Chapter 4. API Guides
4.13.8 Updating Encrypted Flash
OTA Updates
OTA updates to encrypted partitions will automatically write encrypted data if the function esp_partition_write() is used.
Before building the application image for OTA updating of an already encrypted device, enable the option Enable
flash encryption on boot in project configuration menu.
For general information about ESP-IDF OTA updates, please refer to OTA
Updating Encrypted Flash via Serial
Flashing an encrypted device via serial bootloader requires that the serial bootloader download interface has not been
permanently disabled via eFuse.
In Development Mode, the recommended method is Re-flashing Updated Partitions.
In Release Mode, if a copy of the same key stored in eFuse is available on the host then it’s possible to pre-encrypt
files on the host and then flash them. See Manually Encrypting Files.
4.13.9 Disabling Flash Encryption
If flash encryption was enabled accidentally, flashing of plaintext data will soft-brick the ESP32-S2. The device will
reboot continuously, printing the error flash read err, 1000 or invalid header: 0xXXXXXX.
For flash encryption in Development mode, encryption can be disabled by burning the SPI_BOOT_CRYPT_CNT
eFuse. It can only be done one time per chip by taking the following steps:
1. In Project Configuration Menu, disable Enable flash encryption on boot, then save and exit.
2. Open project configuration menu again and double-check that you have disabled this option! If this option is
left enabled, the bootloader will immediately re-enable encryption when it boots.
3. With flash encryption disabled, build and flash the new bootloader and application by running idf.py flash.
4. Use espefuse.py (in components/esptool_py/esptool) to burn the SPI_BOOT_CRYPT_CNT eFuse by running:
espefuse.py burn_efuse SPI_BOOT_CRYPT_CNT
Reset the ESP32-S2. Flash encryption will be disabled, and the bootloader will boot as usual.
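A pre-flight check for the procedure above, added here as an example and not part of the ESP-IDF documentation: it refuses to run steps 3 and 4 while the project configuration still has flash encryption enabled, which is the mistake step 2 warns about. It assumes the menu option Enable flash encryption on boot is stored in the project's sdkconfig file as the Kconfig symbol CONFIG_SECURE_FLASH_ENC_ENABLED (the symbol name is not given on this page).

```shell
#!/bin/sh
# Guard for "Disabling Flash Encryption" (Development mode only).
# Added example; assumes the option "Enable flash encryption on boot" is
# recorded in sdkconfig as CONFIG_SECURE_FLASH_ENC_ENABLED (assumed symbol name).

# Returns 0 if the option is disabled or absent, 1 if it is still enabled,
# 2 if the sdkconfig file cannot be read.
flash_enc_disabled_in_sdkconfig() {
    sdkconfig="${1:-sdkconfig}"
    [ -r "$sdkconfig" ] || return 2
    # Kconfig writes "CONFIG_X=y" when set and "# CONFIG_X is not set" when cleared,
    # so only an exact "=y" line means encryption would be re-enabled on boot.
    if grep -q '^CONFIG_SECURE_FLASH_ENC_ENABLED=y$' "$sdkconfig"; then
        return 1
    fi
    return 0
}

# Runs steps 3 and 4 only after the check passes, so a build with the option
# still enabled never reaches the device (the bootloader would re-enable
# encryption on its next boot, and the eFuse burn is a one-time operation).
disable_flash_encryption_guarded() {
    sdkconfig="${1:-sdkconfig}"
    rc=0
    flash_enc_disabled_in_sdkconfig "$sdkconfig" || rc=$?
    case "$rc" in
        1) echo "refusing: CONFIG_SECURE_FLASH_ENC_ENABLED=y in $sdkconfig" >&2; return 1 ;;
        2) echo "refusing: cannot read $sdkconfig" >&2; return 2 ;;
    esac
    # Step 3: build and flash the bootloader and application with encryption disabled.
    idf.py flash || return $?
    # Step 4: burn SPI_BOOT_CRYPT_CNT; afterwards reset the ESP32-S2.
    espefuse.py burn_efuse SPI_BOOT_CRYPT_CNT
}
```

Call disable_flash_encryption_guarded from the project directory (or pass the sdkconfig path as its argument) after completing steps 1 and 2.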
4.13.10 Key Points About Flash Encryption
• Flash memory contents are encrypted using XTS-AES-128 or XTS-AES-256. The flash encryption key is 256 bits or 512 bits respectively; it is stored in one or two BLOCK_KEYN eFuses internal to the chip and, by default, is protected from software access.
• Flash access is transparent via the flash cache mapping feature of ESP32-S2 - any flash regions which are
mapped to the address space will be transparently decrypted when read.
• Some data partitions might need to remain unencrypted for ease of access or might require the use of flash-friendly update algorithms which are ineffective if the data is encrypted. NVS partitions for non-volatile storage cannot be encrypted since the NVS library is not directly compatible with flash encryption. For details, refer to NVS Encryption.
• If flash encryption might be used in future, the programmer must keep it in mind and take certain precautions
when writing code that uses encrypted flash.
• If secure boot is enabled, re-flashing the bootloader of an encrypted device requires a “Re-flashable” secure boot digest (see Flash Encryption and Secure Boot).
Espressif Systems 1354
Release v4.4