Cyber Security of Octoprint Servers

Hi,

I am trying to get my employer to let me network our Prusa printers using Octoprint; however, I have been asked the below questions by our cyber security team. I love the software and have used it in a previous company, hopefully @foosel might see this and be able to help.

  1. How is the information sent to the Octoprint servers and then to the printer secured? (is it encrypted?)

  2. Who owns the Octoprint servers and where are they based?

  3. Who has access to the data sent through the Octoprint system? (Does anyone have the rights to the data?)

  4. How are OTA firmware updates ensured they are secure, i.e. they are what I sent and not malicious?

  5. Can the OTS firmware updates feature be disabled?

  6. Has anyone else had any experience of using Octoprint within a large organisation?

I have looked on the forum and FAQ but haven't managed to find definite answers that I can present back as evidence.

Kind Regards

Adam Thickett

With all the server questions (1-3): OctoPrint is self-hosted, so you install the server on your device and have full control over it, you own it, it is based right in front of you. No data leaves that server unless you make it do so.

If you mean servers that run the OctoPrint websites, on *.octoprint.org, that depends which ones - if this is what you want then all the privacy policies etc. are linked on the individual sites.

Updates (5-6): the updates are all run through the GitHub API, and the entire software update plugin can be disabled, none of the updates happen automatically either. All API requests to check for updates are using https, as would downloading them & installing them.

Hi @Charlie_Powell,

Thanks for the very clear and awesome answers. I had misunderstood how the OctoPi worked but now it is much clearer. I was under the impression that the Octopi software ran through a web based server system. I now can see that the data security is much better than I thought.

Hopefully this will help me persuade my business to let me use the software.

Thanks

Adam

Just a small addition to the above:
OctoPrint and OctoPi are separate projects.
OctoPrint is the software that helps controlling your 3d printer.
OctoPi is a Linux distribution based on Raspbian (and thus, Debian) to run on a Raspberry Pi that already includes OctoPrint plus everything you need to run it.
Both are Free Open Source Software.


Hello,

The questions are somewhat ambiguous. I will make some simplifying assumptions and point out what I think would be answers to typical configurations.

  1. Secure communication to OctoPrint depends on its configuration and also on the specific printer, as some Prusa printers support LAN communication directly. In my experience, the most common case is that you are communicating from the OctoPrint host to the printer via USB cable and the communication between your OctoPrint instance and the 3d printer is never on your LAN. You would need to upload files to OctoPrint via a browser, and that traffic would be on your LAN. For the security conscious, OctoPrint would be configured to use HTTPS (secure HTTP) and the data would be sent using the configured encryption - likely a version of TLS (transport-layer security).

  2. Hosting on your own hardware would be the most secure option. That means that you own the OctoPrint servers and they are based wherever you set them up. The simplest case is to use a Raspberry Pi for the hardware and OctoPi, an installation of the Raspberry Pi OS with OctoPrint preinstalled. The Raspberry Pi would be connected to the printer with a USB cable. Currently, this is complicated because Raspberry Pis are expensive and hard to come by due to supply chain issues, although this is expected to get back to normal eventually. You can also use a PC running either Windows or Linux for this purpose.

  3. For self-hosting, the question about data ownership is a non sequitur. You own the data and it doesn't leave your control. If you use an external host, that gets more complicated as you would need LAN-capable printers and your IT group would have to setup bidirectional communication to the remote server. Personally, I wouldn't allow it on my networks. It would be very difficult to justify the enterprise risk when a local installation is quite practical and likely necessary to get the USB connection.

  4. If you are talking about updates to the printer's firmware, that can be done through OctoPrint via a plugin. The firmware is typically provided by the manufacturer or compiled using the Arduino IDE, Visual Studio Code, or some other development environment. It would then be uploaded to OctoPrint via HTTPS, which is encrypted, and then sent to the printer via the USB connection. Since I customize my printers' firmware, this is something that I use fairly frequently.

  5. I assume that this is a typo and you really meant can OTA firmware updates be disabled. 3d printer firmware is not updated automatically. You would have to initiate firmware updates manually.

  6. I have not used OctoPrint in a large organization but I do enterprise IT for a living and run multiple 3d printers via OctoPrint at home. Each printer is hosted on its own Raspberry Pi. I use a plugin for firmware updating and compile in either the Arduino IDE or Visual Studio Code depending on the target printer as I have customized both the printers and their firmware.

I hope this is helpful

Darren.

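Points 4 and 5 above cover how the firmware reaches the printer (HTTPS to OctoPrint, then USB), but the original question 4 was whether the image flashed is the one you built. HTTPS protects the upload in transit; whether the file is unchanged from your build is something you can check yourself before flashing. The following is an added example, not code from OctoPrint, OctoPi or any firmware-updater plugin: it verifies a firmware image against a SHA-256 digest recorded at build time (a `sha256sum`-style manifest, an assumed format) and additionally validates the per-record checksums of an Intel HEX file, the `.hex` format that 8-bit printer boards commonly take. The sample image and manifest inside the block are constructed for the demonstration. The record checksums only catch corruption; the out-of-band digest is what gives the "what I sent" assurance.

```python
"""Integrity checks for a 3D-printer firmware image before it is uploaded to
OctoPrint and flashed over USB.  Added example for this thread; it is not part
of OctoPrint, OctoPi or any firmware-updater plugin.  The manifest format
('<sha256 hex>  <filename>', as written by sha256sum) is an assumption."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the image, compared against the digest recorded at build."""
    return hashlib.sha256(data).hexdigest()


def ihex_record_ok(line: str) -> bool:
    """Validate one Intel HEX record ':LLAAAATTDD..CC'.

    LL is the data byte count, AAAA the address, TT the record type, CC the
    checksum: the two's complement of the sum of every other byte, so a valid
    record sums to zero modulo 256."""
    line = line.strip()
    # ':' plus an even number of hex digits; the shortest record (EOF) is 11 chars
    if not line.startswith(":") or len(line) < 11 or len(line) % 2 == 0:
        return False
    try:
        raw = bytes.fromhex(line[1:])
    except ValueError:
        return False
    if raw[0] != len(raw) - 5:  # LL must match the actual data length
        return False
    return sum(raw) % 256 == 0


def ihex_ok(text: str) -> bool:
    """Every non-empty line is a valid record and the file ends with the EOF
    record (:00000001FF), so a truncated or bit-flipped image is rejected."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not all(ihex_record_ok(ln) for ln in lines):
        return False
    return lines[-1].upper() == ":00000001FF"


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <name>', '*' marks binary mode)
    into {name: hex}; lines that are not a 64-hex-digit entry are ignored."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def verify_firmware(image: bytes, expected_sha256: str) -> dict:
    """Report whether the image matches the recorded digest and whether it is
    a structurally sound Intel HEX file.  Flash only when both are True."""
    return {
        "sha256_matches": sha256_hex(image) == expected_sha256.lower(),
        "ihex_valid": ihex_ok(image.decode("ascii", errors="replace")),
    }


if __name__ == "__main__":
    # Constructed two-record image: one 2-byte data record (checksum 0x99)
    # followed by the EOF record.  A real firmware.hex has thousands of records.
    good = b":02000000AABB99\n:00000001FF\n"
    manifest = parse_manifest(sha256_hex(good) + "  *firmware.hex\n")
    print("as built :", verify_firmware(good, manifest["firmware.hex"]))
    # A single flipped data byte breaks both the digest and the record checksum.
    tampered = good.replace(b"AABB", b"AABC")
    print("tampered :", verify_firmware(tampered, manifest["firmware.hex"]))
```

Generate the manifest on the build machine (`sha256sum -b firmware.hex > firmware.sha256`) and keep it somewhere the OctoPrint host cannot alter; the check then runs on the workstation that uploads the file, not on the printer host.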

Thanks @dselvage for your detailed response.

I have been asked the two questions below by our IT team and so I thought you might be able to accurately answer these as you have already set this system up.

1)IP ports required open for the solution to work

2)Any TCP or client server protocols needed

Thanks

Adam

On an OctoPi image, it is listening on port 80 by default. On any other kind of install, the default is 5000 unless you configure it otherwise.


To clarify, OctoPi by default will use local network access only (does not need to be public, actually recommended against doing that) on ports 80 and 443.


Sorry, I have been out of town for the past two weeks. The answers from Charlie_Powell and jneilliii are essentially correct. Assuming a USB connection for the printer, the only port you need is one to serve the interface to your web browser. The port is configurable. For OctoPi, the default is port 80 for HTTP (unencrypted) or port 443 for HTTPS (encrypted).

Here is a little more information for your IT department:

OctoPrint is a web application with a built-in web server that provides a user-friendly and network-enabled interface to a 3D printer.

3D printers are CNC (computer numerically controlled) devices and generally speak some flavor of g-code. G-code is normally sent to the printer via USB in serial port emulation mode. This USB connection between the 3D printer and the host computer is private as it is a point-to-point wired connection. The equivalent to g-code for a paper (2D) printer would be PCL or Postscript.

OctoPrint is a web-based front-end that acts as an intermediary between your network and the printer. OctoPrint is effectively a web server with special-purpose support to interface with and manage 3D printers. Instead of having your computer send g-code to the printer directly using a native application on the computer, it provides the interface to your browser.

I hope this is helpful to you.

Darren.

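The port answers above (80 and 443 on OctoPi, 5000 on a bare install) can be turned into a check the IT team runs from a LAN workstation rather than taking on trust. The following is an added example, not code from OctoPrint or OctoPi. The host name `octopi.local` and the `EXPECTED` table are assumptions to adjust for your network: 80 and 443 are the haproxy ports the thread names, while SSH, OctoPrint's own listener on 5000 and the webcam stream OctoPi ships (usually on 8080) are listed as "closed" so the script flags them if a LAN client can reach them, since whether they are firewalled depends on how the image was set up.

```python
"""Compare the TCP ports reachable on an OctoPrint host with an expected
policy.  Added example for this thread, not code from OctoPrint or OctoPi.
The host name and the EXPECTED table are assumptions; adjust them to your
network before relying on the report."""
import socket
import sys

# Assumed policy for an OctoPi image fronted by haproxy, as described in the
# thread: the browser UI is served on 80 (HTTP) and 443 (HTTPS).  The other
# entries are ports a stock image may also have listening; they are listed as
# "closed" so the audit reports them if a LAN client can reach them.
EXPECTED = {
    80: "open",      # haproxy, plain HTTP
    443: "open",     # haproxy, HTTPS
    22: "closed",    # SSH; assumed restricted to the admin network
    5000: "closed",  # OctoPrint's own listener (the default port on non-OctoPi installs)
    8080: "closed",  # webcam stream on OctoPi, normally reached through haproxy
}


def tcp_open(host, port, timeout=2.0, connect=socket.create_connection):
    """True when a TCP handshake to host:port completes within the timeout.
    `connect` is injectable so the logic can be exercised without a network."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def scan(host, ports, connect=socket.create_connection):
    """Return the subset of `ports` that accept a TCP connection."""
    return {p for p in ports if tcp_open(host, p, connect=connect)}


def compare(open_ports, expected=EXPECTED):
    """Return {port: (expected_state, observed_state)} for every deviation
    from the policy; an empty dict means the host matches it."""
    findings = {}
    for port, want in expected.items():
        got = "open" if port in open_ports else "closed"
        if got != want:
            findings[port] = (want, got)
    return findings


def audit(host, expected=EXPECTED, connect=socket.create_connection):
    """Probe every port in the policy and report the deviations."""
    return compare(scan(host, expected, connect=connect), expected)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "octopi.local"  # assumed host name
    findings = audit(target)
    if not findings:
        print(f"{target}: reachable ports match the expected policy")
    for port, (want, got) in sorted(findings.items()):
        print(f"{target}: port {port} expected {want}, observed {got}")
```

Run it from the network segment the printer users sit on, not from the admin VLAN, because that is the exposure the IT team is asking about. A "closed" result only means no TCP handshake completed from that vantage point; a port blocked by a host firewall and a port with nothing listening look the same.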

Thanks so much for this extra clarification.

Thanks to all the support provided here I am now well on the way through the long road to getting Octopi used on our network.
