Reading And Writing Data In Encrypted Flash - Espressif ESP32-S2 Programming Manual

Chapter 4. API Guides
espefuse.py -p PORT summary

4.13.7 Reading and Writing Data in Encrypted Flash

ESP32-S2 application code can check if flash encryption is currently enabled by calling
esp_flash_encryption_enabled(). Also, a device can identify the flash encryption mode by calling
esp_get_flash_encryption_mode().
Once flash encryption is enabled, be more careful when accessing flash contents from code.
Scope of Flash Encryption
Whenever the SPI_BOOT_CRYPT_CNT eFuse is set to a value with an odd number of bits set, all flash content accessed
via the MMU's flash cache is transparently decrypted. This includes:
• Executable application code in flash (IROM).
• All read-only data stored in flash (DROM).
• Any data accessed via spi_flash_mmap().
• The firmware bootloader image when it is read by the ROM bootloader.
Important: The MMU flash cache unconditionally decrypts all existing data. Data which is stored unencrypted
in flash memory will also be "transparently decrypted" via the flash cache and will appear to software as random
garbage.
Reading from Encrypted Flash
To read data without using a flash cache MMU mapping, you can use the partition read function
esp_partition_read(). This function will only decrypt data when it is read from an encrypted partition.
Data read from unencrypted partitions will not be decrypted. In this way, software can access encrypted and non-
encrypted flash in the same way.
You can also use the following SPI flash API functions:
• esp_flash_read() to read raw (encrypted) data which will not be decrypted
• esp_flash_read_encrypted() to read and decrypt data
The ROM function SPIRead() can read data without decryption; however, this function is not supported in esp-idf
applications.
Data stored using the Non-Volatile Storage (NVS) API is always stored and read decrypted from the perspective of
flash encryption. It is up to the library to provide an encryption feature if required. Refer to NVS Encryption for more
details.
Writing to Encrypted Flash
It is recommended to use the partition write function esp_partition_write(). This function will only encrypt
data when it is written to an encrypted partition. Data written to unencrypted partitions will not be encrypted. In this
way, software can access encrypted and non-encrypted flash in the same way.
You can also pre-encrypt and write data using the function esp_flash_write_encrypted().
Also, the following ROM functions exist but are not supported in esp-idf applications:
• esp_rom_spiflash_write_encrypted pre-encrypts and writes data to flash
• SPIWrite writes unencrypted data to flash
Since data is encrypted in blocks, the minimum write size for encrypted data is 16 bytes and the alignment is also 16
bytes.
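The 16-byte size and alignment rule above means a caller with an arbitrary-length buffer has to pad the final block before writing. The following is an added example, not code from the manual or from esp-idf: write_encrypted_padded(), the flash_write_fn callback type, the RAM-backed fake_write() and the sample buffer are all hypothetical names constructed here so the logic can run on a host; on a device the callback would wrap esp_partition_write().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENC_BLOCK 16u /* minimum size and alignment of an encrypted write */

/* Hypothetical callback; on a device it would wrap esp_partition_write(). */
typedef int (*flash_write_fn)(void *ctx, size_t off, const void *src, size_t len);

/* Write len bytes at off using only whole, aligned 16-byte blocks.
 * Returns 0 on success, -1 on bad arguments or an unaligned offset,
 * otherwise the callback's error code. */
int write_encrypted_padded(flash_write_fn wr, void *ctx, size_t off,
                           const uint8_t *data, size_t len, uint8_t pad)
{
    if (!wr || !data || len == 0 || off % ENC_BLOCK != 0)
        return -1;
    size_t whole = len - (len % ENC_BLOCK);
    if (whole > 0) {
        int rc = wr(ctx, off, data, whole);
        if (rc != 0)
            return rc;
    }
    if (whole == len)
        return 0;
    uint8_t tail[ENC_BLOCK];            /* last partial block, padded out */
    memset(tail, pad, sizeof tail);
    memcpy(tail, data + whole, len - whole);
    return wr(ctx, off + whole, tail, sizeof tail);
}

/* Constructed host-side stand-in that enforces the same rule as encrypted flash. */
static uint8_t fake_flash[128];
static int fake_write(void *ctx, size_t off, const void *src, size_t len)
{
    (void)ctx;
    if (off % ENC_BLOCK || len % ENC_BLOCK || off + len > sizeof fake_flash)
        return -2;
    memcpy(fake_flash + off, src, len);
    return 0;
}

/* Constructed sample: 20 bytes, not a multiple of 16. */
static const uint8_t sample[20] = "device-config-v1";

int main(void)
{
    int rc = write_encrypted_padded(fake_write, NULL, 32, sample, sizeof sample, 0xFF);
    printf("rc=%d, bytes 48..63 hold tail plus padding\n", rc);
    return rc;
}
```

The padding byte becomes part of the stored block, so the logical length has to be recorded separately if the reader needs to strip it.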
Espressif Systems
Release v4.4
