[api] Allow noise encryption key to be set at runtime (#7296)

Co-authored-by: Jesse Hills <3060199+jesserockz@users.noreply.github.com>
2025-09-29 08:32:26 +01:00 · 2025-04-16 20:15:25 -05:00
parent ca4838a5f4
commit 2fd5f9ac58
14 changed files with 373 additions and 78 deletions
--- a/esphome/components/api/init.py
+++ b/esphome/components/api/init.py
@@ -82,6 +82,19 @@ ACTIONS_SCHEMA = automation.validate_automation(
    ),
 )

+ENCRYPTION_SCHEMA = cv.Schema(
+    {
+        cv.Optional(CONF_KEY): validate_encryption_key,
+    }
+)
+
+
+def _encryption_schema(config):
+    if config is None:
+        config = {}
+    return ENCRYPTION_SCHEMA(config)
+
+
 CONFIG_SCHEMA = cv.All(
    cv.Schema(
        {
@@ -95,11 +108,7 @@ CONFIG_SCHEMA = cv.All(
                CONF_SERVICES, group_of_exclusion=CONF_ACTIONS
            ): ACTIONS_SCHEMA,
            cv.Exclusive(CONF_ACTIONS, group_of_exclusion=CONF_ACTIONS): ACTIONS_SCHEMA,
-            cv.Optional(CONF_ENCRYPTION): cv.Schema(
-                {
-                    cv.Required(CONF_KEY): validate_encryption_key,
-                }
-            ),
+            cv.Optional(CONF_ENCRYPTION): _encryption_schema,
            cv.Optional(CONF_ON_CLIENT_CONNECTED): automation.validate_automation(
                single=True
            ),
@@ -151,9 +160,17 @@ async def to_code(config):
            config[CONF_ON_CLIENT_DISCONNECTED],
        )

-    if encryption_config := config.get(CONF_ENCRYPTION):
-        decoded = base64.b64decode(encryption_config[CONF_KEY])
-        cg.add(var.set_noise_psk(list(decoded)))
+    if (encryption_config := config.get(CONF_ENCRYPTION, None)) is not None:
+        if key := encryption_config.get(CONF_KEY):
+            decoded = base64.b64decode(key)
+            cg.add(var.set_noise_psk(list(decoded)))
+        else:
+            # No key provided, but encryption desired
+            # This will allow a plaintext client to provide a noise key,
+            # send it to the device, and then switch to noise.
+            # The key will be saved in flash and used for future connections
+            # and plaintext disabled. Only a factory reset can remove it.
+            cg.add_define("USE_API_PLAINTEXT")
        cg.add_define("USE_API_NOISE")
        cg.add_library("esphome/noise-c", "0.1.6")
    else: