Below is the quick start guide for encrypting the application and factory partition, but before proceeding further please READ THE DOCS FIRST. Documentation references:

- Enable flash encryption [Security features → Enable flash encryption on boot]
- NVS encryption is enabled by default when flash encryption is enabled [Component config → NVS → Enable NVS encryption]
- Use the `partitions_encrypted.csv` partition table [Partition Table → Custom partition CSV file]

Please enable the options below if you want to use the ESP32 Factory Data Provider:

- Enable ESP32 Factory Data Provider [Component config → CHIP Device Layer → Commissioning options → Use ESP32 Factory Data Provider]
- Enable ESP32 Device Instance Info Provider [Component config → CHIP Device Layer → Commissioning options → Use ESP32 Device Instance Info Provider]
- Please check the generating factory data guide for the various available factory data options
- Provide the `-e` option along with the other options to generate the encrypted factory partition. Two partition binaries will be generated: `factory_partition.bin` and `keys/nvs_key_partition.bin`
- Flash the application using `idf.py flash`. NOTE: If not flashing for the first time you will have to use `idf.py encrypted-flash`
- Flash the factory partition; this SHALL be a non-encrypted write, as NVS encryption works differently:

  ```shell
  esptool.py -p (PORT) write_flash 0x9000 path/to/factory_partition.bin
  ```

- Encrypted-flash the NVS keys partition:

  ```shell
  esptool.py -p (PORT) write_flash --encrypt 0x317000 path/to/nvs_key_partition.bin
  ```

  NOTE: The above commands use the default addresses printed in the boot logs.
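As an added illustration (not part of this guide or the project's own tooling), the helper below resolves partition offsets from a partition-table CSV instead of hardcoding the addresses above, and emits the two `esptool.py` lines with the factory NVS partition written plain and the `nvs_keys` partition written with `--encrypt`. The sample table, the alignment rules (app 0x10000, data 0x1000, first partition after the table at 0x8000) and the port are constructed assumptions; use your own CSV or the boot log for real addresses.

```python
import csv
from io import StringIO

# Constructed sample table, NOT the project's partitions_encrypted.csv.
SAMPLE_CSV = """\
# Name,   Type, SubType,  Offset,  Size,     Flags
nvs,      data, nvs,      0x9000,  0x6000,
otadata,  data, ota,      ,        0x2000,
phy_init, data, phy,      ,        0x1000,
factory,  app,  factory,  0x20000, 0x2F7000,
nvs_key,  data, nvs_keys, ,        0x1000,   encrypted
"""

def parse_size(text):
    """Accept hex (0x..), decimal, or K/M suffixed values as ESP-IDF tables do."""
    text = text.strip().upper()
    if text[-1:] in ("K", "M"):
        return int(text[:-1]) * (1024 if text[-1] == "K" else 1024 * 1024)
    return int(text, 0)

def parse_partitions(csv_text):
    """Return {name: {offset, size, subtype, encrypted}}, resolving blank offsets.
    Assumed rules: app aligns to 0x10000, data to 0x1000, first free byte is 0x9000."""
    parts, next_free = {}, 0x9000
    for row in csv.reader(StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        name, ptype, subtype, offset, size, flags = [c.strip() for c in (row + [""] * 6)[:6]]
        align = 0x10000 if ptype == "app" else 0x1000
        start = parse_size(offset) if offset else (next_free + align - 1) & ~(align - 1)
        if start < next_free or start % align:  # reject overlap / misalignment
            raise ValueError(f"partition {name!r}: offset {start:#x} overlaps or is misaligned")
        length = parse_size(size)
        parts[name] = {"offset": start, "size": length, "subtype": subtype,
                       "encrypted": "encrypted" in flags.split(":")}
        next_free = start + length
    return parts

def flash_commands(parts, port, factory_bin, keys_bin):
    """Plain write for the factory NVS data, encrypted write for nvs_keys, per the guide."""
    factory = next(p for p in parts.values() if p["subtype"] == "nvs")
    keys = next(p for p in parts.values() if p["subtype"] == "nvs_keys")
    if not keys["encrypted"]:
        raise ValueError("nvs_keys partition must carry the 'encrypted' flag")
    return [
        f"esptool.py -p {port} write_flash {factory['offset']:#x} {factory_bin}",
        f"esptool.py -p {port} write_flash --encrypt {keys['offset']:#x} {keys_bin}",
    ]
```

Calling `flash_commands(parse_partitions(SAMPLE_CSV), "/dev/ttyUSB0", "factory_partition.bin", "keys/nvs_key_partition.bin")` yields the two write lines with the resolved offsets (0x9000 and 0x317000 for the sample table).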