Pre encrypted firmware over OTA

Postby jojojijijojo » Sun Jul 03, 2022 1:39 pm

Hi,

Assuming that you have to publish the binary files publicly online, is it possible to pre-encrypt the binary file using a pre-generated key and use that to update a flash-encryption-enabled ESP32 using OTA?

Re: Pre encrypted firmware over OTA

Postby ESP_Sprite » Mon Jul 04, 2022 2:18 am

In theory yes, however it is not advised to do so, as retrieving the encryption key for one device will lead to all devices being compromised. I'm not sure to what extent ESP-IDF supports this.

Re: Pre encrypted firmware over OTA

Postby jojojijijojo » Mon Jul 04, 2022 4:50 am

Thank you @ESP_Sprite for your reply.

If I understand correctly, if flash encryption is enabled on an ESP32 device, does it expect all future OTA binary files to be in plain text or to be pre-encrypted? And how does it differentiate between the two cases?

Re: Pre encrypted firmware over OTA

Postby axellin » Mon Jul 04, 2022 5:23 am


Re: Pre encrypted firmware over OTA

Postby jojojijijojo » Mon Jul 04, 2022 5:27 am

Thanks, I already went through the new pre_encrypted_ota, but I cannot tell if it works with flash encryption. The way I understand it is that pre_encrypted_ota is used to encrypt OTA binaries during transport, and then they are decrypted on the device as plaintext, which is the opposite of flash encryption, where we want encrypted OTA binaries during transport and encrypted flash on the device.

Re: Pre encrypted firmware over OTA

Postby axellin » Tue Jul 05, 2022 2:32 am

It should work.
