General Question about Flash Encryption

[andreko]

Hi, just a general question about the usage of flash encryption. The documentation says

Flash encryption is intended for encrypting the contents of off-chip flash memory.

What does that exactly mean? Does it only make sense for an ESP chip that has a separate flash chip attached via SPI?
Or is it also necessary for ESP chips that have "internal" flash in a SiP configuration, like a ESP8684H4 for example?
I would guess that the latter is already protected by the package and the flash is not accessible from the outside.

What is the general recommendation here? Any thoughts or experience from the forum?

Thanks for all helpful feedback.

[ESP_Sprite]

Yes, SiP is also included in 'off-chip' flash. Whether the packaging itself already is enough protection depends on your threat model, see e.g. here for a demonstration (on STM32 clone chips) where it might not be.

[andreko]

Thanks for the reply. OK I understand that there are ways to open the plastic package, but usually there would be no access to the SiP flash using normal pins I guess. But anyway a good point to maybe enable flash encryption for this scenario as well.