Secure Enclave with symmetric keys

Hi Folks,

I have a need to create and store a 256 bit symmetric key that I use to encrypt and decrypt data stored on disk. There is also a need to continue to do this both in the background and in the application extensions.

As far as I know, SE does not work with symmetric keys, but there is an option to encrypt the symmetric key with an SE-protected asymmetric key. The question arises, how is this different from just storing the key in Keychain, since I can't take advantage of SE's main advantage of not storing the key in memory, even for a short time. (Anyway, I can't not store the key in memory anyway, because the key is used by a third-party framework.)

Should I also use SE for this purpose, decrypt my symmetric key, give the symmetric key to the framework for a short time and then zeroize it?
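As an added illustration of the scheme the question describes (example code written for this page, not from the thread, Apple, or any framework): a 256-bit data key is wrapped under a Secure Enclave P-256 key-agreement key with CryptoKit, stored only in wrapped form, and unwrapped on demand for a consumer. The ECDH step of the unwrap runs inside the Secure Enclave, but the recovered symmetric key is necessarily plaintext in the process's memory, which is exactly the limitation being asked about. The type `WrappedSymmetricKey`, the error enum, the `wrapInfo` label and the function names are assumptions of this example; the CryptoKit and Security calls are real APIs.

```swift
// Added example (not from the thread): wrap a 256-bit symmetric key under a
// Secure Enclave P-256 key-agreement key, and unwrap it only when needed.
import CryptoKit
import Foundation
import Security

/// Everything that must be persisted to recover the data key later.
/// `sePrivateKeyBlob` is the SE key's opaque handle, not raw key material,
/// so all three fields can live in the keychain or on disk.
struct WrappedSymmetricKey {
    let sePrivateKeyBlob: Data      // SecureEnclave...PrivateKey.dataRepresentation
    let ephemeralPublicKey: Data    // X9.63 public half of the one-time wrapping key
    let sealedKey: Data             // AES-GCM nonce || ciphertext || tag
}

enum WrapError: Error { case secureEnclaveUnavailable }   // assumed error type

private let wrapInfo = Data("example-app data key wrap v1".utf8)   // assumed HKDF label

/// Derive the key-encryption key from the ECDH shared secret with HKDF-SHA256.
private func kek(from secret: SharedSecret) -> SymmetricKey {
    secret.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(),
                                   sharedInfo: wrapInfo, outputByteCount: 32)
}

/// Create a fresh SE key and wrap `dataKey` so that only that SE key can recover it.
func wrap(dataKey: SymmetricKey) throws -> WrappedSymmetricKey {
    guard SecureEnclave.isAvailable else { throw WrapError.secureEnclaveUnavailable }
    // Background use (as in the question) needs an accessibility class that is
    // available after first unlock; the CryptoKit default is WhenUnlocked.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, .privateKeyUsage, nil)
    else { throw WrapError.secureEnclaveUnavailable }
    let seKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(accessControl: access)
    // One-time wrapping key: its private half is discarded when this function
    // returns, so afterwards only the SE can complete the ECDH needed to unwrap.
    let ephemeral = P256.KeyAgreement.PrivateKey()
    let secret = try ephemeral.sharedSecretFromKeyAgreement(with: seKey.publicKey)
    let rawKey = dataKey.withUnsafeBytes { Data($0) }
    let box = try AES.GCM.seal(rawKey, using: kek(from: secret))
    return WrappedSymmetricKey(sePrivateKeyBlob: seKey.dataRepresentation,
                               ephemeralPublicKey: ephemeral.publicKey.x963Representation,
                               sealedKey: box.combined!)   // non-nil for the default 12-byte nonce
}

/// Recover the data key. The ECDH runs inside the Secure Enclave; the result is
/// still a plaintext symmetric key in this process's address space.
func unwrap(_ wrapped: WrappedSymmetricKey) throws -> SymmetricKey {
    let seKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(
        dataRepresentation: wrapped.sePrivateKeyBlob)
    let ephemeralPub = try P256.KeyAgreement.PublicKey(
        x963Representation: wrapped.ephemeralPublicKey)
    let secret = try seKey.sharedSecretFromKeyAgreement(with: ephemeralPub)
    let box = try AES.GCM.SealedBox(combined: wrapped.sealedKey)
    let raw = try AES.GCM.open(box, using: kek(from: secret))
    return SymmetricKey(data: raw)
}

/// Hand the unwrapped key to a consumer (e.g. a third-party framework) for as
/// short a time as possible, then overwrite the copy this code holds.
func withUnwrappedKey<T>(_ wrapped: WrappedSymmetricKey,
                         _ body: (Data) throws -> T) throws -> T {
    var raw = try unwrap(wrapped).withUnsafeBytes { Data($0) }
    // Best effort only: Swift value semantics and the consumer may hold other copies.
    defer { raw.resetBytes(in: 0..<raw.count) }
    return try body(raw)
}

// Usage (constructed): the data key never touches disk unwrapped.
let dataKey = SymmetricKey(size: .bits256)
let wrapped = try wrap(dataKey: dataKey)
let recovered = try withUnwrappedKey(wrapped) { raw in SymmetricKey(data: raw) }
assert(recovered == dataKey)
```

What this buys over a bare keychain item is narrow: the wrapped blob on disk is useless without this device's Secure Enclave, and unwrapping can be gated by the access control you attach to the SE key. What it does not buy is the property the question is after: once `unwrap` returns, the 256-bit key is ordinary process memory, and the `resetBytes` call is only a best-effort cleanup of one copy.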

Answered by DTS Engineer in 796864022

This isn’t the first time this issue has come up.

how is this different from just storing the key in Keychain

It isn’t, fundamentally. As you’ve noted, the key advantage of an SE-protected key is that the raw key bits never show up in your address space. That’s not an option when dealing with symmetric keys.

Anyway, I can't not store the key in memory anyway, because the key is used by a third-party framework.

OK.

Should I also use SE for this purpose, decrypt my symmetric key, give the symmetric key to the framework for a short time and then zeroize it?

That’s a question you’ll have to answer for yourself. I can explain how our APIs work, but what you should do depends on a variety of factors (your security goals, the complexity of adding more code, whether you’re subject to regulatory constraints, what your boss wants, and so on).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

If you reply as a reply rather than in the comments, I’m more likely to see it. See Quinn’s Top Ten DevForums Tips for this and other hints and tips.

Do I understand correctly that in this case there is no point

I’m reluctant to use a phrase like “no point” because that’s often a value judgement. That’s what I meant by my joking comment about “your boss”. If your boss says that you absolutely must do this, that’s a good enough reason (-:

You’re really asking whether there’s a security benefit, and I’m struggling to see one. Then again, I’m not a member of your red team, I’m a support person, so I’m not really the right person to offer opinions on that front.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
