Chapter 4. API Guides
   espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin

   else if Size of generated AES-XTS key is AES-256 (512-bit key):

   espsecure.py generate_flash_encryption_key --keylen 512 my_flash_encryption_key.bin

3. Before the first encrypted boot, burn the key into your device's eFuse using the command below. This action can be done only once.

   espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin KEYPURPOSE

   where BLOCK is a free key block between BLOCK_KEY0 and BLOCK_KEY5, and KEYPURPOSE is one of XTS_AES_256_KEY_1, XTS_AES_256_KEY_2 or XTS_AES_128_KEY. See ESP32-S2 Technical Reference Manual for a description of the key purposes.

   For AES-128 (256-bit key) - XTS_AES_128_KEY:

   espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin XTS_AES_128_KEY

   For AES-256 (512-bit key) - XTS_AES_256_KEY_1 and XTS_AES_256_KEY_2. espefuse.py supports burning both of these key purposes together with a 512-bit key to two separate key blocks via the virtual key purpose XTS_AES_256_KEY. When this is used, espefuse.py burns the first 256 bits of the key to the specified BLOCK and sets that block's key purpose to XTS_AES_256_KEY_1; the last 256 bits of the key are burned to the first free key block after BLOCK, and that block's key purpose is set to XTS_AES_256_KEY_2.

   espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin XTS_AES_256_KEY

   If you wish to specify exactly which two blocks are used, it is possible to divide the key into two 256-bit keys and manually burn each half with XTS_AES_256_KEY_1 and XTS_AES_256_KEY_2 as key purposes:

   split -b 32 my_flash_encryption_key.bin my_flash_encryption_key.bin.
   espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin.aa XTS_AES_256_KEY_1
   espefuse.py --port PORT burn_key BLOCK+1 my_flash_encryption_key.bin.ab XTS_AES_256_KEY_2

   If the key is not burned and the device is started after enabling flash encryption, the ESP32-S2 will generate a random key that software cannot access or modify.

4. In Project Configuration Menu, do the following:
   • Enable flash encryption on boot
   • Select encryption mode (Development mode by default)
   • Select the appropriate bootloader log verbosity
   • Save the configuration and exit.

   Enabling flash encryption increases the size of the bootloader, which might require updating the partition table offset. See Bootloader Size.

5. Run the command given below to build and flash the complete images.

   idf.py flash monitor

   Note: This command does not include any user files which should be written to the partitions on the flash memory. Please write them manually before running this command; otherwise the files should be

Espressif Systems  1349  Release v4.4
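Because the eFuse burn in step 3 can be done only once, it is worth checking the host-generated key file and the block/key-purpose mapping before espefuse.py is ever run. The following is an added example, not code from the ESP-IDF guide or from espefuse.py: it rejects malformed key files, derives the (block, key purpose, half) plan for both the 256-bit and 512-bit cases following the manual two-block procedure above, and renders the corresponding espefuse.py command lines. The weak-key checks are this example's own assumptions; PORT and my_flash_encryption_key.bin are the guide's placeholders.

```python
AES128_KEY_LEN = 32  # XTS-AES-128: 256-bit key, burned to one key block
AES256_KEY_LEN = 64  # XTS-AES-256: 512-bit key, burned to two key blocks
FIRST_KEY_BLOCK, LAST_KEY_BLOCK = 0, 5  # BLOCK_KEY0 .. BLOCK_KEY5


def check_key(key: bytes) -> str:
    """Return "AES-128" or "AES-256" for a usable key file, else raise.

    Burning is one-shot, so reject broken key files before espefuse.py runs:
    wrong length, all-zero/all-ones content, or a 512-bit key whose two
    halves are identical (typically a duplicated 256-bit file). Assumed checks.
    """
    if len(key) not in (AES128_KEY_LEN, AES256_KEY_LEN):
        raise ValueError(f"key must be 32 or 64 bytes, got {len(key)}")
    if key in (bytes(len(key)), b"\xff" * len(key)):
        raise ValueError("key is all-zero or all-ones")
    if len(key) == AES256_KEY_LEN and key[:32] == key[32:]:
        raise ValueError("both 256-bit halves of the key are identical")
    return "AES-128" if len(key) == AES128_KEY_LEN else "AES-256"


def burn_plan(key: bytes, block: int) -> list:
    """Map a checked key to (eFuse key block, key purpose, key bytes) triples.

    Follows the manual two-block procedure: first 256 bits -> BLOCK as
    XTS_AES_256_KEY_1, last 256 bits -> BLOCK+1 as XTS_AES_256_KEY_2.
    Assumes BLOCK+1 is free (the virtual XTS_AES_256_KEY purpose would
    pick the first free block after BLOCK instead).
    """
    mode = check_key(key)
    if not FIRST_KEY_BLOCK <= block <= LAST_KEY_BLOCK:
        raise ValueError(f"BLOCK_KEY{block} is not a key block")
    if mode == "AES-128":
        return [(f"BLOCK_KEY{block}", "XTS_AES_128_KEY", key)]
    if block == LAST_KEY_BLOCK:
        raise ValueError("a 512-bit key needs a free key block after BLOCK")
    return [(f"BLOCK_KEY{block}", "XTS_AES_256_KEY_1", key[:32]),
            (f"BLOCK_KEY{block + 1}", "XTS_AES_256_KEY_2", key[32:])]


def espefuse_commands(plan, port="PORT", key_file="my_flash_encryption_key.bin"):
    """Render a burn plan as the espefuse.py command lines used in the guide.

    A two-entry plan uses the KEY.aa / KEY.ab names that `split -b 32 KEY KEY.`
    produces for the two halves.
    """
    files = [key_file] if len(plan) == 1 else [f"{key_file}.aa", f"{key_file}.ab"]
    return [f"espefuse.py --port {port} burn_key {blk} {path} {purpose}"
            for (blk, purpose, _), path in zip(plan, files)]
```

Run check_key and burn_plan on the file produced by espsecure.py and compare the rendered commands against the blocks you intend to use before burning.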