Chapter 4. API Guides
You can also consider protecting phy_init data from physical access, readout, or modification, by marking
the optional phy partition with the flag encrypted.
The nvs partition cannot be encrypted, because the NVS library is not directly compatible with flash encryption.
Enabling UART Bootloader Encryption/Decryption
On the first boot, the flash encryption process burns by default the following eFuses:
- DIS_DOWNLOAD_MANUAL_ENCRYPT, which disables flash encryption operation when running in UART bootloader boot mode.
- DIS_DOWNLOAD_ICACHE and DIS_DOWNLOAD_DCACHE, which disable the entire MMU flash cache when running in UART bootloader mode.
- HARD_DIS_JTAG, which disables JTAG.
- DIS_LEGACY_SPI_BOOT, which disables Legacy SPI boot mode.
However, before the first boot you can choose to keep any of these features enabled by burning only selected eFuses and write-protecting the rest of the eFuses with the unset value 0. For example:
espefuse.py --port PORT burn_efuse DIS_DOWNLOAD_MANUAL_ENCRYPT
espefuse.py --port PORT write_protect_efuse DIS_DOWNLOAD_MANUAL_ENCRYPT
Note: Set all appropriate bits before write-protecting!
Write protection of all three eFuses is controlled by one bit. This means that write-protecting one eFuse bit will inevitably write-protect all unset eFuse bits.
Write protecting these eFuses to keep them unset is not currently very useful, as esptool.py does not support
reading encrypted flash.
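The ordering constraint above (burn the selected eFuses first, then write-protect, because one protect bit covers the whole group) is easy to get wrong in a provisioning script. The following is an added example, not ESP-IDF or esptool code: a toy model of the shared write-protect bit (EfuseGroup is an assumption, not the real eFuse controller) that generates the espefuse.py command lines for a chosen set of features to keep enabled and replays a command list to show which burns would be rejected by a bad ordering.

```python
import shlex

# eFuses the bootloader burns on first boot, named as in the text above
FIRST_BOOT_EFUSES = ("DIS_DOWNLOAD_MANUAL_ENCRYPT", "DIS_DOWNLOAD_ICACHE",
                     "DIS_DOWNLOAD_DCACHE", "HARD_DIS_JTAG", "DIS_LEGACY_SPI_BOOT")


class EfuseGroup:
    """Toy model (assumption): bits are one-time programmable 0 -> 1, and a
    single write-protect bit covers every eFuse in the group."""
    def __init__(self):
        self.bits = dict.fromkeys(FIRST_BOOT_EFUSES, 0)
        self.write_protected = False

    def burn_efuse(self, name):
        if self.bits[name] == 0 and self.write_protected:
            raise RuntimeError(f"{name} is locked at 0: protect bit was set first")
        self.bits[name] = 1                # eFuse bits only ever go 0 -> 1

    def write_protect_efuse(self, name):
        self.bits[name]                    # KeyError for an unknown eFuse
        self.write_protected = True        # locks every still-unset bit


def plan_commands(port, keep_enabled):
    """espefuse.py lines that burn all first-boot eFuses except those whose
    feature should stay enabled, then write-protect the rest at 0."""
    unknown = set(keep_enabled) - set(FIRST_BOOT_EFUSES)
    if unknown:
        raise ValueError(f"not a first-boot eFuse: {sorted(unknown)}")
    to_burn = [n for n in FIRST_BOOT_EFUSES if n not in keep_enabled]
    cmds = [f"espefuse.py --port {port} burn_efuse {n}" for n in to_burn]
    # write_protect_efuse goes last; any one name sets the shared protect bit
    cmds.append(f"espefuse.py --port {port} write_protect_efuse {FIRST_BOOT_EFUSES[0]}")
    return cmds


def replay(cmds):
    """Replay a command list on a fresh model. Returns (bits, protected,
    rejected): rejected lists eFuses that could not be burned because the
    shared write-protect bit had already been set."""
    group, rejected = EfuseGroup(), []
    for cmd in cmds:
        op, name = shlex.split(cmd)[-2:]
        try:
            getattr(group, op)(name)
        except RuntimeError:
            rejected.append(name)
    return group.bits, group.write_protected, rejected


if __name__ == "__main__":
    print(replay(plan_commands("/dev/ttyUSB0", {"HARD_DIS_JTAG"})))
```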
JTAG Debugging
By default, when Flash Encryption is enabled (in either Development or Release mode), JTAG debugging is disabled via eFuse. The bootloader does this on first boot, at the same time it enables flash encryption.
See JTAG with Flash Encryption or Secure Boot for more information about using JTAG Debugging with Flash
Encryption.
Manually Encrypting Files
Manually encrypting or decrypting files requires the flash encryption key to be pre-burned in eFuse (see Using Host Generated Key) and a copy to be kept on the host. If flash encryption is configured in Development Mode then it is not necessary to keep a copy of the key or follow these steps; the simpler Re-flashing Updated Partitions steps can be used.
The key file should be a single raw binary file (example: key.bin).
For example, these are the steps to encrypt the file build/my-app.bin to flash at offset 0x10000. Run espsecure.py as follows:
espsecure.py encrypt_flash_data --aes_xts --keyfile /path/to/key.bin --address 0x10000 --output my-app-ciphertext.bin build/my-app.bin
The file my-app-ciphertext.bin can then be flashed to offset 0x10000 using esptool.py. To see all of the
command line options recommended for esptool.py, see the output printed when idf.py build succeeds.
Espressif Systems 1356
Release v4.4