Products, services, and OS functions
may not be available in this country.
  • Global Nav Open Menu Global Nav Close Menu
  • Apple
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • AirPods
  • TV & Home
  • Only on Apple
  • Support
  • Where to Buy
Apple Platform Security
Open Menu Close Menu
  • Communities
Table of Contents

Apple Platform Security

  • Welcome
  • Intro to Apple platform security
    • Hardware security overview
    • Apple SoC security
    • Secure Enclave
      • Biometric security
      • Magic Keyboard with Touch ID
      • Optic ID, Face ID, Touch ID, passcodes, and passwords
      • Optic ID matching security
      • Facial matching security
      • Uses for Optic ID, Face ID, and Touch ID
      • Secure intent and connections to the Secure Enclave
    • Hardware microphone disconnect
    • Express Cards with power reserve
    • System security overview
      • Boot process for iPhone and iPad devices
      • Memory safe iBoot implementation
        • Boot process
        • Boot modes
        • Paired recoveryOS restrictions
        • Startup Disk security policy control
        • LocalPolicy signing-key creation and management
        • Contents of a LocalPolicy file for a Mac with Apple silicon
        • Boot process
        • Boot modes
        • Startup Security Utility
        • Firmware password protection
        • recoveryOS and diagnostics environments
    • Signed system volume security
    • Secure software updates
    • Rapid Security Responses
    • Operating system integrity
      • Pairing model security
      • Activating data connections securely
      • Verifying accessories
      • iPhone Mirroring security
    • BlastDoor for Messages and IDS
    • Lockdown Mode security
      • Additional macOS system security capabilities
      • System Integrity Protection
      • Trust caches
      • Peripheral processor security
      • Rosetta 2 on a Mac with Apple silicon
      • Direct memory access protections
      • Securely extending the kernel
      • Option ROM security
      • UEFI firmware security in an Intel-based Mac
    • System security for watchOS
    • Random number generation
    • Apple Security Research Device
    • Encryption and Data Protection overview
    • Passcodes and passwords
      • Data Protection overview
      • Data Protection
      • Data Protection classes
      • Keybags for Data Protection
      • Protecting keys in alternate boot modes
      • Protecting user data in the face of attack
      • Sealed Key Protection (SKP)
      • Role of Apple File System
      • Keychain data protection
      • Volume encryption with FileVault
      • Managing FileVault
      • Protecting app access to user data
      • Protecting access to user’s health data
    • Digital signing and encryption
    • App security overview
    • App code signing process
      • Intro to app security for iOS, iPadOS, and visionOS
      • About App Store security
      • Security of runtime process
      • App protection and app groups
      • Intro to app security for macOS
      • App code signing process
      • Gatekeeper and runtime protection
      • Protecting against malware
      • Controlling app access to files
    • Supporting extensions
    • Secure features in the Notes app
    • Secure features in the Shortcuts app
    • Services security overview
      • Apple Account security
      • Managed Apple Account security
      • iCloud security overview
      • iCloud encryption
      • Advanced Data Protection for iCloud
      • Security of iCloud Backup
      • iCloud Private Relay security
      • Account recovery contact security
      • Legacy Contact security
      • Passcode security overview
      • Sign in with Apple security
      • Automatic strong passwords
      • Password AutoFill security
      • App access to saved passwords
      • Password security recommendations
      • Password Monitoring
      • Sending passwords
      • Credential provider extensions
        • iCloud Keychain security overview
        • Secure keychain syncing
        • Secure iCloud Keychain recovery
        • Escrow security for iCloud Keychain
      • Apple Pay security overview
      • Apple Pay component security
      • How Apple Pay keeps users’ purchases protected
        • Card provisioning security overview
        • Adding credit or debit cards to Apple Pay
      • Payment authorization with Apple Pay
      • Paying with cards using Apple Pay
      • Contactless passes in Apple Pay
      • Rendering cards unusable with Apple Pay
      • Apple Card security
      • Apple Cash security
      • Tap to Pay on iPhone
      • Access using Apple Wallet
      • Access key types
      • Car key security
      • Adding transit and eMoney cards to Apple Wallet
        • IDs in Apple Wallet
        • Security of IDs in Apple Wallet
      • iMessage security overview
      • How iMessage sends and receives messages
      • Check In security
      • Secure iMessage name and photo sharing
    • Secure Apple Messages for Business
    • FaceTime security
      • Find My security
      • Locating missing devices
      • Continuity security overview
      • Handoff security
      • iPhone cellular call relay security
      • iPhone Text Message Forwarding security
      • Instant Hotspot security
    • Network security overview
    • TLS security
    • IPv6 security
    • VPN security
      • Security features when connecting to wireless networks
      • Wi-Fi security with Apple devices
      • Privacy features when connecting to wireless networks
      • Wi-Fi privacy with Apple devices
    • Bluetooth security
    • Ultra Wideband security in iOS
    • Single sign-on security
    • AirDrop security
    • Wi-Fi password sharing security
    • Firewall security in macOS
    • Developer kit security overview
      • Communication security
      • Data security
      • Securing routers with HomeKit
      • Camera security
      • Security with Apple TV
    • SiriKit security
    • WidgetKit security
    • DriverKit security
    • ReplayKit security
    • ARKit security
    • NFC & SE Platform security
    • Secure device management overview
      • MDM security overview
      • Managed device attestation security
      • Configuration enforcement
      • Automated Device Enrollment
      • Activation Lock security
      • Managed Lost Mode and remote wipe
      • Shared iPad security
    • Apple Configurator security
    • Screen Time security
  • Glossary
  • Document revision history
  • Copyright
Data Protection overview.

The secure nonvolatile storage is used for all anti-replay services in the Secure Enclave. Anti-replay services on the Secure Enclave are used for revocation of data over events that mark anti-replay boundaries including, but not limited to, the following:

  • Passcode change

  • Enabling or disabling Optic ID, Face ID, or Touch ID

  • Adding or removing an Optic ID eye, a Face ID face, or a Touch ID fingerprint

  • Optic ID, Face ID, or Touch ID reset

  • Adding or removing an Apple Pay card

  • Erase All Content and Settings

On architectures that don’t feature a Secure Storage Component, EEPROM (electrically erasable programmable read-only memory) is utilized to provide secure storage services for the Secure Enclave. Just like the Secure Storage Components, the EEPROM is attached and accessible only from the Secure Enclave, but it doesn’t contain dedicated hardware security features nor does it guarantee exclusive access to entropy (aside from its physical attachment characteristics) nor counter lockbox functionality.

Secure Neural Engine

On Apple Vision Pro, the Secure Neural Engine converts images into a mathematical representation of a user’s eyes. On devices with Face ID (not Touch ID), the Secure Neural Engine converts 2D images and depth maps into a mathematical representation of a user’s face.

On A11 through A13 SoCs, the Secure Neural Engine is integrated into the Secure Enclave. The Secure Neural Engine uses direct memory access (DMA) for high performance. An input-output memory management unit (IOMMU) under the sepOS kernel’s control limits this direct access to authorized memory regions.

Starting with A14, M1, or later SoCs, the Secure Neural Engine is implemented as a secure mode in the Application Processor’s Neural Engine. A dedicated hardware security controller switches between Application Processor and Secure Enclave tasks, resetting Neural Engine state on each transition to keep Optic ID or Face ID data secure. A dedicated engine applies memory encryption, authentication, and access control. At the same time, it uses a separate cryptographic key and memory range to limit the Secure Neural Engine to authorized memory regions.

Power and clock monitors

All electronics are designed to operate within a limited voltage and frequency envelope. When operated outside this envelope, the electronics can malfunction and then security controls may be bypassed. To help ensure that the voltage and frequency stay in a safe range, the Secure Enclave is designed with monitoring circuits. These monitoring circuits are designed to have a much larger operating envelope than the rest of the Secure Enclave. If the monitors detect an illegal operating point, the clocks in the Secure Enclave automatically stop and don’t restart until the next SoC reset.

Secure Enclave feature summary

Note: A12, A13, S4, and S5 products first released in Fall 2020 have a 2nd generation Secure Storage Component, whereas while earlier products based on these SoCs have a 1st generation Secure Storage Component.

SoC

Memory Protection Engine

Secure Storage

AES Engine

PKA

A8

Encryption and authentication

EEPROM

Yes

No

A9

Encryption and authentication

EEPROM

DPA protection

Yes

A10

Encryption and authentication

EEPROM

DPA protection and lockable seed bits

OS-bound keys

A11

Encryption, authentication, and replay prevention

EEPROM

DPA protection and lockable seed bits

OS-bound keys

A12 (Apple devices released before Fall 2020)

Encryption, authentication, and replay prevention

Secure Storage Component gen 1

DPA protection and lockable seed bits

OS-bound keys

A12 (Apple devices released after Fall 2020)

Encryption, authentication, and replay prevention

Secure Storage Component gen 2

DPA protection and lockable seed bits

OS-bound keys

A13 (Apple devices released before Fall 2020)

Encryption, authentication, and replay prevention

Secure Storage Component gen 1

DPA protection and lockable seed bits

OS-bound keys and Boot Monitor

A13 (Apple devices released after Fall 2020)

Encryption, authentication, and replay prevention

Secure Storage Component gen 2

DPA protection and lockable seed bits

OS-bound keys and Boot Monitor

A14–A18

Encryption, authentication, and replay prevention

Secure Storage Component gen 2

DPA protection and lockable seed bits

OS-bound keys and Boot Monitor

S3

Encryption and authentication

EEPROM

DPA protection and lockable seed bits

Yes

S4

Encryption, authentication, and replay prevention

Secure Storage Component gen 1

DPA protection and lockable seed bits

OS-bound keys

S5 (Apple devices released before Fall 2020)

Encryption, authentication, and replay prevention

Secure Storage Component gen 1

DPA protection and lockable seed bits

OS-bound keys

S5 (Apple devices released after Fall 2020)

Encryption, authentication, and replay prevention

Secure Storage Component gen 2

DPA protection and lockable seed bits

OS-bound keys

S6–S9

Encryption, authentication, and replay prevention

Secure Storage Component gen 2

DPA protection and lockable seed bits

OS-bound keys

T2

Encryption and authentication

EEPROM

DPA protection and lockable seed bits

OS-bound keys

M1–M4

Encryption, authentication, and replay prevention

Secure Storage Component gen 2

DPA protection and lockable seed bits

OS-bound keys and Boot Monitor

Published Date: December 19, 2024
See alsoDownload this guide as a PDF

Helpful?
Character limit: 250
Maximum character limit is 250.
Thanks for your feedback.
Previous Apple SoC security Next Biometric security

Apple Footer

 Apple
  1. Support
  2. Apple Platform Security
  3. Secure Enclave
Belarus
Copyright © 2025 Apple Inc. All rights reserved.
Terms of Use Privacy Policy

Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant