How to keep a secret value in a plugin

I need to send Firebase FCM notifications from a vera plugin to an iPhone app I’m developing. I’ve got it working ok. But to send any notification to my app I need to include the Firebase server key in the header of the ssl call and I want to keep that secret.

I’m hoping one day to publish the app and the plugin, so this isn’t just for personal use.

What’s the best way to either encrypt a single value or an entire LUA file such that even a competent vera developer can’t get at the value?


The app marketplace has the ability to encrypt Lua files. I haven’t seen it used for anything other than PLEG and family. I’m not sure if anyone has ever tried to crack it, so its security is unknown (and therefore suspect, really). Also, the unencrypted files are stored in the app marketplace–they are encrypted when installed on a Vera, so anyone who gains access to your account there, and anyone at Vera/eZLO with access to that subsystem or its servers, could potentially have access to cleartext.

Thanks, I’ve just had a play with that it seems to work ok. Though as you say it relies on the security of the MIOS marketplace and their staff. It seems when you actually release a plugin they do a manual code check too. If there were any financial implications I don’t think I’d risk it. But for just sending notifications to a single device it’s probably an acceptable risk.