Indeed I have been working on flash encryption support. It's the main reason I've been less active lately on other software.
When PJRC officially supports encrypted flash, we will begin selling a "lockable" version of Teensy 4.0. New "standard" Teensy 4.0 will also get a minor change so you can also use encryption, but it is not as secure. Older Teensy 4.0 boards, made before June 2021, will not support encrypted flash.
Both standard and lockable will allow you to encrypt the flash memory. If someone desolders the flash chip and reads it with other hardware, they will see only encrypted code, plus the plaintext header used to configure flash setting during boot, and the digital signature. All of the actual code will be encrypted.
Encryption alone doesn't mean your code is fully secure. There are other ways than removing the flash chip which a hacker may attempt to steal your code. On standard Teensy 4.0, the JTAG debug pins are always available and unsigned code can always boot. While you can try some tricks to mitigate these risks (like reconfiguring the JTAG pins as GPIO at startup), they always remain as a possible path for a hacker to obtain access to your code, either by debugging while it's running or by attempting to alter only a portion of the flash chip with their own code.
With the lockable version, you will have access to fuse settings which permanently disable the JTAG pins and permanently turn on a secure mode where only signed code can boot. Like any locking door, if you mistakenly lock it without having your keys, you are locked out. Unlike the door on your home, there is no locksmith who can break strong encryption to restore your access. I've been working on a process which will hopefully minimize the risk, but the upcoming lockable version of Teensy 4.0 can become permanently bricked if you make a mistake setting the secure mode or if you run special code which alters other critically important fuse settings. Of course if you lose your encryption key, you'll never be able to reprogram locked boards with that key permanently burned into their config fuses.
Standard Teensy 4.0 is permanently configured to always reliably give you a way to recover from mistakes (at least software mistakes - no config can protect against hardware damage) and you can always reprogram it with new code. Unfortunately there is no way to have both safety from mistakes and the ability to lock security to only booting signed code, which is why PJRC will soon offer a lockable version.
If you build a custom PCB with the
bootloader chip, your custom board is lockable. But the bootloader code currently shipping does not properly support secure mode. It will be updated when we release the lockable Teensy 4.0.