Hi!
I have to set up each ESP32 with some unique NVS data during manufacturing (serial number, private keys, etc.). Flash and NVS encryption are enabled.
I quite love the Flash encryption feature where the key gets generated on the device and the marked partitions are encrypted in-place. I don't have to worry about generating keys or pre-encrypting the partitions on my PC. Super easy.
So far it seems to me that similar in-place encryption doesn't happen with NVS data. Is that correct? I have to always pre-encrypt the NVS partition with data on it, then flash this to the device?
I've done a few experiments, but when NVS encryption is enabled, calling nvs_flash_secure_init_partition() on an NVS partition with unencrypted data on it will erase the data. Side note: the documentation for this function says absolutely nothing about what it does or what the side effects are. I would really expect to see a useful description of this along with a big fat warning that data gets erased under some circumstances.
NVS doesn't support in-place encryption of a partition with data on it?