encrypt firmware with ESP32

Posts: 31
Joined: Thu Oct 03, 2019 9:41 am

encrypt firmware with ESP32

Postby AlexESP32 » Mon Jun 29, 2020 7:52 pm

Hey guys ;)

As mentioned in the topic I want to encrypt the firmware with the stored nvs data (password, certificates, ...).
Unfortunately I didn't understand the method of the espressif documentation (flash encryption, nvs encrytpion, secure boot).

To encrypt the NVS there are some questions:
Do I really need to adjust the source code or is it possible to do all with python scripts?
I tried this method: https://dev.to/kkentzo/how-to-encrypt-t ... esp32-4n9k and there is an additional function "nvs_secure_initialize". Do I need this function? Unfortunately this doesnt work in my opinion...

Thank you in advance.

Kind Regards,

Posts: 5
Joined: Mon Jun 01, 2020 6:28 am

Re: encrypt firmware with ESP32

Postby ESP_jakob » Wed Jul 01, 2020 10:07 am

Hi Alex,

NVS encryption, flash encryption and secure boot are different things which partially depend on each other. Let's put secure boot aside and try to only do nvs encryption first.

You first need to enable flash encryption, sometimes also called "generic flash encryption". I recommend using a host-generated key for first trials which allows you to re-flash the app as many times as possible, if the settings are correct. You can find instructions here: https://docs.espressif.com/projects/esp ... erated-key.
Once have done that and verified that the app is encrypted, e.g. by using the flash encryption example , you can proceed to enabling nvs encryption.

You DO NOT mark the nvs partition itself as encrypted, as nvs encryption works differently than the normal flash encryption.
But you do need little key partition which is encrypted with normal flash encryption. This and the other steps to setup and use an encrypted nvs partition are described here: https://docs.espressif.com/projects/esp ... encryption. We don't have an example app for nvs encryption, but you can have a look at the nvs unit tests: https://github.com/espressif/esp-idf/bl ... nvs.c#L346. These unit tests work, I just tested them today. They erase the whole nvs partition before each run, though.

Despite your opinion, you do need to use

Code: Select all

instead of the normal initialization functions ;) . Without it you won't have nvs encryption. The rest of the code, even the de-initialization stays the same though.
You also need to compile in the options for generic flash encryption and nvs flash encryption, as described in the document pages.

Only after succeeding with all this to a satisfiable degree, I recommend you can think about secure boot. After enabling secure boot and flash encryption in release mode, your debugging and re-flashing abilities will be very limited!

Let us know how it goes!

All the Best,

Posts: 31
Joined: Thu Oct 03, 2019 9:41 am

Re: encrypt firmware with ESP32

Postby AlexESP32 » Thu Jul 02, 2020 4:58 pm

Hey Jakob!

Thank you very much :)

I think I am on the right way:
I can encrypt my partitions with flash encryption and also I got nvs encryption to work.

But there are some more questions:
1. Maybe it is possilbe to explain in short why nvs cannot be encrypted with flash encryption.
In my opinion the encryption works like that:
Take the key and encrypt bootloader, partition table, all application and all partitions which has the addition "encrypted". What are the problems that nvs cannot be encrypted here?

2. What is the method if I want to re-flash the firmware (also the nvs partition) in release mode?
In my opinion I have to encrypt the firmware / partition !at the host! with the key which I have created and then I flash the encrypted firmware. Am I right? What is the command for this?

3. Why Development Mode is not "secure"? In my opinion the only difference between Development Mode and Release Mode is: At Development Mode I can flash the ESP 4x with plain text. At release I can do this only once. Am I right? In this case Development Mode would be secure too.

4. What is this command for: idf.py encrypted-flash monitor
In my opinion I use this command if a key is burned and the firmware is encrypted and I want to flash a new encrypted firmware.
But if this is true: Why is there no key required to encrypt this new firmware at the host?
And what is the difference to this command: espsecure.py encrypt_flash_data --keyfile my_flash_encryption_key.bin --address 0x10000 -o build/my-app-encrypted.bin build/my-app.bin
The last command make much more sense in my opinion than this command: idf.py encrypted-flash monitor

Thank you very much :) :)

Who is online

Users browsing this forum: WardMas and 16 guests