Chapter 4. API Guides
espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin
Otherwise, if the size of the generated AES-XTS key is AES-256 (512-bit key):
espsecure.py generate_flash_encryption_key --keylen 512 my_flash_encryption_key.bin
3. Before the first encrypted boot, burn the key into your device’s eFuse using the command below. This
action can be done only once.
espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin KEYPURPOSE
where BLOCK is a free key block between BLOCK_KEY0 and BLOCK_KEY5, and KEYPURPOSE is either
XTS_AES_256_KEY_1, XTS_AES_256_KEY_2 or XTS_AES_128_KEY. See the ESP32-S2 Technical
Reference Manual for a description of the key purposes.
For AES-128 (256-bit key), use XTS_AES_128_KEY:
espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin XTS_AES_128_KEY
For AES-256 (512-bit key), use XTS_AES_256_KEY_1 and XTS_AES_256_KEY_2. espefuse.py
supports burning both of these key purposes together with a 512-bit key to two separate key
blocks via the virtual key purpose XTS_AES_256_KEY. When this is used, espefuse.py burns
the first 256 bits of the key to the specified BLOCK and sets that block's key purpose to
XTS_AES_256_KEY_1. The last 256 bits of the key are burned to the first free key block after
BLOCK, and that block's key purpose is set to XTS_AES_256_KEY_2:
espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin XTS_AES_256_KEY
If you wish to specify exactly which two blocks are used, it is possible to divide the key into two
256-bit keys and manually burn each half with XTS_AES_256_KEY_1 and XTS_AES_256_KEY_2 as
key purposes:
split -b 32 my_flash_encryption_key.bin my_flash_encryption_key.bin.
espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin.aa XTS_AES_256_KEY_1
espefuse.py --port PORT burn_key BLOCK+1 my_flash_encryption_key.bin.ab XTS_AES_256_KEY_2
If the key is not burned and the device is started after enabling flash encryption, the ESP32-S2 will
generate a random key that software cannot access or modify.
4. In Project Configuration Menu, do the following:
• Enable flash encryption on boot
• Select encryption mode (Development mode by default)
• Select the appropriate bootloader log verbosity
• Save the configuration and exit.
Enabling flash encryption will increase the size of the bootloader, which might require updating the partition table offset.
See Bootloader Size.
5. Run the command given below to build and flash the complete images.
idf.py flash monitor
Note: This command does not include any user files that should be written to the partitions on the
flash memory. Please write them manually before running this command, otherwise the files should be
Espressif Systems 1349
Release v4.4