eDB ships AES-XTS at-rest encryption — even on 64 KB devices

The constraint

eDB targets every EoS device, and the smallest one in scope ships with 64 KB of flash and 16 KB of RAM. There was room for exactly 6 KB of code for the encryption layer — including the AES core, key schedule, page format, and the integration shim with the existing storage manager.

Why AES-XTS

AES-XTS is the modern standard for storage encryption: deterministic per-block, no IV management, no nonce reuse risk, and well-suited to fixed-size pages. The downside — two AES keys per tweak — is irrelevant on devices where the hardware accelerator handles round operations in parallel.

Hardware key offload

On supported MCUs (STM32 with PKA, NXP CAAM, RP2040 PIO+PIO-AES), the page key never enters CPU-accessible memory. It's loaded into a key slot at boot and referenced by handle thereafter. The fallback software path (constant-time AES-NI-style on Cortex-M) costs roughly 8 cycles/byte on M7.

// eDB page write (simplified)
status = aes_xts_encrypt(
    page_key_handle,    // hardware key slot
    page->lba,          // tweak = logical block address
    plaintext, page_size,
    ciphertext);
flash_write(page->phys_addr, ciphertext, page_size);

What we cut

Authenticated encryption (XTS is not). The threat model assumes the storage medium is honest-but-curious: an attacker can read pages but cannot inject. Devices needing AEAD should use the larger eDB-S build, which adds GCM at the cost of an additional 11 KB of code.

Filed under:Security & Boot