Hide Wifi Passwords for normal user

hgrue · 28 March 2025 06:48

I would like to hide Wifi-Passwords in “gnome-control-center wifi”. How can I do this?
I found suggestions to encrypt the passwords, but don’t know how.

linux-aarhus · 28 March 2025 07:18

→ NetworkManager - ArchWiki

Another option is to create a systemd-network configuration and preconfigure the wireless network.

→ systemd-networkd - ArchWiki
→ Network configuration/Wireless - ArchWiki

You can use the principle described in [root tip] [Utility Script] Preconfigure ARM installer for WiFi to preconfigure your wifi using wpa_passphrase command.

wpa_passphrase "<ssid>" "<passphrase>"

Be aware that hard to diagnose issues may appear if you are mixing different network managers.

hgrue · 30 March 2025 17:26

This was what i found before.
Do i understand it right: if i don’t activate the tick-box option “Make available to other users” then the password is stored encrypted?

I just tried it, even deleted the wifi-connection, set it up again without sharing it to other users. The psk is still stored in clear text.
I did it with the Gnome-Frontend which is supposed in the Arch-Wiki.

linux-aarhus · 1 April 2025 11:31

Use wpa_passphrase to generate the values.

 $ wpa_passphrase "my-ssid" "MySecretP@ssphrase"
network={
        ssid="my-ssid"
        #psk="MySecretP@ssphrase"
        psk=16b0ed1e473958ed62679e8d4724dd4a692d6d1aa9ca674ccdd9345620395840
}

Then copy the encoded value from the line psk=, the example generated this value

16b0ed1e473958ed62679e8d4724dd4a692d6d1aa9ca674ccdd9345620395840

Then paste it as your passphrase when connecting to the network.

ManLuxer · 2 April 2025 05:25

I just wonder, what use is this type of encryption of the passkey? It doesn’t matter whether someone can see the encrypted password or the unencrypted one, they can log in with both and compromise the network.

hgrue · 4 April 2025 19:44

I want to prevent normal users to copy the PSK to other devices. I think the encrypted PSK will only work on the device on which it is produced. Or will it still be possible to share the wifi passphrase via QR-Code in Gnome?

ManLuxer · 5 April 2025 11:22

Only the password is encrypted and has nothing to do with the computer on which it was encrypted. A copy of the key is sufficient and can be transferred to any computer.

linux-aarhus · 5 April 2025 12:48

The only way to do that is to create a systemd network and change the permissions the wpa_supplicant.conf.

That will effectively prevent any user (except sudo and root) to read the passphrase. It won’t be accessible in NetworkManager either - meaning you cannot scan a qr code to connect to the specific network.

See the above links - especially the part about DHCP and resolver.

hgrue · 10 April 2025 12:24

Thank you linux-aarhus, I will try it this way.