DEV Community

Cover image for 🔐 Securing ROS2 Nodes with SROS2: Encryption and Permissions for Robot Communications
Richard Chamberlain
Richard Chamberlain

Posted on

1

🔐 Securing ROS2 Nodes with SROS2: Encryption and Permissions for Robot Communications

In our previous post, we configured the firewall and granted $PROGRAMMER_LAPTOP_IP access to the robot via SSH. But controlling a robot involves more than just external connections—a robot is a complex ecosystem of internal components, including a base controller, cameras, scanners, and movement modules. These components (ROS2 nodes) must communicate securely with each other.

So, how do we secure internal communication between ROS2 nodes?


📚 Table of Contents

  1. Why Node-to-Node Security Matters
  2. What Is SROS2?
  3. SROS2 Setup Script Overview
  4. Step-by-Step: sros2_setup() Bash Function
  5. Security Context Summary
  6. Next Steps: Intrusion Detection with Suricata

Why Node-to-Node Security Matters

In robotic systems powered by ROS2, nodes constantly exchange data—some of it sensitive, such as movement commands or camera feeds. Without encryption and access control, this data is vulnerable to tampering or eavesdropping, especially in networked environments like factories or research labs.

That's where SROS2 comes in.


What Is SROS2?

SROS2 (Secure ROS2) extends ROS2 with security mechanisms built on the DDS-Security standard. It uses OpenSSL to encrypt node communication and restrict access based on signed permissions.

When configured, SROS2 creates a keystore directory containing:

  • A Certificate Authority (CA)
  • Each node's:
    • Public certificate
    • Private key
    • Signed permissions file

This setup ensures only authorized nodes can participate in the ROS2 ecosystem.


SROS2 Setup Script Overview

To streamline setup, we created a script: sros2_setup(). This Bash function initializes a keystore and configures a node (base_controler) for secure communication.

It assumes:

  • A working ROS2 installation
  • ROS2 user and workspace set in an external script (common.sh)

Step-by-Step: sros2_setup() Bash Function

1. Install OpenSSL

apt install -y openssl
Enter fullscreen mode Exit fullscreen mode

🔧 Ensures the required cryptographic tools are available for SROS2 key generation.


2. Switch to ROS2 User

sudo -u "$ROS_USER" bash -c '...'
Enter fullscreen mode Exit fullscreen mode

🏃 Executes setup in the context of the non-root ROS2 user.

Inside the block:

a. Source the ROS2 Environment

source /opt/ros/$ROS_DISTRO/setup.bash
Enter fullscreen mode Exit fullscreen mode

🔗 Loads the ROS2 environment variables.

b. Create the Keystore Directory

mkdir -p $ROS_WS/sros2_keystore
Enter fullscreen mode Exit fullscreen mode

c. Initialize the Keystore and Create Keys

ros2 security create_keystore $ROS_WS/sros2_keystore
ros2 security create_key $ROS_WS/sros2_keystore base_controler
Enter fullscreen mode Exit fullscreen mode

🔐 Generates a secure identity for the base_controler node.


4. Define Node Permissions

Create a file with the following XML content:

<permissions>
  <grant name="base_controler_grant" subject_name="CN=base_controler">
    <validity>
      <not_before>2025-01-01T00:00:00</not_before>
      <not_after>2027-01-01T00:00:00</not_after>
    </validity>
    <allow rule="ALLOW">
      <domains>
        <id>0</id>
      </domains>
      <topics>
        <topic>*</topic>
      </topics>
      <partitions>
        <partition>*</partition>
      </partitions>
    </allow>
  </grant>
</permissions>
Enter fullscreen mode Exit fullscreen mode

📜 This permission file grants the base_controler node access to all topics in domain ID 0.


5. Generate Signed Permissions File

ros2 security create_permission $ROS_WS/sros2_keystore base_controler
Enter fullscreen mode Exit fullscreen mode

✍️ Signs the permissions file using the CA to make it valid and enforceable.


Security Context Summary

With this function, we now have:

✅ A keystore initialized for SROS2

✅ A certificate and key pair for the base_controler node

✅ A signed permission file allowing communication

End-to-end encryption for internal robot node communication

Combined with previous security steps—AppArmor, Auditd, and firewall configuration—we're building a layered security model for our robot.


See code here

Next Steps: Intrusion Detection with Suricata

Now that encrypted communication is set up within the robot's internal architecture, the next step is to detect anomalies or intrusions at the network level. In our next article, we’ll integrate Suricata, an open-source intrusion detection system (IDS), to monitor traffic and alert on suspicious behavior.

Stay tuned 👀


Looking to learn more about ROS2 security, SROS2 node permissions, or robotic system hardening? Bookmark this series and follow along as we secure each layer of our Linux-based robotic system.

For more content like this, tools, and walkthroughs, visit my site at Sebos Technology.

Heroku

Built for developers, by developers.

Whether you're building a simple prototype or a business-critical product, Heroku's fully-managed platform gives you the simplest path to delivering apps quickly — using the tools and languages you already love!

Learn More

Top comments (0)

Image of Datadog

Keep your GPUs in check

This cheatsheet shows how to use Datadog’s NVIDIA DCGM and Triton integrations to track GPU health, resource usage, and model performance—helping you optimize AI workloads and avoid hardware bottlenecks.

Get the Cheatsheet

👋 Kindness is contagious

Dive into this thoughtful article, cherished within the supportive DEV Community. Coders of every background are encouraged to share and grow our collective expertise.

A genuine "thank you" can brighten someone’s day—drop your appreciation in the comments below!

On DEV, sharing knowledge smooths our journey and strengthens our community bonds. Found value here? A quick thank you to the author makes a big difference.

Okay