
ESP32 flash encryption enabled by Mongoose OS

Posted: Fri May 19, 2017 4:32 pm
by novlean
The ESP32 chip comes with built-in security features, one of which is transparent SPI flash encryption. That feature is critical for securing a device's cloud access.
By default, an ESP32 firmware is kept in plain text form on flash:

# Dump initial 2k of filesystem area to stdout
mos flash-read --arch esp32 0x190000 2000 -
The flash-read command dumps the flash memory into a file, and the output shows that the content is not encrypted. Therefore, sensitive information like TLS private keys could easily be stolen from the flash, since that part of the device's file system is not encrypted.

To enable flash encryption, use Mongoose OS -> https://mongoose-os.com/blog/mongoose-o ... ncryption/

Re: ESP32 flash encryption enabled by Mongoose OS

Posted: Sat May 20, 2017 10:13 am
by ESP_Sprite
Thanks for the information, but your implied assertion that only Mongoose supports flash encryption is incorrect. We've supported this since very early in the esp-idf release process: Documentation.

Re: ESP32 flash encryption enabled by Mongoose OS

Posted: Mon May 22, 2017 1:03 pm
by sergey.lyubka
Yes indeed!

The Mongoose OS implementation is based on ESP-IDF; in fact, we've submitted some patches during our work that have been integrated into ESP-IDF. The point is: Mongoose OS makes the flash encryption process very easy - it's a single command. Otherwise, it is not trivial to do in a real firmware.