Flash and NVS encryption

Below is the quick start guide for encrypting the application and factory partition but before proceeding further please READ THE DOCS FIRST. Documentation References:

• Flash Encryption
• NVS Encryption

Enable flash and NVS encryption some factory settings using idf.py menuconfig

• Enable the Flash encryption [Security features → Enable flash encryption on boot]
• The NVS Encryption is enabled by default when Flash Encryption is enabled, [Component config → NVS → Enable NVS encryption]
• Use partitions_encrypted.csv partition table [Partition Table → Custom partition CSV file]

Please enable the below options if you want to use ESP32 Factory Data Provider

• Enable ESP32 Factory Data Provider [Component config → CHIP Device Layer → Commissioning options → Use ESP32 Factory Data Provider]
• Enable ESP32 Device Instance Info Provider [Component config → CHIP Device Layer → Commissioning options → Use ESP32 Device Instance Info Provider]

Generate the factory partition using generate_esp32_chip_factory_bin.py script

• Please check generating factory data guide for various available factory data options
• Provide -e option along with other options to generate the encrypted factory partition
• Two partition binaries will be generated factory_partition.bin and keys/nvs_key_partition.bin

Flashing the application, factory partition, and nvs keys

• Flash the application using idf.py flash.

  NOTE: If not flashing for the first time you will have to use idf.py encrypted-flash

• Flash the factory partition, this SHALL be non encrypted write as NVS encryption works differently

esptool.py -p (PORT) write_flash 0x9000 path/to/factory_partition.bin

• Encrypted flash the nvs keys partition

esptool.py -p (PORT) write_flash --encrypt 0x317000 path/to/nvs_key_partition.bin

NOTE: Above command uses the default addressed printed in the boot logs