Are these not password or secrets protectable? I seem to recollect the docs mentioning that.
You will have to disclose these secrets to your purchasers if you wish them to be able to do updates, or they might be tempted to flash their own firmware over the top of yours. You could set up a routine to create a unique code for each device as you flash it. Put it on a QR Code is a suggestion. Alternatively tie it to an encryption routine where something unique to each device, such as the MAC address, forms part of a security key you control. This leaves you open to decryption by sharp-eyed hackers, and roving bots.
Be aware that use of some code sourced from open source conditions puts obligations on you if you are using it commercially where you are obliged to disclose your code as well. There have been recent instances where this has been pursued through the courts, particularly to raise awareness and make an example of blatant offenders. Intellectual property theft is still theft. Making money from others' voluntary contributions is something to carefully consider, ethically, unless you are significantly value adding, in which case you should acknowledge their contribution as well.
Always stand on the shoulders of giants, but attribute and play within the rules and spirit of goodwill that makes open source so powerful.
Look at most successful software, built on building blocks of standard, robust, well-tested software. Often open source, and the help/about screen is where the contributions are acknowledged.
Locking away your source code is often resented by the type of user that would download from GitHub. Better to sell your hardware and offer the software for free. See Espressif and WaveShare for living successful examples.
I never said the user is not allowed to adopt the device.
I am saying that it would be easier for the user to get updates from me when they do not want to bother with ESPHome breaking changes that happen every so often.
I want to make it easy. But then comes the question: how do I provide proper encryption?
With weekly updates, how long do you think they will resist the temptation?
Open source everything. Leave the security where it belongs - with the user.
Show some trust and it will be reciprocated. Some people like to be treated as imbeciles, everything working automagically, but people that frequent places like these forums probably prefer full disclosure.
Make your reputation and money on service and support. People are happy to pay for that if your documentation is good but they still need hand-holding. For those that can master your device without interaction, you have made easy money on sale of the hardware.
If they are not willing to upload code to their devices, probably they resist.
On the other hand, a person that maintains his HA setup likely doesn’t need babysitting for esphome.
In case of standalone esphome setup with web server I can see use for approach OP is looking for. But web server password is mainly useful to prevent kids from accidentally playing with it; if they are curious enough to go to GitHub to get it, they can start learning esphome as well…
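The suggestion made earlier in this thread, a per-device secret built from something unique such as the MAC address combined with a key the vendor controls, sketched as an added example (not code from any poster or from ESPHome). The master secret, MAC addresses, purpose labels and function names are all constructed for illustration; the MAC alone, which anyone on the network can read, yields nothing without the master secret.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample value. A real master secret stays on the vendor's
# provisioning machine and is never written into firmware.
MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize_mac(mac: str) -> bytes:
    """Accept aa:bb:..., AA-BB-... or aabbcc... and return the 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def derive_device_secret(master: bytes, mac: str, purpose: str) -> bytes:
    """HMAC-SHA256(master, purpose || 0x00 || mac): 32 bytes per device and purpose."""
    if len(master) < 32:
        raise ValueError("master secret must be at least 32 bytes")
    msg = purpose.encode() + b"\x00" + normalize_mac(mac)
    return hmac.new(master, msg, hashlib.sha256).digest()


def provisioning_record(master: bytes, mac: str) -> dict:
    """Secrets to flash into one device and print on its label or QR code."""
    # Hypothetical purpose labels; separate labels keep the two secrets unrelated.
    ota = derive_device_secret(master, mac, "ota-password")
    api = derive_device_secret(master, mac, "api-key")
    return {
        "mac": normalize_mac(mac).hex(":"),
        # 18 bytes -> 24 URL-safe characters, no padding, fits a QR code
        "ota_password": base64.urlsafe_b64encode(ota[:18]).decode(),
        # full 32 bytes, standard base64
        "api_key": base64.b64encode(api).decode(),
    }


if __name__ == "__main__":
    for mac in ("24:6F:28:AA:BB:01", "24-6f-28-aa-bb-02"):  # constructed MACs
        print(provisioning_record(MASTER_SECRET, mac))
```

Because the master secret never leaves the provisioning machine, reading out one device's flash exposes only that device's secrets, and the vendor can recompute any device's values later from its MAC.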