Chapter 4. API Guides
espefuse.py -p PORT summary
4.13.7 Reading and Writing Data in Encrypted Flash
ESP32-S2 application code can check if flash encryption is currently enabled by calling
esp_flash_encryption_enabled(). Also, a device can identify the flash encryption mode by call-
ing esp_get_flash_encryption_mode().
Once flash encryption is enabled, be more careful with accessing flash contents from code.
Scope of Flash Encryption
Whenever the SPI_BOOT_CRYPT_CNT eFuse is set to a value with an odd number of bits, all flash content accessed
via the MMU’s flash cache is transparently decrypted. It includes:
• Executable application code in flash (IROM).
• All read-only data stored in flash (DROM).
• Any data accessed via spi_flash_mmap().
• The firmware bootloader image when it is read by the ROM bootloader.
Important: The MMU flash cache unconditionally decrypts all existing data. Data which is stored unencrypted
in flash memory will also be “transparently decrypted”via the flash cache and will appear to software as random
garbage.
Reading from Encrypted Flash
To read data without using a flash cache MMU mapping, you can use the partition read function
esp_partition_read(). This function will only decrypt data when it is read from an encrypted partition.
Data read from unencrypted partitions will not be decrypted. In this way, software can access encrypted and non-
encrypted flash in the same way.
You can also use the following SPI flash API functions:
• esp_flash_read() to read raw (encrypted) data which will not be decrypted
• esp_flash_read_encrypted() to read and decrypt data
The ROM function SPIRead() can read data without decryption, however, this function is not supported in esp-idf
applications.
Data stored using the Non-Volatile Storage (NVS) API is always stored and read decrypted from the perspective of
flash encryption. It is up to the library to provide encryption feature if required. Refer to NVS Encryption for more
details.
Writing to Encrypted Flash
It is recommended to use the partition write function esp_partition_write(). This function will only encrypt
data when it is written to an encrypted partition. Data written to unencrypted partitions will not be encrypted. In this
way, software can access encrypted and non-encrypted flash in the same way.
You can also pre-encrypt and write data using the function esp_flash_write_encrypted()
Also, the following ROM function exist but not supported in esp-idf applications:
• esp_rom_spiflash_write_encrypted pre-encrypts and writes data to flash
• SPIWrite writes unencrypted data to flash
Since data is encrypted in blocks, the minimum write size for encrypted data is 16 bytes and the alignment is also 16
bytes.
Espressif Systems 1353
Submit Document Feedback
Release v4.4
To Next Page
Loading...
Need help?
General