ESP32 flash encryption enabled by Mongoose OS

[novlean]

ESP32 chip comes with built-in security features, one of which is a transparent SPI flash encryption. That feature is critical for securing device's cloud access.
By default, an ESP32 firmware is kept in plain text form on flash:

Code: Select all

# Dump initial 2k of filesystem area to stdout
mos flash-read --arch esp32 0x190000 2000 -  

The flash-read command dumps the flash memory into a file and the output can show that the content is not encrypted. Therefore, sensitive information like TLS private keys could be easily stolen from the flash, since the part of the device's file system is not encrypted.

In order to enable flash encryption, use the Mongoose OS -> https://mongoose-os.com/blog/mongoose-o ... ncryption/

[ESP_Sprite]

Thanks for the information, but your implied assertion that only Mongoose supports flash encryption is incorrect. We've supported this since very early in the esp-idf release process: Documentation.

[sergey.lyubka]

Yes indeed!

Mongoose OS implementation is based on ESP-IDF, in fact we've submitted some patches during our work that has been integrated into ESP-IDF. The point is: Mongoose OS makes flash encryption process very easy - that's a single command. Otherwise, it is not trivial to do in a real firmware.