How to Enable Flash Encryption After Secure Boot V2 is Enabled?
Posted: Mon Jun 09, 2025 12:51 pm
Hi all,
I’ve successfully enabled Secure Boot V2 on my ESP32 device using ESP-IDF, and everything is working fine. Now, I want to enable Flash Encryption as the next step in securing my firmware.
I’m referring to the official ESP-IDF documentation:
https://docs.espressif.com/projects/esp ... externally
According to this, the first step to enable flash encryption externally is:

    esptool.py --port PORT erase_flash

This command erases the entire flash, including the bootloader region (< 0x8000). However, from my understanding, once Secure Boot V2 is enabled and applied, the bootloader cannot be rewritten (as Secure Boot expects a verified bootloader with a valid signature). This raises some concerns:

- If I erase the flash, including the bootloader, how can I safely re-flash it again, given that Secure Boot V2 is already enforced?
- Is there a safe workflow for enabling Flash Encryption after Secure Boot V2 is enabled, without violating the secure boot policy or bricking the device?
- What are the specific challenges or caveats I should be aware of when enabling Flash Encryption after Secure Boot V2?

Thanks!