From your article:
In reality, SE-protected keys are stored in the standard keychain database alongside all your other keychain items. The difference is that the key is wrapped in such a way that only the SE can use it. So, the key is protected by the SE, not stored in the SE.
This is in line with the scenario we've been able to reproduce the issue with:
1. Create a SE-protected key-pair in the app
2. Back up the iPhone
3. Erase the iPhone and restore it from the backup
The app is still able to find the key via SecItemCopyMatching but the key is not able to sign.
I assume the Keychain is restored but the key material is not, hence the unusable key-pair.
My follow-up question is:
How can I detect this situation and preemptively invalidate that unusable key pair? I want to avoid having the user sign something and then prompting him to refresh the key on error. Ideally I would like to detect this situation in the background without having the user sign anything (i.e. use his Face ID, since the key-pair is biometrics-protected).
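The detect-and-invalidate step for the scenario described in this post, as an added example that is not part of the post or the article it replies to: the key is looked up via SecItemCopyMatching exactly as the post describes, a constructed challenge is signed to probe whether the SE can still use the wrapped key, and on failure the stale Keychain item is deleted so a fresh key-pair can be generated. The tag value and the decision to delete on any signing error are assumptions; because signing a biometrics-protected key triggers Face ID, this probe belongs in a sign-time error path rather than a silent background check.

```swift
import Foundation
import Security

/// Outcome of probing a Secure Enclave protected key found in the Keychain.
enum SEKeyProbe {
    case usable
    case missing          // no Keychain item for the tag
    case unusable(Error)  // item present, but the SE cannot sign with it
}

/// Looks up the private key by application tag (assumed tag for this example)
/// and tries to sign a constructed challenge. A key that survives a restore
/// only as a Keychain entry will be found but fail here.
func probeSEKey(tag: Data) -> SEKeyProbe {
    let query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrApplicationTag: tag,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecReturnRef: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let key = item as! SecKey? else {
        return .missing
    }

    // Constructed challenge: the content is irrelevant, only whether signing works.
    let challenge = Data("se-key-health-probe".utf8)
    var cfError: Unmanaged<CFError>?
    let signature = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, challenge as CFData, &cfError)
    if signature != nil {
        return .usable
    }
    let error = cfError?.takeRetainedValue() ?? NSError(domain: NSOSStatusErrorDomain,
                                                        code: Int(errSecInternalError))
    // Invalidate the stale entry so the caller can regenerate the key-pair.
    // Deleting on any signing error is an assumption; refine per CFError code.
    let deleteQuery: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrApplicationTag: tag,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
    ]
    SecItemDelete(deleteQuery as CFDictionary)
    return .unusable(error)
}
```

On `.missing` or `.unusable` the app should generate a new SE-protected key-pair and re-enrol its public key with the backend.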