Update readmes to talk about plain keys instead of key shares

will-v-pi · will-v-pi · commit 444ba38a34c0 · 2025-07-16T17:54:25.000+01:00
diff --git a/bootloaders/encrypted/README.md b/bootloaders/encrypted/README.md
@@ -8,18 +8,18 @@ Your signing key must be for the _secp256k1_ curve, in PEM format. You can creat
 openssl ecparam -name secp256k1 -genkey -out private.pem
 ```
 
-The AES key is stored as a 4-way share in a 128 byte binary file - you can create one with
+The AES key is stored in a 32 byte binary file - you can create one with
 
 ```bash
-dd if=/dev/urandom of=privateaes.bin bs=1 count=128
+dd if=/dev/urandom of=privateaes.bin bs=1 count=32
 ```
 
 or in Powershell 7
 ```powershell
-[byte[]] $(Get-SecureRandom -Maximum 256 -Count 128) | Set-Content privateaes.bin -AsByteStream
+[byte[]] $(Get-SecureRandom -Maximum 256 -Count 32) | Set-Content privateaes.bin -AsByteStream
 ```
 
-The IV salt is just a 16 byte binary file - you can create it the same way, replacing `128` with `16` and `privateaes.bin` with `ivsalt.bin` in the commands above.
+The IV salt is just a 16 byte binary file - you can create it the same way, replacing `32` with `16` and `privateaes.bin` with `ivsalt.bin` in the commands above.
 
 You will need to program your OTP using the `otp.json` file generated by the build in your build folder
 NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP pages the AES key and IV salt are stored in.
diff --git a/encrypted/hello_encrypted/README.md b/encrypted/hello_encrypted/README.md
@@ -6,18 +6,18 @@ Your signing key must be for the _secp256k1_ curve, in PEM format. You can creat
 openssl ecparam -name secp256k1 -genkey -out private.pem
 ```
 
-The AES key is stored as a 4-way share in a 128 byte binary file - you can create one with
+The AES key is stored in a 32 byte binary file - you can create one with
 
 ```bash
-dd if=/dev/urandom of=privateaes.bin bs=1 count=128
+dd if=/dev/urandom of=privateaes.bin bs=1 count=32
 ```
 
 or in Powershell 7
 ```powershell
-[byte[]] $(Get-SecureRandom -Maximum 256 -Count 128) | Set-Content privateaes.bin -AsByteStream
+[byte[]] $(Get-SecureRandom -Maximum 256 -Count 32) | Set-Content privateaes.bin -AsByteStream
 ```
 
-The IV salt is just a 16 byte binary file - you can create it the same way, replacing `128` with `16` and `privateaes.bin` with `ivsalt.bin` in the commands above.
+The IV salt is just a 16 byte binary file - you can create it the same way, replacing `32` with `16` and `privateaes.bin` with `ivsalt.bin` in the commands above.
 
 You will need to program your OTP using the `otp.json` file generated by the build in your build folder
 NOTE: This will enable secure boot on your device, so only correctly signed binaries can then run, and will also lock down the OTP pages the AES key and IV salt are stored in.
