docs/guides/esp32/flash_nvs_encryption.md - third_party/github/project-chip/connectedhomeip - Git at Google

 # Flash and NVS encryption

 Below is the quick start guide for encrypting the application and factory
 partition but before proceeding further please READ THE DOCS FIRST.
 Documentation References:

 -   [Flash Encryption](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html)
 -   [NVS Encryption](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#nvs-encryption)

 ## Enable flash and NVS encryption some factory settings using `idf.py menuconfig`

 -   Enable the Flash encryption [Security features → Enable flash encryption on
     boot]
 -   The NVS Encryption is enabled by default when Flash Encryption is enabled,
     [Component config → NVS → Enable NVS encryption]
 -   Use `partitions_encrypted.csv` partition table [Partition Table → Custom
     partition CSV file]

 Please enable the below options if you want to use ESP32 Factory Data Provider

 -   Enable ESP32 Factory Data Provider [Component config → CHIP Device Layer →
     Commissioning options → Use ESP32 Factory Data Provider]
 -   Enable ESP32 Device Instance Info Provider [Component config → CHIP Device
     Layer → Commissioning options → Use ESP32 Device Instance Info Provider]

 ## Generate the factory partition using `generate_esp32_chip_factory_bin.py` script

 -   Please check [generating factory data guide](factory_data.md) for various
     available factory data options
 -   Provide `-e` option along with other options to generate the encrypted
     factory partition
 -   Two partition binaries will be generated `factory_partition.bin` and
     `keys/nvs_key_partition.bin`

 ## Flashing the application, factory partition, and nvs keys

 -   Flash the application using `idf.py flash`.

     NOTE: If not flashing for the first time you will have to use
     `idf.py encrypted-flash`

 -   Flash the factory partition, this SHALL be non encrypted write as NVS
     encryption works differently

 ```
 esptool.py -p (PORT) write_flash 0x9000 path/to/factory_partition.bin
 ```

 -   Encrypted flash the nvs keys partition

 ```
 esptool.py -p (PORT) write_flash --encrypt 0x317000 path/to/nvs_key_partition.bin
 ```

 NOTE: Above command uses the default addressed printed in the boot logs
	# Flash and NVS encryption

	Below is the quick start guide for encrypting the application and factory
	partition but before proceeding further please READ THE DOCS FIRST.
	Documentation References:

	- [Flash Encryption](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html)
	- [NVS Encryption](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#nvs-encryption)

	## Enable flash and NVS encryption some factory settings using `idf.py menuconfig`

	- Enable the Flash encryption [Security features → Enable flash encryption on
	boot]
	- The NVS Encryption is enabled by default when Flash Encryption is enabled,
	[Component config → NVS → Enable NVS encryption]
	- Use `partitions_encrypted.csv` partition table [Partition Table → Custom
	partition CSV file]

	Please enable the below options if you want to use ESP32 Factory Data Provider

	- Enable ESP32 Factory Data Provider [Component config → CHIP Device Layer →
	Commissioning options → Use ESP32 Factory Data Provider]
	- Enable ESP32 Device Instance Info Provider [Component config → CHIP Device
	Layer → Commissioning options → Use ESP32 Device Instance Info Provider]

	## Generate the factory partition using `generate_esp32_chip_factory_bin.py` script

	- Please check [generating factory data guide](factory_data.md) for various
	available factory data options
	- Provide `-e` option along with other options to generate the encrypted
	factory partition
	- Two partition binaries will be generated `factory_partition.bin` and
	`keys/nvs_key_partition.bin`

	## Flashing the application, factory partition, and nvs keys

	- Flash the application using `idf.py flash`.

	NOTE: If not flashing for the first time you will have to use
	`idf.py encrypted-flash`

	- Flash the factory partition, this SHALL be non encrypted write as NVS
	encryption works differently

	```
	esptool.py -p (PORT) write_flash 0x9000 path/to/factory_partition.bin
	```

	- Encrypted flash the nvs keys partition

	```
	esptool.py -p (PORT) write_flash --encrypt 0x317000 path/to/nvs_key_partition.bin
	```

	NOTE: Above command uses the default addressed printed in the boot logs