How to Enable Flash Encryption After Secure Boot V2 is Enabled?

Vaibhav02
Posts: 32
Joined: Wed Sep 04, 2024 8:09 am

Postby Vaibhav02 » Mon Jun 09, 2025 12:51 pm

Hi all,

I’ve successfully enabled Secure Boot V2 on my ESP32 device using ESP-IDF, and everything is working fine. Now, I want to enable Flash Encryption as the next step in securing my firmware.

I’m referring to the official ESP-IDF documentation:
https://docs.espressif.com/projects/esp ... externally

According to this, the first step to enable flash encryption externally is:

Code:

    esptool.py --port PORT erase_flash

This command erases the entire flash, including the bootloader region (< 0x8000). However, from my understanding, once Secure Boot V2 is enabled and applied, the bootloader cannot be rewritten (as Secure Boot expects a verified bootloader with a valid signature). This raises some concerns:
  • If I erase the flash, including the bootloader, how can I safely re-flash it again, given that Secure Boot V2 is already enforced?
  • Is there a safe workflow for enabling Flash Encryption after Secure Boot V2 is enabled, without violating the secure boot policy or bricking the device?
  • What are the specific challenges or caveats I should be aware of when enabling Flash Encryption after Secure Boot V2?
My goal is to enable both Secure Boot V2 and Flash Encryption, but I’m doing them step-by-step. Any guidance or an updated recommended workflow for this scenario would be appreciated.

Thanks!
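The erase step the post worries about, as an added pre-flight check (example code written for this page, not from the post, the forum or ESP-IDF): it parses a captured `espefuse.py summary` (the sample text below is constructed) to tell whether Secure Boot V2 and flash encryption are already on, and only reports the erase as safe when a signed bootloader image (the path is a hypothetical argument) is on disk to re-flash afterwards. That encodes the relevant fact: Secure Boot V2 does not stop the bootloader region from being rewritten, it requires whatever is written there to carry a signature matching the public-key digest burned in eFuse, so the recovery path after `erase_flash` is re-flashing that signed bootloader. The eFuse field names are assumptions taken from the two ESP32 chip families' espefuse output and should be checked against your own device's summary.

```shell
#!/bin/sh
# Pre-flight check before `esptool.py --port PORT erase_flash` on a device that
# may already have Secure Boot V2 enabled. Added example, not ESP-IDF code.
# ASSUMPTION: the field names below are the ones your chip's
# `espefuse.py summary` prints (SECURE_BOOT_EN / SPI_BOOT_CRYPT_CNT on newer
# chips, ABS_DONE_1 / FLASH_CRYPT_CNT on the original ESP32). Verify them.

# efuse_flag_set SUMMARY FIELD -> exit 0 when FIELD is present in SUMMARY with
# a True/Enable/non-zero value, 1 otherwise. espefuse prints one field per
# line as: NAME (BLOCKn)   description   = VALUE R/W (raw)
efuse_flag_set() {
    summary="$1"
    field="$2"
    printf '%s\n' "$summary" | grep -E "^${field} " \
        | grep -Eq -- '= (True|Enable|0b[01]*1[01]*|[1-9][0-9]*)( |$)'
}

# Secure Boot V2 flag, either chip family.
secure_boot_enabled() {
    efuse_flag_set "$1" SECURE_BOOT_EN || efuse_flag_set "$1" ABS_DONE_1
}

# Flash encryption counter, either chip family.
flash_encryption_enabled() {
    efuse_flag_set "$1" SPI_BOOT_CRYPT_CNT || efuse_flag_set "$1" FLASH_CRYPT_CNT
}

# erase_decision SUMMARY SIGNED_BOOTLOADER -> prints one of:
#   already-encrypted       flash encryption is already on; the "enable
#                           externally" procedure (erase first) does not apply
#   need-signed-bootloader  Secure Boot V2 is on and no signed bootloader
#                           image exists to re-flash after the erase
#   ok                      erase is recoverable: secure boot is off, or the
#                           signed bootloader the eFuse digest accepts is on disk
erase_decision() {
    summary="$1"
    signed_bootloader="$2"
    if flash_encryption_enabled "$summary"; then
        echo already-encrypted
        return 0
    fi
    if secure_boot_enabled "$summary" && [ ! -f "$signed_bootloader" ]; then
        echo need-signed-bootloader
        return 0
    fi
    echo ok
}

# Constructed sample summaries (not captured from a real device).
SUMMARY_FRESH='Security fuses:
SECURE_BOOT_EN (BLOCK0)     Set to enable secure boot                         = False R/W (0b0)
SPI_BOOT_CRYPT_CNT (BLOCK0) Enables flash encryption when 1 or 3 bits are set = Disable R/W (0b000)'

SUMMARY_SB_ONLY='Security fuses:
SECURE_BOOT_EN (BLOCK0)     Set to enable secure boot                         = True R/W (0b1)
SPI_BOOT_CRYPT_CNT (BLOCK0) Enables flash encryption when 1 or 3 bits are set = Disable R/W (0b000)'

SUMMARY_SB_AND_FE='Security fuses:
ABS_DONE_1 (BLOCK0)         Secure boot V2 is enabled for bootloader image    = True R/W (0b1)
FLASH_CRYPT_CNT (BLOCK0)    Flash encryption mode counter                     = 127 R/W (0b1111111)'

# Demo: the situation from the post (Secure Boot V2 on, flash encryption not yet).
# In real use: erase_decision "$(espefuse.py --port PORT summary)" build/bootloader/bootloader-signed.bin
echo "decision: $(erase_decision "$SUMMARY_SB_ONLY" /path/to/bootloader-signed.bin)"
```

The script only reads state and checks for a file; it never runs `erase_flash` itself, so it can be dropped in front of the documented procedure as a guard. If it prints `need-signed-bootloader`, the right move is to locate or rebuild the bootloader signed with the key whose digest is in eFuse before touching the flash.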
