Flash encryption and boot secure with esptool

[ctacb_]

Good afternoon.

As i understood esp32's protect separated on two parts:
1 - My programm can be encrypted by espsecure (esptool script), and then decrypted by esp32 using key saved at block_1 fuse before.
2 - Bootloader secure it's something hard. I can't understand it at this moment.

So to secure my programm with Flash encryption i do:

1 - espsecure.py generate_flash_encryption_key key.bin
2 - espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption key.bin
3 - espsecure encrypt_flash_data --keyfile key.bin --address 0x10000 -o my-app-encrypted.bin my-app.bin
4 - flash my-app-encrypted.bin to the esp32.

All's right?

If i'm fine, pls, explain about bootloader secure?
How it's works.
What to do in step by step.

I will be very grateful!

[WiFive]

No, you only do steps 3&4 to update the app.

https://docs.espressif.com/projects/esp ... ption.html
https://docs.espressif.com/projects/esp ... -boot.html

[ctacb_]

No, you only do steps 3&4 to update the app

Sorry, i don't understand?
Can you please quote text that you did answered?

[ESP_Angus]

Hi ctacb,

If you're pre-generating the key then the steps for flash encryption are the ones shown here:
https://docs.espressif.com/projects/esp ... yption-key

For the first boot, you generate a key and flash with espefuse.py (steps 1 & 2 in your post) then you flash a plaintext bootloader and plaintext app with "esptool.py write_flash ...". The app will encrypt its own flash on first boot (this includes the app and the bootloader).

After the first boot, to update the app again you build the new and app and then encrypt it on the host and flash the encrypted .bin file (steps 3 & 4 in your post). (This part in the docs.)

You will probably also want to enable secure boot to prevent unauthorized code being booted. This is done separately, see https://docs.espressif.com/projects/esp ... -boot.html

[ctacb_]

Thx you ESP_Angus