From fe0600b859ac2bddcdbff7aa23409f58ffa3d2f3 Mon Sep 17 00:00:00 2001
From: Marius Vikhammer <marius.vikhammer@espressif.com>
Date: Wed, 14 Jul 2021 18:14:33 +0800
Subject: [PATCH] docs: add note about PSRAM encryption

---
 docs/en/api-guides/external-ram.rst   | 10 ++++++++++
 docs/en/security/flash-encryption.rst |  9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/docs/en/api-guides/external-ram.rst b/docs/en/api-guides/external-ram.rst
index 949bcc0e6a..9cfeb0abb4 100644
--- a/docs/en/api-guides/external-ram.rst
+++ b/docs/en/api-guides/external-ram.rst
@@ -132,6 +132,16 @@ Failure to initialize
     If :ref:`CONFIG_SPIRAM_ALLOW_BSS_SEG_EXTERNAL_MEMORY` is enabled, the option to ignore failure is not available as the linker will have assigned symbols to external memory addresses at link time.
 
 
+.. only:: not esp32
+
+    Encryption
+    ==========
+
+    It is possible to enable automatic encryption for data stored in external RAM. When this is enabled any data read and written through the cache will automatically be encrypted/decrypted by the external memory encryption hardware.
+
+    This feature is enabled whenever flash encryption is enabled. For more information on how to enable and how it works see :doc:`Flash Encryption </security/flash-encryption>`.
+
+
 .. only:: esp32
 
     .. include:: inc/external-ram-esp32-notes.rst
diff --git a/docs/en/security/flash-encryption.rst b/docs/en/security/flash-encryption.rst
index 7068aefbe1..f2eaa95007 100644
--- a/docs/en/security/flash-encryption.rst
+++ b/docs/en/security/flash-encryption.rst
@@ -909,6 +909,15 @@ The file ``my-app-ciphertext.bin`` can then be flashed to offset 0x10000 using `
 
 The command ``espsecure.py decrypt_flash_data`` can be used with the same options (and different input/output files), to decrypt ciphertext flash contents or a previously encrypted file.
 
+
+.. only:: SOC_SPIRAM_SUPPORTED and not esp32
+
+  External RAM
+  ------------
+
+  When Flash Encryption is enabled any data read from and written to external SPI RAM through the cache will also be encrypted/decrypted. This happens the same way and with the same key as for Flash Encryption. If Flash Encryption is enabled then encryption for external SPI RAM is also always enabled, it is not possible to separately control this functionality.
+
+
 Technical Details
 -----------------