ESP32 - Invalid Header after Flash encryption
Introduction
To see what is possible and to make my projects safer, I started activating flash encryption on my development systems. That way people with physical access to my devices can no longer simply read the data (e.g. the WiFi password) out of the flash; especially for devices that are not within my own four walls this is a big step towards security.
Unfortunately, encryption is one of those topics where you have to look a little closer. This post shows the mistake I made when I had just activated flash encryption and suddenly nothing worked any more.
Main part
First of all, how to activate flash encryption in the first place.
Activation happens via the so-called menuconfig within esp-idf, which is started with the following command:
idf.py menuconfig
Once in the menu, go to Security features and enable the setting "Enable flash encryption on boot (READ DOCS FIRST)". The "READ DOCS FIRST" is meant seriously and is strongly recommended, even though this post summarizes a large part of the warnings.
It is important here that the "Usage Mode" (directly below) is set to "Development (NOT SECURE)". That only applies when the board is meant for development; if it is intended for a production device, then of course set it to "Release". Be aware that the encryption can only be disabled again in Development mode, and only 3 times per device: each disable burns one more bit of the FLASH_CRYPT_CNT eFuse, and eFuse bits can never be cleared, so after the third disable the counter is used up and the encryption can never be switched off again (the same goes for the encryption key in eFuse, which cannot be changed either).
The problem
Now to the point, because the following kept me busy for several hours before I noticed that in the end VS Code was the cause of the problem.
As soon as encryption is activated, the ESP32 no longer accepts unencrypted images, i.e. it has to be flashed encrypted. This is where my problem came from: if you press the normal GUI flash button in VS Code, the project is built without any encryption and immediately flashed, which leaves an invalid image in the microcontroller. When the microcontroller boots, the hardware decrypts everything it reads from flash with the key; since the data was never encrypted, the result is garbage, the image header cannot be read, and the boot log shows an error like the one I got:
invalid header: 0xb7da73fc
Solutions
To get either a usable unencrypted image or an encrypted binary onto the flash, there are several possibilities.
1. Possibility - Flash an encrypted image
If you have just activated encryption, you should try to flash the project as an encrypted binary using idf.py. In my case this solved the problem, because the flash button can only flash unencrypted (although you can of course adjust the command it runs).
To flash encrypted, the following command is used (idf.py encrypted-app-flash does the same for the app partition only). This only works while flash encryption is active in Development mode: in Release mode the UART download path can no longer write encrypted data, so the device is then only updated via OTA.
idf.py encrypted-flash
2. Possibility - Disable flash encryption via eFuse
As written above, in Development mode flash encryption can be disabled up to three times per device. This is done with espefuse.py; the following command burns one more bit of the counter and disables the encryption again (each burn is permanent):
espefuse.py burn_efuse FLASH_CRYPT_CNT
It is important that flash encryption is disabled in menuconfig beforehand! Otherwise the bootloader of the next image sees an even counter while its configuration asks for encryption, burns the next bit and switches the encryption straight back on, using up one of the three disables for nothing.
3. Possibility - Erase the flash memory (if only the build is faulty)
To erase the flash memory of the ESP, the following command can be used. Note that this only clears the flash contents; the eFuses (FLASH_CRYPT_CNT and the key) are untouched, so the encryption stays active and the next image still has to be written with idf.py encrypted-flash.
idf.py erase-flash
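To tie the cause of the invalid header and the three possibilities together, here is a small pre-flight script. It is an added example, not code from the original post or from esp-idf. It assumes the sdkconfig option names CONFIG_SECURE_FLASH_ENC_ENABLED and CONFIG_SECURE_FLASH_ENCRYPTION_MODE_*, that the eFuse summary text has the shape printed by espefuse.py summary (a "(0b...)" suffix on the FLASH_CRYPT_CNT line), that the image is an esp-idf app or bootloader image whose first byte is the image magic 0xE9, and that the chip is an ESP32 with a 7-bit FLASH_CRYPT_CNT. The demo inputs at the bottom are constructed so it runs without hardware; on a real device you would feed it the output of espefuse.py summary and the build/app.bin.

```shell
#!/bin/sh
# Added example (not from the original post or esp-idf): decide whether a build
# may be written in plaintext or must go through `idf.py encrypted-flash`, and
# report how many disables the device has left. Assumptions: esp-idf sdkconfig
# option names, `espefuse.py summary` line format with a "(0b...)" suffix,
# image magic byte 0xE9, and an ESP32 whose FLASH_CRYPT_CNT has 7 bits.

# What the build configuration asks for: off, development or release.
config_mode() {
    grep -q '^CONFIG_SECURE_FLASH_ENC_ENABLED=y' "$1" || { echo off; return 0; }
    if grep -q '^CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y' "$1"; then
        echo release
    else
        echo development
    fi
}

# Number of set bits in a binary counter string, e.g. "0000011" -> 2.
popcount_bits() {
    ones=$(printf '%s' "$1" | tr -cd '1')
    printf '%s\n' "${#ones}"
}

# Pull the binary FLASH_CRYPT_CNT value out of `espefuse.py summary` output.
flash_crypt_cnt_bits() {
    printf '%s\n' "$1" | sed -n 's/^FLASH_CRYPT_CNT.*(0b\([01]*\)).*/\1/p' | head -n 1
}

# The hardware treats flash as encrypted when an odd number of counter bits
# is burned. Prints encrypted, plaintext or unknown (and fails on unknown).
device_state() {
    bits=$(flash_crypt_cnt_bits "$1")
    [ -n "$bits" ] || { echo unknown; return 1; }
    if [ $(( $(popcount_bits "$bits") % 2 )) -eq 1 ]; then
        echo encrypted
    else
        echo plaintext
    fi
}

# Disables still possible in Development mode: each disable burns one bit and
# the bootloader burns one more when it re-enables, so with n bits burned
# (7 - n) / 2 disables remain (1 -> 3, 3 -> 2, 5 -> 1, 7 -> 0).
disables_left() {
    bits=$(flash_crypt_cnt_bits "$1")
    [ -n "$bits" ] || { echo unknown; return 1; }
    echo $(( (7 - $(popcount_bits "$bits")) / 2 ))
}

# A plaintext esp-idf image starts with 0xE9; once encrypted that byte is
# effectively random, so a leading 0xE9 means "not encrypted yet".
is_plaintext_image() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = e9 ]
}

# Print the idf.py command that leaves a bootable flash, or fail with a reason.
# Writing a plaintext image to an encrypted device is exactly what produces
# "invalid header: 0x..." on the next boot.
flash_command() {
    summary=$1; image=$2
    if ! is_plaintext_image "$image"; then
        echo "refusing: $image does not start with 0xE9 (already encrypted, or not an esp-idf image)" >&2
        return 1
    fi
    case "$(device_state "$summary")" in
        encrypted) echo "idf.py encrypted-flash" ;;  # esptool writes with --encrypt
        plaintext) echo "idf.py flash" ;;            # first boot encrypts in place if configured
        *) echo "refusing: FLASH_CRYPT_CNT not found in the eFuse summary" >&2; return 1 ;;
    esac
}

# Full report for one build/device pair.
preflight() {
    sdkconfig=$1; summary=$2; image=$3
    mode=$(config_mode "$sdkconfig")
    echo "build asks for: $mode"
    echo "device state:   $(device_state "$summary"), disables left: $(disables_left "$summary")"
    if [ "$mode" = release ] && [ "$(device_state "$summary")" = plaintext ]; then
        echo "warning: first boot burns the Release eFuses; afterwards the device is only updated via OTA" >&2
    fi
    echo "flash with:     $(flash_command "$summary" "$image")"
}

# Constructed demo inputs (no hardware needed): a sdkconfig fragment in
# Development mode, a summary line as printed for a device on which the
# bootloader has burned FLASH_CRYPT_CNT once, and a stand-in app.bin.
DEMO_DIR=$(mktemp -d)
printf 'CONFIG_SECURE_FLASH_ENC_ENABLED=y\nCONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y\n' > "$DEMO_DIR/sdkconfig"
DEMO_SUMMARY='FLASH_CRYPT_CNT (BLOCK0)    Flash encryption mode counter    = 1 R/W (0b0000001)'
printf '\351\003\002\040\100\033\000\001' > "$DEMO_DIR/app.bin"
preflight "$DEMO_DIR/sdkconfig" "$DEMO_SUMMARY" "$DEMO_DIR/app.bin"
rm -rf "$DEMO_DIR"
```

The VS Code button from the main part corresponds to always running "idf.py flash"; the script instead answers "idf.py encrypted-flash" as soon as the counter is odd, and refuses a file that does not start with 0xE9 so that an already encrypted image is not encrypted a second time.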