Device Authentication

AWS uses certificates to authenticate a device (e.g. a Raspberry Pi board).

How does BalenaCloud authenticate a device?
Where can I find a detailed explanation?

Thank you

Hey, @rlev, here are links to our relevant docs about device provisioning:

Let us know if these are sufficient or not for you. Feedback is appreciated.

@gelbal,

Thank you for your response.

If I understood Balena.io’s documentation regarding security correctly, I would say that Balena authenticates a device based solely on an “API key” which is created upon successful provisioning. I understand the VPN adds an extra layer of security. I could not find how this “API key” is generated, i.e. randomly, or whether it takes hardware into consideration, e.g. MAC address, etc.

In this context: if a malicious user, for example, gets access to a Raspberry Pi SD card, what could be the implications?

Thanks

Hey @rlev,

The device’s API key is a randomly generated UUID specific to that device. A large part of our codebase is Open Source, and forms the basis for both the openBalena Open Source project (where users can run their own balena backend on the server of their choice) and our balenaCloud hosted service. You can find OpenBalena here: https://github.com/balena-io/open-balena and you can find the specific code for generating a device’s API key here: https://github.com/balena-io/open-balena-api/blob/master/src/routes/devices.ts#L81 (you’ll need to follow the included interfaces to find the final generation point, but it’s a random string).

With respect to what a malicious user could do if they get their hands on an SD card: they could potentially spoof that device and access the data on the card. However, a device API key is limited to control of that device and that device only. It does not allow the alteration of the application the device is associated with, nor does it contain any other credentials that could expose the application, the owners or any collaborators to potential attack.

We do not take hardware factors into account presently. Using the MAC address of a device is incredibly insecure anyway: MAC address spoofing is incredibly easy to do, and in fact the ip command that ships with most distributions of Linux these days allows you to change the MAC address of an interface.

That said, we are currently carrying out work internally to allow the use of encryption dongles to secure sections such as the dedicated data partitions, although we have not yet announced a roadmap for this.

Best regards,

Heds
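
An added illustration of the points in the reply above (not balena's code and not part of the original post): a key derived from a MAC address can be recomputed by anyone who sees the MAC, a random key cannot, and a server can confine a device key to its own device. The `Registry` class, the action names and the device names are hypothetical, and `revoke` is an assumed way to retire a key after a card is lost.

```python
import hashlib
import hmac
import secrets

DEVICE_ACTIONS = {"report_state", "read_config"}  # assumed per-device actions

def mac_derived_key(mac: str) -> str:
    """Weak scheme: the key is a pure function of an identifier visible on the LAN."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:32]

def random_key() -> str:
    """Key drawn from the OS CSPRNG, unrelated to any hardware property."""
    return secrets.token_hex(16)

class Registry:
    """Hypothetical server-side store that keeps only a hash of each device key."""
    def __init__(self):
        self._hashes = {}  # device_id -> sha256(key)

    def provision(self, device_id: str, key: str) -> None:
        self._hashes[device_id] = hashlib.sha256(key.encode()).digest()

    def revoke(self, device_id: str) -> None:
        # Response to a lost or copied SD card: the old key stops working.
        self._hashes.pop(device_id, None)

    def authorize(self, key: str, action: str, target: str) -> bool:
        """Allow only per-device actions, and only on the device the key belongs to."""
        presented = hashlib.sha256(key.encode()).digest()
        stored = self._hashes.get(target)
        if stored is None or not hmac.compare_digest(stored, presented):
            return False
        return action in DEVICE_ACTIONS

def demo() -> dict:
    reg = Registry()
    key_a, key_b = random_key(), random_key()
    reg.provision("device-a", key_a)  # constructed device names
    reg.provision("device-b", key_b)
    results = {
        "own_device": reg.authorize(key_a, "report_state", "device-a"),
        "other_device": reg.authorize(key_a, "report_state", "device-b"),
        "application": reg.authorize(key_a, "update_release", "device-a"),
    }
    reg.revoke("device-a")
    results["after_revoke"] = reg.authorize(key_a, "report_state", "device-a")
    return results

if __name__ == "__main__":
    print(demo())
```
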

Thanks for the response.

Hey @rlev,
I’m very interested in how people are approaching authentication and device identity, beyond authenticating with the fleet management platform.

I’m building some PKI-oriented tools to ease device-to-service and device-to-device discovery and authentication, and I could really use some perspective on how well they fit with engineering requirements. If you’re interested in using PKI for discovery and authentication, I would love to hear more about your use case.