I just tested flash encryption with the mentioned changes, such as removing the line in
nvs_partition_lookup.cpp and adding the
encrypted flag to the NVS partition. I did this on a device that had worked unencrypted before and had already stored some data in the NVS partition. I recompiled the binaries and flashed the device with flash encryption enabled as described. During boot, I could verify how the bootloader, the partition table, the NVS partition, and the app partition got encrypted. Unfortunately, the previously saved data in the NVS partition could not be read.
When I afterwards store data with flash encryption enabled, everything works fine, and I can read from and write to the values inside the NVS partition. But I did not manage to write an existing partition to the flash and read its values which is often necessary for factory data, neither with
Code: Select all
esptool.py write_flash 0x10000 nvs_factory.bin
nor with encryption enabled.
Code: Select all
esptool.py write_flash 0x10000 nvs_factory.bin --encrypt
This behavior indicates that it would not be possible to flash a (factory) partition on the device that gets encrypted during the first boot process and is readable for the NVS system. This is probably the downside of this procedure, or has anyone succeeded with this?
With the nvs_keys partition, it is possible to pre-encrypt a partition (e.g., factory partition), flash both the factory partition and nvs_keys partition to the device, and read from it.