ESP_Angus wrote: As WiFive says, using flash encryption & secure boot together provides local physical firmware security. To protect data in transit over the network, you need additional steps.
To prevent OTA updates being downloaded by unauthorised parties, I'd recommend using HTTPS and some kind of authentication method based on a private key or other secret stored in the client ESP32 - either TLS Client Certificate auth, or some kind of secret device ID which is not broadcast but stored encrypted in the ESP32 flash.
The ESP32 identifies itself to the server over HTTPS, and then the server provides the .bin image using TLS to encrypt the data transfer.
Thanks for your detailed answer, I understand that completely now.
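For reference, here is what the server side of the scheme ESP_Angus describes can look like: a stdlib-only Python HTTPS server that requires a TLS client certificate, reads the device identity from it, and serves the .bin image only to a device that is allowlisted for that exact file. This is an added example, not code from the thread or from ESP-IDF; the certificate/key paths, the firmware directory and the device allowlist are assumptions.

```python
import os
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

DEVICE_CA = "device-ca.pem"          # assumed: CA that signed every device client cert
SERVER_CERT, SERVER_KEY = "server.pem", "server.key"   # assumed server identity
FIRMWARE_DIR = "firmware"            # assumed: directory holding the .bin images
# Constructed allowlist: the one image each authenticated device may download.
ALLOWED_IMAGES = {"esp32-0001": "app-v2.bin", "esp32-0002": "app-v2.bin"}

def device_id_from_cert(peer_cert):
    """commonName from the dict ssl.SSLSocket.getpeercert() returns, else None."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize_image(device_id, requested, allowed=ALLOWED_IMAGES):
    """Image the device may fetch, or None: it must be allowlisted and ask for
    exactly its assigned file, so one device's cert cannot pull other files."""
    if device_id is None or os.path.basename(requested) != requested:
        return None
    permitted = allowed.get(device_id)
    return permitted if permitted == requested else None

class OTAHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The TLS layer has already verified the cert against DEVICE_CA; here we
        # only map the authenticated identity to the image it may receive.
        device_id = device_id_from_cert(self.connection.getpeercert())
        image = authorize_image(device_id, self.path.lstrip("/"))
        if image is None:
            self.send_error(403, "device not authorised for this image")
            return
        with open(os.path.join(FIRMWARE_DIR, image), "rb") as fh:
            data = fh.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)   # the image travels inside the TLS session

def serve(port=8443):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails without a client cert
    ctx.load_verify_locations(DEVICE_CA)     # trust only certs issued by the device CA
    ctx.load_cert_chain(SERVER_CERT, SERVER_KEY)
    httpd = HTTPServer(("0.0.0.0", port), OTAHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Run `serve()` with the assumed files in place; the ESP32 then needs the device CA's server certificate chain plus its own client certificate and key configured for the HTTPS OTA request.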