Flash Encryption key write protection.

[ESP_Angus]

1-
espsecure.py generate_flash_encryption_key acti_flash_encryption_key.bin

2-
espefuse.py --port COM155 burn_key flash_encryption acti_flash_encryption_key.bin

3-
espsecure.py encrypt_flash_data --keyfile acti_flash_encryption_key.bin --address 0x10000 -o ./build/app-encrypted.bin ./build/app-template.bin

4-

esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-encrypted.bin


Are these steps correct. Am I missing any steps?

Each step looks correct but you are missing some steps between (2) and (3). After you burn the flash encryption key, the first time you flash you need to flash a plaintext bootloader and a plaintext app. The ESP32 will encrypt itself on the first boot.

The steps are laid out in more detail here:
http://esp-idf.readthedocs.io/en/latest ... yption-key

(The missing part is under the heading "First Flash with pregenerated key".)

[snahmad75]

1-
espsecure.py generate_flash_encryption_key acti_flash_encryption_key.bin

2-
espefuse.py --port COM155 burn_key flash_encryption acti_flash_encryption_key.bin
3-
esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-template.bin

4-
espsecure.py encrypt_flash_data --keyfile acti_flash_encryption_key.bin --address 0x10000 -o ./build/app-encrypted.bin ./build/app-template.bin

5-

esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-encrypted.bin


I have added missing step. Is this good now?

[WiFive]

Instead of step 3 you should set appropriate encryption settings in menuconfig and do make flash. When you boot first time it will encrypt the flash including not just the app but bootloader, etc.. Step 4-5 is for updating app.

[snahmad75]

ok,

Do I need to change my config only one thing mention below for step3 and do make flash.

The bootloader must be compiled with flash encryption support enabled. In make menuconfig, navigate to “Security Features” and select “Yes” for “Enable flash encryption on boot”.

[WiFive]

Yes

[ESP_Angus]

That's correct, set this one option and rebuild the entire project including bootloader (ie make or make flash).

When flash encryption is on, "make flash" won't automatically perform flashing (this is a safety feature as you can brick devices if the keys aren't yet set up correctly - as you unfortunately discovered). But it will print the full command line to run for flashing, and then you can run it manually.

[snahmad75]

Just to clarify

Question #1
Enable below option make sense. good.

option #2
The bootloader must be compiled with flash encryption support enabled. In make menuconfig, navigate to “Security Features” and select “Yes” for “Enable flash encryption on boot”

How about sub options "Potential insecure options" under above option. do I need to enable them?


How about first option above it.

option #'1

In make menuconfig, navigate to “Security Features” and select “Yes” for “Enable secure boot in bootloader”

Question #2

http://esp-idf.readthedocs.io/en/latest ... yption-key

Is Disabling Flash Encryption sub topic to disable temporary and run application without encryption.

Question #3

Do I need to bother with these commands.

espefuse.py --port PORT burn_efuse DISABLE_DL_DECRYPT
espefuse.py --port PORT write_protect_efuse DISABLE_DL_ENCRYPT

Question #4

So the burn a key to the device (one time only) . I need to keep key saved in my file. do not lose my key file.

[snahmad75]

Can some one reply to clarify my last post.

[ESP_Angus]

Hi snahmad75,

How about sub options "Potential insecure options" under above option. do I need to enable them?

You can read about these options here (or press the '?' key when highlighted in menuconfig) to decide:
http://esp-idf.readthedocs.io/en/latest ... re-options

(In general, no - and never in production. But maybe you have some use case that can use one of them in testing.)

Is Disabling Flash Encryption sub topic to disable temporary and run application without encryption.

It allows you to re-flash plaintext bootloader & app without encryption. It doesn't allow you to run the previously encrypted application.

Do I need to bother with these commands.

espefuse.py --port PORT burn_efuse DISABLE_DL_DECRYPT
espefuse.py --port PORT write_protect_efuse DISABLE_DL_ENCRYPT

No. To understand why, refer to the documentation where these commands are quoted:
http://esp-idf.readthedocs.io/en/latest ... decryption

So the burn a key to the device (one time only) . I need to keep key saved in my file. do not lose my key file.

That is correct.

Can I ask what stage of development you're at right now? Usually we would only recommend customers start enabling flash encryption and secure boot after their application is feature complete and at least the beta stage. You can develop your application with plaintext devices for prototyping and debugging and then enable the security features for final testing before you go into production.

[snahmad75]

I am at initial stage of development but I need to test enable the security features for later production usage.
I guess I can test encryption key with my dev board and keep encryption private key save into file to be used later.
Thanks for answer all my question. I am satisfied.