> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thistle.tech/llms.txt
> Use this file to discover all available pages before exploring further.
# Get Started: Encrypted OTA Update
> How to deliver an encrypted OTA file update with Thistle
This guide will show you how to deliver an encrypted OTA update using Thistle.
Encrypted OTA updates ensure that update artifacts are encrypted in the cloud
and in transit, so that only authorized devices can decrypt and install them. You may
run the update client directly on a desktop/laptop computer (Linux, macOS, or
Windows) as it will run in the same manner on an embedded device.
## Tools needed
* Version 1.8.0 (or above) of TUC and TRH for your platform
* The [Thistle Update Client](/binaries#thistle-update-client-tuc): A binary
to run on the device side to obtain the latest OTA update
* The [Thistle Release
Helper](/binaries#release-helper-trh): A CLI developer
tool to prepare and publish OTA releases
* One may also try out TUC and TRH on a web browser using
[Thistle OTA update demo](https://demo.thistle.tech)
* On the [Thistle Control Center App](https://app.thistle.tech/projects). Visit
the settings section of a project to obtain the API token ("Project Access
Token") to be used as `THISTLE_TOKEN` in the configuration step below.
In "Settings > General > Project Configuration", make sure the "Encrypted OTA"
feature is on.
## TRH configuration and initialization
Configure your Thistle project's access token for TRH
```bash theme={"dark"}
$ export THISTLE_TOKEN=$(cat)
(paste access token, press enter, then ctrl-d)
$ ./trh --signing-method="remote" init
```
```powershell theme={"dark"}
# Set up your project's access token - Windows PowerShell
$ $env:THISTLE_TOKEN = "[Access Token Obtained from Thistle App's Project Settings section]"
$ .\trh.exe --signing-method="remote" init
```
First we initialize the local development environment by executing the `init`
command. This creates a Cloud-KMS-backed OTA update bundle signing key pair on
the Thistle backend, and an OTA update manifest file `manifest.json` locally in
the current directory, if they do not exist. If they already exist, the public
key portion of the key pair and the latest manifest file will be obtained.
Your local working environment is now ready.
## What's in an encrypted update
We will now package our first encrypted update. For the purpose of this test,
the update will contain a single file called `my_app`, that will be installed
at path `/tmp/ota/my_app`. The `--encrypt-ota` flag instructs TRH to encrypt
the update artifacts so that only devices provisioned with the correct key
material can decrypt them. Because encrypted OTA operates on a zip archive
bundle, the `--encrypt-ota` flag must be used together with the `--zip-target`
flag.
```bash theme={"dark"}
$ mkdir -p ./release
$ echo "hello, encrypted world" > ./release/my_app
# my_app will be installed on target system at /tmp/ota/my_app
# Note the --encrypt-ota and --zip-target flags
$ ./trh --signing-method="remote" prepare \
--target="./release" \
--file-base-path="/tmp/ota" \
--encrypt-ota --zip-target
```
Upon success, `manifest.json` will be amended and signed for the encrypted OTA release.
## Upload and test deployed release
Now that we have prepared the encrypted update bundle, we can use the `trh` tool
to upload the release and its assets.
```bash theme={"dark"}
$ ./trh --signing-method="remote" release
```
With the encrypted OTA update artifacts and manifest uploaded to the Thistle
Backend, we are now ready to run the Thistle Update Client (TUC) to fetch,
decrypt, and install the OTA update on a device.
First, generate a device configuration file `tuc-config.json` for device
pre-enrollment (cf.
[Device Pre-enrollment](../device_provisioning#device-pre-enrollment)).
```bash theme={"dark"}
./trh --signing-method="remote" gen-device-config \
--device-name="my-demo-enc-ota-device" \
--enrollment-type="pre-enroll" \
--persist="${HOME}/thistle-ota" \
--config-path="./tuc-config.json"
```
The above command generates `tuc-config.json` in the current directory. It
configures the client to store persistent data between device reboots in path
`~/thistle-ota/`. Place `tuc-config.json` on a device to receive the OTA update,
and run TUC with this configuration. In this guide we will run TUC on the same
machine where TRH is run.
```bash theme={"dark"}
./tuc -c ./tuc-config.json
# by default the TUC continues running. Use ctrl-C to exit from it.
# verify installation below
$ cat /tmp/ota/my_app
hello, encrypted world
```
TUC automatically handles decryption of encrypted update artifacts. You can
confirm your file was installed as defined by looking at the install path
/tmp/ota/my\_app.
## Upload a new encrypted update bundle
To update the manifest we just released with newer content, re-run the
`prepare` and `release` commands. All the devices using the device
configuration file `tuc-config.json` will then receive this update.
```bash theme={"dark"}
echo "hello, new encrypted world" > ./release/my_app
./trh --signing-method="remote" prepare \
--target="./release" \
--file-base-path="/tmp/ota" \
--encrypt-ota --zip-target
./trh --signing-method="remote" release
```
## More options
In this get started guide, we explained the usage of the Thistle Update Client
alongside the Thistle Release Helper to perform encrypted OTA updates on a
single file - and many more use cases are supported!
* [File update](/update/get_started/file_update)
* [AI model update, with provenance](/update/get_started/ai_model_update_signed_model)
* [AI model update, end-to-end encrypted model](/update/get_started/ai_model_update_encrypted_model)
* [A/B tested Raspberry Pi 4 update support](/hardware/raspberry_pi/rpi4_ota_ab_update)
* Support for pre & post install scripts
* OTA bundle signing using external signing tools
* [With YubiKey-protected signing key](https://github.com/thistletech/trh-y)
* [With GCP-KMS-backed signing key](https://github.com/thistletech/trh-k)