flash_nvs_encryption.md

File metadata and controls

55 lines (39 loc) · 2.2 KB

# Flash and NVS encryption

Below is a quick-start guide for encrypting the application and factory partitions. Before proceeding further, please READ THE DOCS FIRST. Documentation references:

## Enable flash and NVS encryption and some factory settings using `idf.py menuconfig`

- Enable flash encryption [Security features → Enable flash encryption on boot]
- NVS encryption is enabled by default once flash encryption is enabled [Component config → NVS → Enable NVS encryption]
- Use the `partitions_encrypted.csv` partition table [Partition Table → Custom partition CSV file]

## Enable the options below if you want to use the ESP32 Factory Data Provider

- Enable ESP32 Factory Data Provider [Component config → CHIP Device Layer → Commissioning options → Use ESP32 Factory Data Provider]
- Enable ESP32 Device Instance Info Provider [Component config → CHIP Device Layer → Commissioning options → Use ESP32 Device Instance Info Provider]

## Generate the factory partition using the `generate_esp32_chip_factory_bin.py` script

- See the generating factory data guide for the available factory data options
- Pass the `-e` option along with the other options to generate an encrypted factory partition
- Two partition binaries will be generated: `factory_partition.bin` and `keys/nvs_key_partition.bin`

## Flashing the application, factory partition, and NVS keys

- Flash the application using `idf.py flash`.

  NOTE: If this is not the first time you are flashing, you will have to use `idf.py encrypted-flash` instead.

- Flash the factory partition. This SHALL be a non-encrypted write, because NVS encryption works differently from flash encryption:

  ```shell
  esptool.py -p (PORT) write_flash 0x9000 path/to/factory_partition.bin
  ```

- Flash the NVS keys partition with an encrypted write:

  ```shell
  esptool.py -p (PORT) write_flash --encrypt 0x317000 path/to/nvs_key_partition.bin
  ```

NOTE: The commands above use the default addresses printed in the boot logs.
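The two `write_flash` commands above hard-code the 0x9000 and 0x317000 offsets copied from the boot log, and the only thing distinguishing them is whether `--encrypt` is present. The script below is an added example (not part of this guide or of the project's tooling) that derives both from the partition table instead: it parses an ESP-IDF partition CSV, fills in blank offsets with the alignment rules ESP-IDF uses (64 KiB for app partitions, 4 KiB for data partitions), rejects overlapping or misaligned entries, and emits `--encrypt` only for partitions carrying the `encrypted` flag, which is how the NVS keys partition is marked while the NVS factory data itself is written in plain. It also refuses an NVS data partition marked `encrypted`, since NVS encryption is done by the NVS library with the separate key partition, not by flash-encrypting the data. The CSV embedded in the script is constructed for this example; only the `fctry` and `nvs_key` offsets are taken from the commands above.

```python
"""Derive esptool.py write_flash commands from an ESP-IDF partition CSV.

Added example, not part of the original guide or the project's tooling.
The sample partition table below is constructed; only the fctry and nvs_key
offsets are taken from the esptool commands in the guide.
"""
import csv
import io

APP_ALIGN = 0x10000   # ESP-IDF aligns app partitions to 64 KiB
DATA_ALIGN = 0x1000   # ...and data partitions to 4 KiB (one flash sector)

# Constructed sample table (ESP-IDF CSV format: Name, Type, SubType, Offset, Size, Flags).
SAMPLE_CSV = """\
# Name,   Type, SubType,  Offset,   Size,     Flags
fctry,    data, nvs,      0x9000,   0x6000,
nvs,      data, nvs,      ,         0x6000,
otadata,  data, ota,      ,         0x2000,
phy_init, data, phy,      ,         0x1000,
ota_0,    app,  ota_0,    ,         0x170000,
ota_1,    app,  ota_1,    ,         0x170000,
nvs_key,  data, nvs_keys, 0x317000, 0x1000,   encrypted
"""


def parse_size(text):
    """Accept hex, decimal, or K/M-suffixed sizes as the CSV format allows."""
    text = text.strip().upper()
    if text.endswith("K"):
        return int(text[:-1]) * 1024
    if text.endswith("M"):
        return int(text[:-1]) * 1024 * 1024
    return int(text, 0)


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_partition_table(csv_text):
    """Return a list of partition dicts, filling blank offsets sequentially.

    Raises ValueError on misaligned or overlapping partitions, and on an NVS
    data partition marked `encrypted` (NVS encryption uses its own key
    partition; the data partition itself is written unencrypted).
    """
    partitions = []
    next_free = 0
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].strip().startswith("#"):
            continue
        fields = [f.strip() for f in row] + [""] * 6
        name, ptype, subtype, offset, size, flags = fields[:6]
        align = APP_ALIGN if ptype == "app" else DATA_ALIGN
        start = int(offset, 0) if offset else align_up(next_free, align)
        length = parse_size(size)
        flag_list = [f for f in flags.split(":") if f]
        if start % align:
            raise ValueError(f"{name}: offset 0x{start:x} is not {align:#x}-aligned")
        if start < next_free:
            raise ValueError(f"{name}: offset 0x{start:x} overlaps the previous partition")
        if subtype == "nvs" and "encrypted" in flag_list:
            raise ValueError(f"{name}: NVS data is not flash-encrypted; use NVS encryption")
        partitions.append({"name": name, "type": ptype, "subtype": subtype,
                           "offset": start, "size": length, "flags": flag_list})
        next_free = start + length
    return partitions


def find_partition(partitions, name):
    for part in partitions:
        if part["name"] == name:
            return part
    raise KeyError(name)


def write_flash_command(port, partition, image_path):
    """Build the esptool.py argv; --encrypt only for `encrypted` partitions."""
    cmd = ["esptool.py", "-p", port, "write_flash"]
    if "encrypted" in partition["flags"]:
        cmd.append("--encrypt")
    cmd += [f"0x{partition['offset']:x}", image_path]
    return cmd


if __name__ == "__main__":
    table = parse_partition_table(SAMPLE_CSV)
    for name, image in (("fctry", "path/to/factory_partition.bin"),
                        ("nvs_key", "path/to/keys/nvs_key_partition.bin")):
        print(" ".join(write_flash_command("(PORT)", find_partition(table, name), image)))
```

Running the script prints the same two commands as the guide, with `--encrypt` applied to `nvs_key` and not to `fctry`. Point it at your project's own `partitions_encrypted.csv` rather than the constructed sample, and the offsets it prints are the ones the bootloader will report in the boot log.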