
I’ve successfully enabled Secure Boot V2 on my ESP32 device using ESP-IDF, and everything is working fine. Now, I want to enable Flash Encryption as the next step in securing my firmware.

I’m referring to the official ESP-IDF documentation: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/security-features-enablement-workflows.html#enable-flash-encryption-externally

According to this, the first step to enable flash encryption externally is: esptool.py --port PORT erase_flash

I am following the documentation, but if there is a way to enable Flash Encryption using menuconfig after Secure Boot V2 has already been enabled, I’m open to that approach as well.

This command erases the entire flash, including the bootloader region (< 0x8000). However, from my understanding, once Secure Boot V2 is enabled and applied, the bootloader cannot be rewritten (as Secure Boot expects a verified bootloader with a valid signature). This raises some concerns:

  1. If I erase the flash, including the bootloader, how can I safely re-flash it again, given that Secure Boot V2 is already enforced?

  2. Is there a safe workflow for enabling Flash Encryption after Secure Boot V2 is enabled, without violating the secure boot policy or bricking the device?

  3. What are the specific challenges or caveats I should be aware of when enabling Flash Encryption after Secure Boot V2?

My goal is to enable both Secure Boot V2 and Flash Encryption, but I’m doing them step-by-step. What can I try next?

2 Answers


After you've enabled Secure Boot you're free to erase and flash both the second stage bootloader and the app any way you wish. The only restriction is that both bootloader and app images must be signed with the key that you've configured.

  1. You can flash as before, taking into account that both bootloader and app must be correctly signed

  2. There is very little interaction between Secure Boot and Flash Encryption. One does not disturb the other. Easiest and most foolproof is the standard Flash Encryption scenario where second stage bootloader does the encrypting when it starts.

  3. No need to worry too much.

If you're worried about bricking your nice devkit, buy a few bare ESP32-WROOM modules and a socket that accepts them. This allows you to brick the cheap modules during your experiments, causing least damage.


I read the ESP-IDF documentation about secure boot and flash encryption, and also asked some questions on the forum. I got answers stating that flash encryption cannot be enabled on a device where secure boot is already enabled.
