Securing ROS2 Nodes with SROS2
In our previous post, we configured the firewall and granted $PROGRAMMER_LAPTOP_IP access to the robot via SSH. But controlling a robot involves more than just external connections—a robot is a complex ecosystem of internal components, including a base controller, cameras, scanners, and movement modules. These components (ROS2 nodes) must communicate securely with each other.
So, how do we secure internal communication between ROS2 nodes?
📚 Table of Contents
- Why Node-to-Node Security Matters
- What Is SROS2?
- SROS2 Setup Script Overview
- Step-by-Step:
sros2_setup()Bash Function - Security Context Summary
- Next Steps: Intrusion Detection with Suricata
Why Node-to-Node Security Matters
In robotic systems powered by ROS2, nodes constantly exchange data—some of it sensitive, such as movement commands or camera feeds. Without encryption and access control, this data is vulnerable to tampering or eavesdropping, especially in networked environments like factories or research labs.
That’s where SROS2 comes in.
What Is SROS2?
SROS2 (Secure ROS2) extends ROS2 with security mechanisms built on the DDS-Security standard. It uses OpenSSL to encrypt node communication and restrict access based on signed permissions.
When configured, SROS2 creates a keystore directory containing:
- A Certificate Authority (CA)
- Each node’s:
- Public certificate
- Private key
- Signed permissions file
This setup ensures only authorized nodes can participate in the ROS2 ecosystem.
SROS2 Setup Script Overview
To streamline setup, we created a script: sros2_setup(). This Bash function initializes a keystore and configures a node (base_controler) for secure communication.
It assumes:
- A working ROS2 installation
- ROS2 user and workspace set in an external script (
common.sh)
Step-by-Step: sros2_setup() Bash Function
1. Install OpenSSL
1
apt install -y openssl
🔧 Ensures the required cryptographic tools are available for SROS2 key generation.
2. Switch to ROS2 User
1
sudo -u "$ROS_USER" bash -c '...'
🏃 Executes setup in the context of the non-root ROS2 user.
Inside the block:
a. Source the ROS2 Environment
1
source /opt/ros/$ROS_DISTRO/setup.bash
🔗 Loads the ROS2 environment variables.
b. Create the Keystore Directory
1
mkdir -p $ROS_WS/sros2_keystore
c. Initialize the Keystore and Create Keys
1
2
ros2 security create_keystore $ROS_WS/sros2_keystore
ros2 security create_key $ROS_WS/sros2_keystore base_controler
🔐 Generates a secure identity for the base_controler node.
4. Define Node Permissions
Create a file with the following XML content:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<permissions>
<grant name="base_controler_grant" subject_name="CN=base_controler">
<validity>
<not_before>2025-01-01T00:00:00</not_before>
<not_after>2027-01-01T00:00:00</not_after>
</validity>
<allow rule="ALLOW">
<domains>
<id>0</id>
</domains>
<topics>
<topic>*</topic>
</topics>
<partitions>
<partition>*</partition>
</partitions>
</allow>
</grant>
</permissions>
📜 This permission file grants the base_controler node access to all topics in domain ID 0.
5. Generate Signed Permissions File
1
ros2 security create_permission $ROS_WS/sros2_keystore base_controler
✍️ Signs the permissions file using the CA to make it valid and enforceable.
Security Context Summary
With this function, we now have:
✅ A keystore initialized for SROS2
✅ A certificate and key pair for the base_controler node
✅ A signed permission file allowing communication
✅ End-to-end encryption for internal robot node communication
Combined with previous security steps—AppArmor, Auditd, and firewall configuration—we’re building a layered security model for our robot.
Next Steps: Intrusion Detection with Suricata
Now that encrypted communication is set up within the robot’s internal architecture, the next step is to detect anomalies or intrusions at the network level. In our next article, we’ll integrate Suricata, an open-source intrusion detection system (IDS), to monitor traffic and alert on suspicious behavior.
Stay tuned 👀
Looking to learn more about ROS2 security, SROS2 node permissions, or robotic system hardening? Bookmark this series and follow along as we secure each layer of our Linux-based robotic system.
For more content like this, tools, and walkthroughs, visit my site at Sebos Technology.