esp32c3 NVS encryption (HMAC), secure encryption

[mejhaMA]

Hello,

I was going through documentation of NVS encryption based on HMAC (URL: https://docs.espressif.com/projects/esp ... externally) and I'm having some questions.

Our customer would like to flash esp32c3 devices on their own and we would like to provide all of the necessary .bins (app, nvs, partition table, bootlaoder,...). If our customer generates HMAC and NVS encryption keys, then sends us NVS encryption key and we encrypt NVS with it, will customer be able to decrypt our NVS?
We would like to keep our NVS enrypted and secure, that even customer cannot decrypt it, because it contains sensitive data.
Is there a way to encrypt NVS so that customer cannot decrypt it? So that only esp32c3 will be able to decrypt it?

Thank you in advance.
Miha

[MicroController]

I don't think that's (cryptographically) possible. For one, the ESP's HMAC seems to be based on a shared secret, so symmetrical, i.e. whatever knowledge is needed for HMAC-based encryption is also sufficient for decryption.
And secondly, as long as the other party provides a key for encryption you have no way of ensuring they don't also have access to the decryption key. (Unless you have some root-of-trust (device, "token"...) by which asymmetric (public) keys are verifiably issued to the other party w/o also making the private keys accessible to them.)

If you could generate and burn your own (secret) key into the eFuses before handing the devices over to the other party for flashing/whatever, this could be made into a secure protocol.

Short of that, I think obfuscation is the best you can do, which may or may not be sufficient for your attack scenario.

[mejhaMA]

Thank you for the answer.
That was exacly what I was thinking, but I was not sure.

So what exactly is purpose of HMAC?
Why would one use it over NVS encryption based on Flash encryption, beside that it is more secure?

[MicroController]

What I can find: viewtopic.php?f=13&t=28715&start=10#p131173