esp_now_set_pmk((uint8_t *)PMK_KEY_STR);\r\n \r\n \/\/ Register the receiver board as peer\r\n memcpy(peerInfo.peer_addr, receiverAddress, 6);\r\n peerInfo.channel = 0;\r\n \/\/Set the receiver device LMK key\r\n for (uint8_t i = 0; i < 16; i++) {\r\n peerInfo.lmk[i] = LMK_KEY_STR[i];\r\n }\r\n \/\/ Set encryption to true\r\n peerInfo.encrypt = true;\r\n \r\n \/\/ Add receiver as peer \r\n if (esp_now_add_peer(&peerInfo) != ESP_OK){\r\n Serial.println("Failed to add peer");\r\n return;\r\n }\r\n\r\n \/\/ Once ESPNow is successfully Init, we will register for Send CB to\r\n \/\/ get the status of transmitted packet\r\n esp_now_register_send_cb(OnDataSent);\r\n}\r\nvoid loop() {\r\n static unsigned long lastEventTime = millis();\r\n static const unsigned long EVENT_INTERVAL_MS = 5000;\r\n if ((millis() - lastEventTime) > EVENT_INTERVAL_MS) {\r\n lastEventTime = millis();\r\n \r\n \/\/ Set values to send\r\n myData.counter = counter++;\r\n myData.x = random(0,50);\r\n myData.y = random(0,50);\r\n \r\n \/\/ Send message via ESP-NOW\r\n esp_err_t result = esp_now_send(receiverAddress, (uint8_t *) &myData, sizeof(myData));\r\n if (result == ESP_OK) {\r\n Serial.println("Sent with success");\r\n }\r\n else {\r\n Serial.println("Error sending the data");\r\n } \r\n }\r\n}\r\n<\/code><\/pre>\n\tView raw code<\/a><\/p>\n\n\n\n
Don’t forget you need to add the receiver’s MAC address in the code. In my case, the receiver MAC address is 30:AE:A4:07:0D:64<\/span>. So, it will look as follows on the code:<\/p>\n\n\n\n
\/\/ REPLACE WITH THE RECEIVER'S MAC Address\nuint8_t receiverAddress[] = {0x30, 0xAE, 0xA4, 0x07, 0x0D, 0x64};<\/code><\/pre>\n\n\n\nLet’s take a look at the relevant parts of code that deal with encryption.<\/p>\n\n\n\n
Create the PMK and LMK keys for this device on the following lines. It can be made of numbers and letters and the keys are 16 bytes (you can search online for “online byte counter” to check the length of your keys).<\/p>\n\n\n\n
static const char* PMK_KEY_STR = \"REPLACE_WITH_PMK_KEY\";\nstatic const char* LMK_KEY_STR = \"REPLACE_WITH_LMK_KEY\";<\/code><\/pre>\n\n\n\nFor example, the key can be something like this 00XXmkwei\/lpP\u00c7f<\/span>. <\/p>\n\n\n\n
The sender and receiver should have the same PMK and LMK keys.<\/p>\n\n\n\n
Set the device PMK key using the esp_now_set_pmk()<\/span> function as follows:<\/p>\n\n\n\n
esp_now_set_pmk((uint8_t *)PMK_KEY_STR);<\/code><\/pre>\n\n\n\nThe LMK is a property of the peer device, so you must set it when you register a device as peer. You set the LMK as follows:<\/p>\n\n\n\n
for (uint8_t i = 0; i < 16; i++) {\n peerInfo.lmk[i] = LMK_KEY_STR[i];\n}<\/code><\/pre>\n\n\n\nYou also need to set the encrypt<\/span> peer property as true<\/span>.<\/p>\n\n\n\n
peerInfo.encrypt = true;<\/code><\/pre>\n\n\n\nAnd that’s it. This is all you need to do to encrypt ESP-NOW messages. Now, you can use the ESP-NOW function to exchange data and the messages will be encrypted.<\/p>\n\n\n\n
ESP32 Receiver Sketch (ESP-NOW Encrypted Messages)<\/h2>\n\n\n\n
Here’s the code for the ESP32 Receiver board. Copy the code to your Arduino IDE, but don’t upload it yet. You need to make a few modifications to make it work for you.<\/p>\n\n\n
\/*\r\n Rui Santos & Sara Santos - Random Nerd Tutorials\r\n Complete project details at https:\/\/RandomNerdTutorials.com\/esp32-esp-now-encrypted-messages\/\r\n Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files.\r\n The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n*\/\r\n#include <esp_now.h>\r\n#include <WiFi.h>\r\n\r\n\/\/ REPLACE WITH YOUR MASTER MAC Address\r\nuint8_t masterMacAddress[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};\r\n\r\n\/\/ PMK and LMK keys\r\nstatic const char* PMK_KEY_STR = "REPLACE_WITH_PMK_KEY";\r\nstatic const char* LMK_KEY_STR = "REPLACE_WITH_LMK_KEY";\r\n\r\n\/\/ Structure example to send data\r\n\/\/ Must match the sender structure\r\ntypedef struct struct_message {\r\n int counter; \/\/ must be unique for each sender board\r\n int x;\r\n int y;\r\n} struct_message;\r\n\r\n\/\/ Create a struct_message called myData\r\nstruct_message myData;\r\n\r\n\/\/ Function to print MAC address on Serial Monitor\r\nvoid printMAC(const uint8_t * mac_addr){\r\n char macStr[18];\r\n snprintf(macStr, sizeof(macStr), "%02x:%02x:%02x:%02x:%02x:%02x",\r\n mac_addr[0], mac_addr[1], mac_addr[2], mac_addr[3], mac_addr[4], mac_addr[5]);\r\n Serial.println(macStr);\r\n}\r\n\r\n\/\/ Callback function executed when data is received\r\nvoid OnDataRecv(const uint8_t * mac_addr, const uint8_t *incomingData, int len) {\r\n \r\n Serial.print("Packet received from: ");\r\n printMAC(mac_addr);\r\n \r\n memcpy(&myData, incomingData, sizeof(myData));\r\n Serial.print("Bytes received: ");\r\n Serial.println(len);\r\n Serial.print("Packet number: ");\r\n Serial.println(myData.counter);\r\n Serial.print("X: ");\r\n Serial.println(myData.x);\r\n Serial.print("Y: ");\r\n Serial.println(myData.y);\r\n}\r\nvoid setup() {\r\n \/\/ Init Serial Monitor\r\n Serial.begin(115200);\r\n \r\n \/\/ Set device as a Wi-Fi Station\r\n WiFi.mode(WIFI_STA);\r\n \r\n \/\/ Init ESP-NOW\r\n if (esp_now_init() != ESP_OK) {\r\n Serial.println("There was an error initializing ESP-NOW");\r\n return;\r\n }\r\n \r\n \/\/ Set the PMK key\r\n esp_now_set_pmk((uint8_t *)PMK_KEY_STR);\r\n \r\n \/\/ Register the master as peer\r\n esp_now_peer_info_t peerInfo;\r\n memcpy(peerInfo.peer_addr, masterMacAddress, 6);\r\n peerInfo.channel = 0;\r\n \/\/ Setting the master device LMK key\r\n for (uint8_t i = 0; i < 16; i++) {\r\n peerInfo.lmk[i] = LMK_KEY_STR[i];\r\n }\r\n \/\/ Set encryption to true\r\n peerInfo.encrypt = true;\r\n \r\n \/\/ Add master as peer \r\n if (esp_now_add_peer(&peerInfo) != ESP_OK){\r\n Serial.println("Failed to add peer");\r\n return;\r\n }\r\n \r\n \/\/ Once ESPNow is successfully Init, we will register for recv CB to\r\n \/\/ get recv packer info\r\n esp_now_register_recv_cb(esp_now_recv_cb_t(OnDataRecv));\r\n}\r\nvoid loop() {\r\n \r\n}\r\n<\/code><\/pre>\n\tView raw code<\/a><\/p>\n\n\n\n
You need to add the sender board as a peer. So, you need to know its MAC address. Add the sender MAC address in the following line:<\/p>\n\n\n\n
uint8_t masterMacAddress[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};<\/code><\/pre>\n\n\n\nSet the PMK and LMK keys. Should be the same as the other board.<\/p>\n\n\n\n
static const char* PMK_KEY_STR = \"REPLACE_WITH_PMK_KEY\";\nstatic const char* LMK_KEY_STR = \"REPLACE_WITH_LMK_KEY\";<\/code><\/pre>\n\n\n\nSet the device PMK key using the esp_now_set_pmk()<\/span> function as follows:<\/p>\n\n\n\n
esp_now_set_pmk((uint8_t *)PMK_KEY_STR);<\/code><\/pre>\n\n\n\nThe LMK is a property of the peer device, so you must set it when you register a device as peer. You set the LMK as follows:<\/p>\n\n\n\n
for (uint8_t i = 0; i < 16; i++) {\n peerInfo.lmk[i] = LMK_KEY_STR[i];}<\/code><\/pre>\n\n\n\nYou also need to set the encrypt<\/span> peer property as true<\/span>.<\/p>\n\n\n\n
peerInfo.encrypt = true;<\/code><\/pre>\n\n\n\nAnd that’s it, now the receiver board can receiver and decrypt the encrypted messages sent by the sender.<\/p>\n\n\n\n
Demonstration<\/h2>\n\n\n\n
Upload the codes to the corresponding boards.<\/p>\n\n\n\n
Open the Serial Monitor to check what’s going on. You can use PuTTY to be able to see the messages on both boards simultaneously. <\/p>\n\n\n\n
This is what you should get on the receiver board:<\/p>\n\n\n
\n![\"ESP-NOW](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/09\/ESP-NOW-Receiver-Encrypted-Messages-Received.png?resize=501%2C418&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nOn the sender board, you should get “Delivery Success” messages.<\/p>\n\n\n
\n![\"ESP-NOW](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/09\/ESP-NOW-Sender-Encrypted-Messages-Serial-Monitor-Delivery-Success.png?resize=601%2C469&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nWrapping Up<\/h2>\n\n\n\n
In this tutorial, you learned how to encrypt ESP-NOW messages using PMK and LMK keys.<\/p>\n\n\n\n
I tested the encryption in different scenarios and here are the results:<\/p>\n\n\n\n
- Sender and receiver encrypted with same keys<\/strong>: receiver board receives the messages successfully;<\/li><\/ul>\n\n\n\n
- The sender sends encrypted messages, but the receiver doesn’t have the keys or has different keys: the receiver doesn’t get the messages;<\/li><\/ul>\n\n\n\n
- The receiver has the code for encryption but the sender doesn’t<\/strong>: the receiver gets the messages anyway. I don’t think this is the behavior we expected. Since we add the encryption code on both boards, one would expect that if the receiver board got a message that is not encrypted, it would ignore it. But that’s not what happens. It receives all messages, encrypted and not encrypted. At the moment, there isn’t a way to know if the received message is encrypted or not, which seems like a limitation at the moment. <\/li><\/ul>\n\n\n\n
We hope you found this tutorial useful. We have more ESP-NOW examples you may like:<\/p>\n\n\n\n
- ESP-NOW Two-Way Communication Between ESP32 Boards<\/a><\/li>
- ESP-NOW with ESP32: Send Data to Multiple Boards (one-to-many)<\/a><\/li>
- ESP-NOW with ESP32: Receive Data from Multiple Boards (many-to-one)<\/a><\/li>
- ESP32: ESP-NOW Web Server Sensor Dashboard (ESP-NOW + Wi-Fi)<\/a><\/li>
- ESP-NOW: Auto-pairing for ESP32\/ESP8266 with Bidirectional Communication and Web Server<\/a><\/li><\/ul>\n\n\n\n
If you would like to learn more about the ESP32 board and IoT, make sure you take a look at our resources:<\/p>\n\n\n\n
- Learn ESP32 with Arduino IDE<\/a><\/li>
- Build Web Servers with ESP32 and ESP8266<\/a><\/li>
- Firebase Web App with ESP32 and ESP8266<\/a><\/li>
- Free ESP32 Projects and Tutorials<\/a><\/li><\/ul>\n\n\n\n
Thanks for reading.<\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, you’ll learn how to encrypt ESP-NOW messages exchanged between ESP32 boards. ESP-NOW uses the CCMP method for encryption using a Primary Master Key (PMK) and Local Master … <\/p>\n
- Build Web Servers with ESP32 and ESP8266<\/a><\/li>
- ESP-NOW with ESP32: Send Data to Multiple Boards (one-to-many)<\/a><\/li>
- ESP-NOW Two-Way Communication Between ESP32 Boards<\/a><\/li>
- The receiver has the code for encryption but the sender doesn’t<\/strong>: the receiver gets the messages anyway. I don’t think this is the behavior we expected. Since we add the encryption code on both boards, one would expect that if the receiver board got a message that is not encrypted, it would ignore it. But that’s not what happens. It receives all messages, encrypted and not encrypted. At the moment, there isn’t a way to know if the received message is encrypted or not, which seems like a limitation at the moment. <\/li><\/ul>\n\n\n\n
- The sender sends encrypted messages, but the receiver doesn’t have the keys or has different keys: the receiver doesn’t get the messages;<\/li><\/ul>\n\n\n\n
- Sender and receiver encrypted with same keys<\/strong>: receiver board receives the messages successfully;<\/li><\/ul>\n\n\n\n
- The receiver gets the message.<\/li><\/ol>\n\n\n\n