Secure Enclave Key Persistence When Passcode is Removed

I am using the Secure Enclave to generate private keys with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and SecAccessControlCreateFlags.biometryCurrentSet. The public key is derived from the Secure Enclave private key at creation and stored in the Keychain for later retrieval.

During testing, I observed the following:

  1. When the device's passcode is removed, the public key stored in the Keychain is deleted as expected.

  2. However, the private key in the Secure Enclave can still be fetched using SecItemCopyMatching, despite being tied to the passcode for protection.

My questions are:

  • Is this behavior expected?

  • How does the Secure Enclave manage private keys in scenarios where the passcode is removed?

  • Is there a way to ensure that the Secure Enclave private key is deleted entirely (not just rendered inaccessible) when the passcode is removed?

Any clarification or relevant documentation references would be very helpful. Thank you!
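As an added illustration (not code from the original post), the Swift probe below creates a Secure Enclave key with the same access control the question describes, stores the exported public key in the Keychain, and then separates the two things that are easy to conflate when testing this: obtaining a reference to the private key via SecItemCopyMatching versus actually being able to use it for a signature. It also shows the explicit cleanup an app can perform itself. The application tag and the "probe" message are placeholders chosen here; the helper names are not Apple APIs.

```swift
import Foundation
import Security
import LocalAuthentication

// Placeholder tag; any app-specific value works.
let keyTag = "com.example.se-probe".data(using: .utf8)!

/// Access control matching the question: passcode-bound, biometry set must not change.
func makeAccessControl() throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let ac = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error
    ) else { throw error!.takeRetainedValue() as Error }
    return ac
}

/// Generates a P-256 key inside the Secure Enclave and persists it under `keyTag`.
func createSecureEnclaveKey() throws -> SecKey {
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: try makeAccessControl(),
        ],
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Stores the derived public key as a separate Keychain item with the same
/// passcode-bound accessibility, which is the item the question saw disappear.
func storePublicKey(of privateKey: SecKey) -> OSStatus {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return errSecParam }
    let add: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrKeyClass as String: kSecAttrKeyClassPublic,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecValueRef as String: publicKey,
    ]
    return SecItemAdd(add as CFDictionary, nil)
}

/// Step 1 of the probe: does the Keychain still hand back a *reference* to the private key?
func fetchPrivateKeyReference() -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
    return (item as! SecKey)
}

/// Step 2 of the probe: can the key actually be *used*? A reference alone proves
/// nothing about whether the Secure Enclave will honour the access control.
func canSign(with key: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    let message = "probe".data(using: .utf8)! as CFData
    return SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, message, &error) != nil
}

/// Explicit cleanup: removes every key item under the tag (private and public).
func deleteAllKeys() -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
    ]
    return SecItemDelete(query as CFDictionary)
}

/// Run once before and once after changing the passcode, and compare the two results.
func runProbe() -> (referenceFound: Bool, signatureWorked: Bool) {
    guard let key = fetchPrivateKeyReference() else { return (false, false) }
    return (true, canSign(with: key))
}
```

The pair returned by runProbe is the useful measurement: a result of (true, false) means the Keychain still lists the key but the Secure Enclave refuses to operate with it under the current access-control state, which is a different situation from the key material being gone. deleteAllKeys is the app-side way to make removal unconditional rather than relying on the system's own handling of passcode changes.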
