Hello,

The espsecure script uses standard python os.urandom call for RNG requirement. Please refer to documentation details here for more information: https://docs.python.org/3/library/os.html#os.urandom

Regarding the EN 18031 compliance, please refer to:

https://developer.espressif.com/blog/2025 ...

Hello,

1. If we have different keys, should we sign our binaries with all keys? (e.g. in the example before we have 3 ECDSA keys on secure blocks, so should we sign the binaries three times?)


Yes, if you would like to consider key revocation feature then you must sign the bootloader image with ...

Hello,

To switch from the flash encryption development to release mode, we recommend using API `esp_flash_encryption_set_release_mode`. This API can be called in the application startup sequence and it shall take care of burning all necessary efuses required for the release mode. ( https://github ...

Hello,

1) In development mode, is it possible to reflash non-encrypted firmware in the flash ? If the answer is yes, does it mean that :
A) The Esp32S3 can automatically use the key stored in the eFuses (Because it has been put inside the 1st time) and encrypt the FW when flashing (In the UART ...

The error here points to no legit application binary on the flash. Can you please confirm that you are flashing application binary at either factory/ota_0/ota_1 partition offset?

1.- I imagine that this manual will be valid for any recent version of IDF, I am working with version 5.1.2.??? I ask because it is in the master branch and does not appear in the documentation of the version I use.

Yes, the host based security workflow document should apply to ESP-IDF 5.1.2 ...

Neither of the two chips that I have blocked trying to activate flash encryption and secure boot v2 allow me to connect with espefuse.py

Sorry to hear that. This also confirms that UART DL mode is disabled on these chips. For future experiments, please keep `CONFIG_SECURE_INSECURE_ALLOW_DL_MODE ...

Hello,

Sorry for the delayed reply!

In the instructions you shared, I was unable to see a command to flash the bootloader image. Please note that for secure boot enabled case, the default `idf.py flash` won't flash the bootloader on the device. If you could share more information about the eFuse ...

E (273) flash_encrypt: Flash encryption eFuse bit was not enabled in bootloader but CONFIG_SECURE_FLASH_ENC_ENABLED is on


This error indicates that the flash encryption is not yet enabled on this device. Maybe the device was power cycled interim the bootloader was enabling the flash encryption ...