Protect Arduino Sketch on ESP32 via flash encryption

I want to prevent my code against flash reading. I find in the manual of the esp32 the possibility “flash encryption”.

Is that the right way to protect my code against read access?

How can I enable this? I am using the arduine framework on PalttformIO.

Is a manual or a code example available?

Best regards

Related topic: ESP32 Secure Boot

Where did you see a guide for Arduino-ESP32? All I see is a very long issue with homebrew solutions which might or might not brick your ESP32 if it goes wrong.

I am looking for a example that is working. Could you help me? A homebrew solutions is ok, if it’s work :slight_smile:

Maybe is there another solution to protect a code against reading?

Since this problem doesn’t seem to properly solved within Arduino-ESP32 (issue is still open), I would first ask for an official guide from the developers (via comment in issue or new issue etc); PIO can then integrate that. But it has to exist in the first place :sweat_smile:


my goal is only to protect my code against flash reading. Therefore I am thinking the “Secure Boot” is not necessary. In my opinion is what I need is only the flash encryption in development mode. In this case it is possible to flash the chip again with a new sketch, but the sketch is encrypted and the secret key is protected. What do you think about?

I am following this manual: Flash Encryption - ESP32 - — ESP-IDF Programming Guide latest documentation → Using Host Generated Flash Encryption Key:


  1. Burn with the FLASH_CRYPT_CONFIG to 0xF (“ burn_efuse FLASH_CRYPT_CONFIG 0xf”)

  2. Generate with “ generate_flash_encryption_key my_flash_encryption_key.bin” a key

  3. Burn with “ --port PORT burn_key flash_encryption my_flash_encryption_key.bin” the key in the esp32

  1. Configure in the “Hello World” example (or another esp-idf exampel) the Bootloader with “ menuconfig”:
  • “Enable flash encryption on boot” in Development Mode.

  • Maybe change “Potentially insecure options”: I do not know which configuration I needed in “Potentially insecure options” (maybe all on?)

  • Maybe change Partition Table, to prevent errors because the bigger bootloader? But i am not sure how this work

  1. Flash with “ flash monitor” the “Hello World” sketch

  2. Generate with PlattformIO the bin-file for flashing of my arduino Sketch (Is this possible???)

  3. Encrypt with “ encrypt_flash_data” and the key the bin-file

  4. Flash with “ encrypted-app-flash monitor” the bin-file (this should be flash only the app, not the bootloader

  5. Now should be the a bootloader with “flash encryption on” and my arduino sketsh on the esp-32. Done!

I did not try anything of this! Is only a consideration. What do you think?

Picture to Point 4:

Picture to Point 4:

Picture to Point 4 - Partition Table:

I think I need a custom partition with the settings of the arduino default.csv.

But I am missing the “phy_init”. I think this is the size of the bootloader…

Hello Tom, It’s exactly what i try to do too !
i have tried this way, without success…
Did you have any news, try, advice, experience to share ?
Thanks !

Hello everyone,

I am also trying to do this, but using the esp-idf framework.

Are there any updates about this topic? I see the github issue is still open.


After days of trials I have realized that the easiest solution is just to do as explained in this post:

Basically with esp idf you just need to create a bootloader that suits your esp32 (select the flash frequency and the flash size) with the crypt flag enabled as relase (and ‘none’ set as bootloader log info) and replace the file in the Arduino bootloader folder you find at:
Upload your sketch with Arduino as normal and after wait 2min 30s and you will see the flash will be encrypted with a randomly generated key.
Be careful when you do the bootloader file renaming, make sure you always restore the old bootloader when you have done the encrytion.
To check if the flash is encrypted include the following condition in your Arduino project in the setup function.
#include “esp_flash_encrypt.h” //encryption check

    Serial.println("Flash encryption enabled");
  } else {
    Serial.println("Flash encryption disabled");

Can I do a fota update if flash in encrypted? Thanks @pedros89

Yes of course. I do it myself with this repo all ready:

But you cannot update anymore via serial USB, it will brick the esp32, only OTA will work for updates.

1 Like

Ok @pedros89 thanks for sharing… Do you have some example about how to encrypt the flash or spiff with the arduino framework?

Thanks again

To encrypt the flash of esp32 it is enought that you programme the esp32 with a bootloader that encrypts
See this guide.

It will not encrypt spiffs or virtual EEPROM

dear @pedros89 ok but once the flash is encrypted can i use the previous project you posted for updating the flash ?
I don’t know if it is clear what i mean

Yes you can. Your app updated via OTA will update and still be encrypted with your new firmware version.

1 Like

@pedros89 great work really… last question … when you encrypt the flash where is stored the key that is used for the encryption… thanks again for your amazing work

Unfortunately if you do like this the boot will automatically create a random key to encrypt the flash when you flash the esp from USB, it will take around 2 min to encrypt, and at the end of the process if you power up again your flash will be encrypted, but you will not know the key. From IDF console you can digit COM5 summary
Obviously putting your com and you will see the line with all ??? That is the key but it is not showed. Nobody will know it. You will only be able to update via OTA, if you’ll try from USB you will brick your esp.

1 Like

Dear @pedros89 thanks a lot for explain
when you say
You will only be able to update via OTA,.
so when the time to update the firmware comes it is able to automatic decrypt the flash and starting the update?
When you say that the random key is generated ok it is clear but then where is stored this key used for encrypting the flash?
the point is if someone tries to retrieve the key used for encryption is it possible to get it or not?