I am using the Secure Enclave to generate private keys with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and SecAccessControlCreateFlags.biometryCurrentSet. The public key is derived from the Secure Enclave private key at creation and stored in the Keychain for later retrieval.
During testing, I observed the following:
When the device's passcode is removed, the public key stored in the Keychain is deleted as expected.
However, the private key in the Secure Enclave can still be fetched using SecItemCopyMatching, despite being tied to the passcode for protection.
My questions are:
Is this behavior expected?
How does the Secure Enclave manage private keys in scenarios where the passcode is removed?
Is there a way to ensure that the Secure Enclave private key is deleted entirely (not just rendered inaccessible) when the passcode is removed?
Any clarification or relevant documentation references would be very helpful. Thank you!
yiliev
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution
Post
Replies
Boosts
Views
Activity
In our Enterprise account with Admin access, I can't see the option to create a DeviceCheck key needed for the App Attest functionality.
Is there a limitation preventing this key from being generated on Enterprise accounts?