Hi Alex,
NVS encryption, flash encryption and secure boot are different things which partially depend on each other. Let's put secure boot aside and try to only do nvs encryption first.
You first need to enable flash encryption, sometimes also called "generic flash encryption". I recommend using a host-generated key for first trials which allows you to re-flash the app as many times as possible, if the settings are correct. You can find instructions here:
https://docs.espressif.com/projects/esp ... erated-key.
Once you have done that and verified that the app is encrypted, e.g. by using the flash encryption example, you can proceed to enabling nvs encryption.
You DO NOT mark the nvs partition itself as encrypted, as nvs encryption works differently than the normal flash encryption.
But you do need a little key partition which is encrypted with normal flash encryption. This and the other steps to set up and use an encrypted nvs partition are described here:
https://docs.espressif.com/projects/esp ... encryption.
We don't have an example app for nvs encryption, but you can have a look at the nvs unit tests:
https://github.com/espressif/esp-idf/bl ... nvs.c#L346.
These unit tests work, I just tested them today. They erase the whole nvs partition before each run, though.
Despite your opinion, you do need to use
instead of the normal initialization functions

. Without it you won't have nvs encryption. The rest of the code, even the de-initialization stays the same though.
You also need to compile in the options for generic flash encryption and nvs flash encryption, as described in the document pages.
Only after succeeding with all this to a satisfactory degree, I recommend you think about secure boot. After enabling secure boot and flash encryption in release mode, your debugging and re-flashing abilities will be very limited!
Let us know how it goes!
All the Best,
Jakob
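
The layout described in the reply above (nvs partition not flagged encrypted, a separate key partition that is flagged encrypted, both build options compiled in) can be checked before flashing. This is an added example, not part of the post or of ESP-IDF; the sample partition table and sdkconfig are constructed, the function names are hypothetical, and it assumes the ESP-IDF partition CSV columns, the `nvs_keys` subtype and the `CONFIG_SECURE_FLASH_ENC_ENABLED` / `CONFIG_NVS_ENCRYPTION` option names.

```python
import csv

# Constructed sample partition table in ESP-IDF CSV layout (not from the thread).
SAMPLE_CSV = """\
# Name,   Type, SubType,  Offset,   Size,    Flags
nvs,      data, nvs,      0x9000,   0x6000,
nvs_key,  data, nvs_keys, 0xf000,   0x1000,  encrypted
factory,  app,  factory,  0x10000,  1M,
"""

# Constructed sdkconfig fragment (assumed option names: ESP-IDF Kconfig symbols).
SAMPLE_SDKCONFIG = "CONFIG_SECURE_FLASH_ENC_ENABLED=y\nCONFIG_NVS_ENCRYPTION=y\n"

def parse_partitions(text):
    """Return one dict per non-comment row of the partition CSV."""
    rows = []
    for fields in csv.reader(text.splitlines()):
        fields = [f.strip() for f in fields]
        if not fields or not fields[0] or fields[0].startswith("#"):
            continue
        fields += [""] * (6 - len(fields))  # trailing columns may be omitted
        name, ptype, subtype, _off, _size, flags = fields[:6]
        rows.append({"name": name, "type": ptype, "subtype": subtype,
                     "flags": set(filter(None, flags.split(":")))})
    return rows

def check_nvs_encryption(csv_text, sdkconfig_text):
    """Return a list of findings; an empty list means the layout is as described."""
    findings = []
    data = [p for p in parse_partitions(csv_text) if p["type"] == "data"]
    for p in data:
        if p["subtype"] == "nvs" and "encrypted" in p["flags"]:
            findings.append(f"{p['name']}: nvs partition must not be flagged encrypted")
    keys = [p for p in data if p["subtype"] == "nvs_keys"]
    if not keys:
        findings.append("no nvs_keys partition found")
    for p in keys:
        if "encrypted" not in p["flags"]:
            findings.append(f"{p['name']}: key partition must be flagged encrypted")
    enabled = {l.strip().split("=")[0] for l in sdkconfig_text.splitlines()
               if l.strip().endswith("=y")}
    for opt in ("CONFIG_SECURE_FLASH_ENC_ENABLED", "CONFIG_NVS_ENCRYPTION"):
        if opt not in enabled:
            findings.append(f"{opt} is not set")
    return findings

if __name__ == "__main__":
    print(check_nvs_encryption(SAMPLE_CSV, SAMPLE_SDKCONFIG) or "layout OK")
```

The check only covers build-time layout; it does not confirm that the firmware calls the secure NVS initialization the reply refers to.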