The local broker is a small device in one designated area. Its responsibility is to provide plaintext data exchange for all local devices and an encrypted link to the central broker. This allows the use of very cheap endpoint devices that do not have enough resources for robust data encryption.
MQTT implements client authentication based on username/password, but the credentials are sent in plaintext only. This is reasonable because MQTT is designed for small devices, like AVR microcontrollers, which do not have enough resources to implement modern encryption. For that reason, endpoint devices establish an unencrypted connection with the local broker and must be placed inside a secured perimeter.
The local MQTT broker then establishes an encrypted connection to the central MQTT broker and so creates a secure network.
There are two ways to establish an encrypted bridge connection between the local and central broker:
The first approach is preferred. See the security concerns.
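The split described above (plaintext for endpoint devices inside the perimeter, an encrypted bridge outwards) as an added example configuration, not the page's own; it assumes Mosquitto as the broker software and a TLS bridge as the encrypted link, and every address, path, username and topic prefix is a placeholder.

```conf
# Added example, not the project's own configuration. Assumes Mosquitto;
# all addresses, file paths, credentials and topic names are placeholders.

# --- Plaintext listener for endpoint devices on the local network ---
# Bound to the LAN interface only, so the unencrypted port is never
# reachable from outside the secured perimeter.
listener 1883 192.168.10.1
allow_anonymous false
password_file /etc/mosquitto/local_passwd

# --- Encrypted bridge to the central broker ---
connection to-central
address central-broker.example.org:8883
bridge_protocol_version mqttv311
# CA that signed the central broker's certificate; required so the local
# broker verifies who it is talking to before sending credentials.
bridge_cafile /etc/mosquitto/certs/central-ca.crt
# Optional client certificate, lets central authenticate this site
# without a shared password.
bridge_certfile /etc/mosquitto/certs/local-broker.crt
bridge_keyfile /etc/mosquitto/certs/local-broker.key
# Keep hostname verification on; "true" would accept any certificate.
bridge_insecure false
remote_username local-site-01
# Placeholder only; a client certificate is preferable to a static password.
remote_password CHANGE_ME
cleansession false
notifications true
try_private true

# Forward local sensor data out and accept commands in, prefixing topics
# with the site name so the central broker can tell sites apart.
topic sensors/# out 1 "" site01/
topic commands/# in 1 "" site01/
```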
Because the network is designed to span many places, the local MQTT broker should be as cheap as possible. It can be even cheaper than the endpoint devices.
Currently, a local broker can be built from these devices:
Local brokers are nothing more than ordinary Linux-powered computers. Many other devices can be easily added.