Tags: security, encryption, esp32, bootloader, esp-idf

How to Enable Flash Encryption After Secure Boot V2 is Enabled?


I’ve successfully enabled Secure Boot V2 on my ESP32 device using ESP-IDF, and everything is working fine. Now, I want to enable Flash Encryption as the next step in securing my firmware.

I’m referring to the official ESP-IDF documentation: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/security-features-enablement-workflows.html#enable-flash-encryption-externally

According to this, the first step to enable flash encryption externally is: esptool.py --port PORT erase_flash

This command erases the entire flash, including the bootloader region (< 0x8000). However, from my understanding, once Secure Boot V2 is enabled and applied, the bootloader cannot be rewritten (as Secure Boot expects a verified bootloader with a valid signature). This raises some concerns:

I am following the documentation, but if there is a way to enable Flash Encryption using menuconfig after Secure Boot V2 has already been enabled, I'm open to that approach as well.

  1. If I erase the flash, including the bootloader, how can I safely re-flash it again, given that Secure Boot V2 is already enforced?

  2. Is there a safe workflow for enabling Flash Encryption after Secure Boot V2 is enabled, without violating the secure boot policy or bricking the device?

  3. What are the specific challenges or caveats I should be aware of when enabling Flash Encryption after Secure Boot V2?

My goal is to enable both Secure Boot V2 and Flash Encryption, but I’m doing them step-by-step. What can I try next?
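Before running an irreversible step such as erase_flash on a device that may already have Secure Boot V2 burned, a practitioner would first read the eFuse state. The script below is an added example, not part of the original question or of ESP-IDF; it assumes the output of `espefuse.py --port PORT summary` has been saved to a file and that, as in esptool's ESP32 output, the eFuses ABS_DONE_1 (Secure Boot V2) and FLASH_CRYPT_CNT each appear on a line of their own with `= <value>`. The two summaries embedded in the script are constructed samples in that shape, not captures from real hardware.

```shell
#!/bin/sh
# Added example (not from the original post or ESP-IDF): read the eFuse
# state from a saved "espefuse.py summary" so the operator knows whether
# Secure Boot V2 and/or flash encryption are already burned before running
# "esptool.py erase_flash".
#
# Assumption (not confirmed by the page): the summary was saved with
#   espefuse.py --port PORT summary > efuse-summary.txt
# and ABS_DONE_1 / FLASH_CRYPT_CNT lines carry "= <value>" as esptool prints.

# Constructed sample: Secure Boot V2 burned, flash encryption still off.
SAMPLE_SB_ONLY='ABS_DONE_0 (BLOCK0)   Secure boot V1 is enabled for bootloader image   = False R/W (0b0)
ABS_DONE_1 (BLOCK0)   Secure boot V2 is enabled for bootloader image   = True R/W (0b1)
FLASH_CRYPT_CNT (BLOCK0)   Flash encryption is enabled if this field has an odd number of bits set   = 0 R/W (0b0000000)'

# Constructed sample: both features burned (FLASH_CRYPT_CNT = 127, seven set bits).
SAMPLE_BOTH='ABS_DONE_1 (BLOCK0)   Secure boot V2 is enabled for bootloader image   = True R/W (0b1)
FLASH_CRYPT_CNT (BLOCK0)   Flash encryption is enabled if this field has an odd number of bits set   = 127 R/W (0b1111111)'

# Print the value after "= " on the line for eFuse $2 in summary file $1.
efuse_value() {
    grep "^$2 " "$1" | sed -n 's/.*= \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# True (exit 0) when ABS_DONE_1 is burned, i.e. Secure Boot V2 is enforced.
secure_boot_v2_enabled() {
    [ "$(efuse_value "$1" ABS_DONE_1)" = "True" ]
}

# Number of set bits in a decimal value.
popcount() {
    n=$1; c=0
    while [ "$n" -gt 0 ]; do
        c=$((c + (n & 1)))
        n=$((n >> 1))
    done
    echo "$c"
}

# True (exit 0) when FLASH_CRYPT_CNT has an odd number of set bits,
# which is how the ESP32 signals that flash encryption is active.
flash_encryption_enabled() {
    v=$(efuse_value "$1" FLASH_CRYPT_CNT)
    [ -n "$v" ] && [ $(( $(popcount "$v") % 2 )) -eq 1 ]
}

# Summarise the device: "open", "secure-boot-v2", "flash-encrypted" or "both".
device_state() {
    sb=0; fe=0
    secure_boot_v2_enabled "$1" && sb=1
    flash_encryption_enabled "$1" && fe=1
    case "$sb$fe" in
        00) echo "open" ;;
        10) echo "secure-boot-v2" ;;
        01) echo "flash-encrypted" ;;
        11) echo "both" ;;
    esac
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SB_ONLY" > "$tmp"
    echo "sample 1: $(device_state "$tmp")"
    printf '%s\n' "$SAMPLE_BOTH" > "$tmp"
    echo "sample 2: $(device_state "$tmp")"
    rm -f "$tmp"
}
main "$@"
```

Run it against a real capture by replacing the constructed samples with the path to your saved summary; on a device that reports `secure-boot-v2`, anything written back after an erase has to be the bootloader signed with the key whose digest is already in eFuse, which is exactly the situation the question is asking about.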


Solution

  • I read the ESP-IDF documentation about secure boot and flash encryption, and also asked some questions on the forum. I got answers stating that flash encryption cannot be enabled on a device where secure boot is already enabled.