diff --git a/docs/en/security/flash-encryption.rst b/docs/en/security/flash-encryption.rst index bf636b76f7..cb4e5aafd7 100644 --- a/docs/en/security/flash-encryption.rst +++ b/docs/en/security/flash-encryption.rst @@ -17,17 +17,6 @@ Introduction Flash encryption is intended for encrypting the contents of the {IDF_TARGET_NAME}'s off-chip flash memory. Once this feature is enabled, firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout of flash will not be sufficient to recover most flash contents. -With flash encryption enabled, the following types of data are encrypted by default: - -- Firmware bootloader -- Partition Table -- All "app" type partitions - -Other types of data can be encrypted conditionally: - -- Any partition marked with the ``encrypted`` flag in the partition table. For details, see :ref:`encrypted-partition-flag`. -- Secure Boot bootloader digest if Secure Boot is enabled (see below). - .. only:: esp32 :doc:`Secure Boot ` is a separate feature which can be used together with flash encryption to create an even more secure environment. @@ -40,6 +29,24 @@ Other types of data can be encrypted conditionally: Enabling flash encryption limits the options for further updates of {IDF_TARGET_NAME}. Before using this feature, read the document and make sure to understand the implications. +.. _encrypted-partitions: + +Encrypted Partitions +-------------------- + +With flash encryption enabled, the following types of data are encrypted by default: + +- Firmware bootloader +- Partition Table +- :ref:`nvs_encr_key_partition` +- Otadata +- All "app" type partitions + +Other types of data can be encrypted conditionally: + +- Any partition marked with the ``encrypted`` flag in the partition table. For details, see :ref:`encrypted-partition-flag`. +- Secure Boot bootloader digest if Secure Boot is enabled (see below). + .. _flash-encryption-efuse: Relevant eFuses 
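Review bot: In the second hunk, the new ``:ref:`nvs_encr_key_partition``` cross-reference only resolves if a label with exactly that name is defined in the NVS encryption documentation; this patch does not add one, so confirm it exists, otherwise Sphinx emits an undefined-label warning and the list item renders without a link. The two lists should also be made self-consistent: the default-encrypted list now names ``Otadata`` and the NVS key partition, while the conditional list still says "Any partition marked with the ``encrypted`` flag", so a reader may wonder whether those two data partitions need the flag; a short clause on the default list such as "regardless of the ``encrypted`` flag" would settle it. Minor style point: "Otadata" names a partition subtype, so writing it as ``otadata`` in literal markup would match how ``encrypted`` is rendered two lines below.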
diff --git a/docs/zh_CN/security/flash-encryption.rst b/docs/zh_CN/security/flash-encryption.rst index a1a60cd6cd..740789002f 100644 --- a/docs/zh_CN/security/flash-encryption.rst +++ b/docs/zh_CN/security/flash-encryption.rst @@ -17,17 +17,6 @@ flash 加密 flash 加密功能用于加密与 {IDF_TARGET_NAME} 搭载使用的片外 flash 中的内容。启用 flash 加密功能后,固件会以明文形式烧录,然后在首次启动时将数据进行加密。因此,物理读取 flash 将无法恢复大部分 flash 内容。 -启用 flash 加密后,系统将默认加密下列类型的 flash 数据: - -- 固件引导加载程序 -- 分区表 -- 所有 “app” 类型的分区 - -其他类型的数据将视情况进行加密: - -- 任何在分区表中标有“加密”标志的分区。详情请见 :ref:`encrypted-partition-flag`。 -- 如果启用了安全启动,则可以加密安全启动引导程序摘要(见下文)。 - .. only:: esp32 :doc:`安全启动` 是一个独立的功能,可以与 flash 加密一起使用,从而创建更安全的环境。 @@ -40,6 +29,24 @@ flash 加密功能用于加密与 {IDF_TARGET_NAME} 搭载使用的片外 flash 启用 flash 加密将限制后续 {IDF_TARGET_NAME} 更新。在使用 flash 加密功能前,请务必阅读本文档了解其影响。 +.. _encrypted-partitions: + +Encrypted Partitions +-------------------- + +启用 flash 加密后,系统将默认加密下列类型的 flash 数据: + +- 固件引导加载程序 +- 分区表 +- :ref:`nvs_encr_key_partition` +- Otadata +- 所有 “app” 类型的分区 + +其他类型的数据将视情况进行加密: + +- 任何在分区表中标有“加密”标志的分区。详情请见 :ref:`encrypted-partition-flag`。 +- 如果启用了安全启动,则可以加密安全启动引导程序摘要(见下文)。 + .. _flash-encryption-efuse: 相关 eFuses
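Review bot: In the second hunk of the zh_CN file, the new section title "Encrypted Partitions" is left in English while every neighbouring heading in this file (flash 加密, 相关 eFuses) is translated; it should be translated as well (for example 加密分区) so the zh_CN page does not switch languages at this one heading. When it is translated, keep the ``--------------------`` underline at least as wide as the title's display width, since Sphinx counts CJK characters as double width and a too-short underline is a build warning. The ``.. _encrypted-partitions:`` label itself should stay untranslated so cross-references shared with the English build still resolve.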