Since this problem doesn't seem to be properly solved within Arduino-ESP32 (the issue is still open), I would first ask for an official guide from the developers (via a comment in the issue or a new issue, etc.); PIO can then integrate that. But it has to exist in the first place.
My goal is only to protect my code against flash reading. Therefore I think "Secure Boot" is not necessary. In my opinion, what I need is only flash encryption in development mode. In this case it is possible to flash the chip again with a new sketch, but the sketch is encrypted and the secret key is protected. What do you think about it?
After days of trials I have realized that the easiest solution is just to do as explained in this post:
Basically, with ESP-IDF you just need to create a bootloader that suits your ESP32 (select the flash frequency and the flash size) with the encryption flag enabled as release (and 'none' set as the bootloader log level) and replace the file in the Arduino bootloader folder you find at:
Upload your sketch with Arduino as normal, then wait 2 min 30 s and you will see that the flash has been encrypted with a randomly generated key.
Be careful when you rename the bootloader file; make sure you always restore the old bootloader once you have done the encryption.
To check if the flash is encrypted, include the following condition in the setup function of your Arduino project. #include "esp_flash_encrypt.h" //encryption check
Unfortunately, if you do it like this the bootloader will automatically create a random key to encrypt the flash when you flash the ESP from USB. It will take around 2 min to encrypt, and at the end of the process, if you power up again, your flash will be encrypted, but you will not know the key. From the IDF console you can type espefuse.py COM5 summary
Obviously, put your own COM port, and you will see a line with all ???. That is the key, but it is not shown. Nobody will know it. You will only be able to update via OTA; if you try from USB you will brick your ESP.
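As an added example (not code from the post above or from the Arduino-ESP32 project), here is a complete sketch that performs the check mentioned in the post: it reports at boot whether flash encryption is active and whether the chip is in development or release mode. It assumes the Arduino-ESP32 core built on an ESP-IDF version that exposes esp_flash_encryption_enabled() and esp_get_flash_encryption_mode() from esp_flash_encrypt.h (IDF 4.x and later); the helper names flashEncModeName and reportFlashEncryption are my own.

```arduino
// Added example (not from the thread): report the ESP32 flash-encryption
// state at boot. Assumes the Arduino-ESP32 core, which exposes the ESP-IDF
// esp_flash_encrypt.h API (esp_get_flash_encryption_mode needs IDF >= 4.0).
#include "esp_flash_encrypt.h"

// Map the IDF mode enum to a readable string (helper name is my own).
static const char *flashEncModeName(esp_flash_enc_mode_t mode) {
  switch (mode) {
    case ESP_FLASH_ENC_MODE_DISABLED:    return "disabled";
    case ESP_FLASH_ENC_MODE_DEVELOPMENT: return "development";
    case ESP_FLASH_ENC_MODE_RELEASE:     return "release";
    default:                             return "unknown";
  }
}

// Returns true only when the flash is encrypted; prints the details either way.
static bool reportFlashEncryption() {
  const bool enabled = esp_flash_encryption_enabled();
  const esp_flash_enc_mode_t mode = esp_get_flash_encryption_mode();

  Serial.printf("Flash encryption: %s (mode: %s)\n",
                enabled ? "ENABLED" : "DISABLED", flashEncModeName(mode));

  if (enabled && mode == ESP_FLASH_ENC_MODE_DEVELOPMENT) {
    // Development mode: the bootloader may still accept a limited number of
    // plaintext re-flashes over serial, so this is not the final hardened state.
    Serial.println("Warning: development mode, serial re-flash still possible");
  }
  return enabled;
}

void setup() {
  Serial.begin(115200);
  delay(500);  // give the USB serial port time to come up
  if (!reportFlashEncryption()) {
    Serial.println("Flash is NOT encrypted: firmware can be read back over serial");
  }
}

void loop() {
  delay(1000);
}
```

Run it once right after the first upload (before the bootloader has finished encrypting) and again after the power cycle described in the post; the first run should report DISABLED and the second ENABLED with the mode that the bootloader configuration selected.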
Dear @pedros89, thanks a lot for the explanation.
When you say "You will only be able to update via OTA"...
So when the time to update the firmware comes, is it able to automatically decrypt the flash and start the update?
When you say that the random key is generated, OK, it is clear, but then where is this key used for encrypting the flash stored?
The point is: if someone tries to retrieve the key used for encryption, is it possible to get it or not?