esp32-s3 manual firmware encryption and OTA without sdkconfig flash-encryption enabled

[Jonathan2892]

Hi,

I want to know if my process for encryption is correct and if it is needed to enable flash encryption in sdkconfig to have OTA updates encrypted.

For now my process is the following:

Code: Select all

esptool.py --port $SERIAL_PORT erase_flash
espsecure.py generate_flash_encryption_key --keylen 512 $ENCRYPTION_KEY_PATH
espsecure.py encrypt_flash_data --aes_xts --keyfile $ENCRYPTION_KEY_PATH --address 0x0 --output $FIRMWARE_ENCRYPTED_PATH/$MAC.bootloader.bin $BOOTLOADER_UNENCRYPTED_PATH

Of course I do the encryption also for partition, app and OTA data.

Code: Select all

espefuse.py -p $SERIAL_PORT burn_key BLOCK_KEY0 $ENCRYPTION_KEY_PATH XTS_AES_256_KEY --show-sensitive-info

I use --show-sensitive-info and save the logs, so I know the key for each device. I need this in case of a major fail, because then I can flash the devices manually again.

Code: Select all

 espefuse.py -p $SERIAL_PORT burn_efuse DIS_DOWNLOAD_MANUAL_ENCRYPT 1
 espefuse.py -p $SERIAL_PORT burn_efuse SPI_BOOT_CRYPT_CNT 7

Later on I burn all security relevant fuses and I also plan to use secure-boot v2.

I know that form now on I can only flash already encrypted data. And that is fine for me.
What I am now wondering about is that I have not enabled flash-encryption in the sdkconfig, but actually I do not need it right? Because I manually encrypt the binaries on my host-computer.

My OTA update is in plaintext and the esp32-s3 will encrypt the data when OTA is performed as said in the docs. Do I have to enable flash-encryption in sdkconfig for that to work?

Best

[Jonathan2892]

Think I found the answer in the docs:

Before building the application image for OTA updating of an already encrypted device, enable the option Enable flash encryption on boot in project configuration menu.

This means that I have to activate the option ‘Flash encryption on boot’, even if it is not necessary for flashing encrypted data via the manual way.