Secure enclaves: The key to data security

Not every modern operating system has a secure enclave. Windows and Linux support a secure chip called the Trusted Platform Module (TPM), which is designed to generate and store cryptographic keys.

Secure enclave and secure enclave processor (SEP) are similar terms, so to differentiate, let’s take a closer look at what we talk about when we mention Apple’s secure enclave.

The secure enclave is a secure storage component integrated into Apple’s systems on chip (SoC). It uses AES encryption and is available in a variety of Apples devices:

• iOS devices (iPhone 5s or later, iPad Air or later)
• MacBook Pros with the Apple T1 Chip
• Intel-based Mac computers that contain the Apple T2 Security Chip
• Mac computers with Apple silicon
• Apple TV HD or later
• Apple Watch Series 1 or later
• HomePod and HomePod mini

Apple’s secure enclave is isolated from the main processor to protect it and even has its own dedicated power source, the secure enclave processor.

As you can see, Apple’s secure enclave is completely separated from the main processor. But how does it all connect together?

When not in use, your data is stored in NAND flash storage. If you select a file or an image, the application processor finds the data and transfers it to the right place. For example, a quick check on your photo will warrant bringing it to the DRAM, a type of temporary storage. But if you decide to make changes to your picture, the changes will be carried back to the NAND flash storage.

When you’re unlocking a device or making a payment, the process also involves a secure enclave. For example, the application data will be taken from your NAND flash storage, but the authentication process will have to pass the secure enclave to ensure the encryption key or your Face ID fits the data in the storage.

Having a hard time separating a secure enclave and Apple’s Keychain? Here’s a simple way to think about them. You already know that encryption keys stored in the secure enclave are shielded from direct access by the user. Keychain, on the other hand, is software for storing encrypted data such as your passwords and notes. Also, while Keychain is shared between your devices via iCloud, secure enclave data is stored on the device.

Let’s take unlocking your device as an example. When you use Touch ID, the secure enclave verifies your fingerprint data and allows the system to decrypt and give you access to Keychain.

Whether we’re talking about secure enclaves on Macs and iPhones, the TEE on Android, or the TPM on Windows, they all provide significant security benefits for the device owner. Theoretically, any device can be taken apart and hacked into, but when it comes to secure enclaves, they’re designed to withstand various forms of physical and digital attacks. Here are some of the benefits of secure enclaves:

• Resistance to tampering. Secure enclaves are often equipped with countermeasures to prevent tampering. They may even destroy the data to prevent unauthorized access.
• Encryption. Apple’s secure enclave encrypts sensitive information such as Touch ID and Face ID biometric data, preventing anyone from reading the data even in the unlikely event of a data breach.
• Key storage. When you want to protect something on your device, the security key is created and stored inside the secure enclave, helping prevent it from being exposed elsewhere on the device.
• Limited attack surface. Because secure enclaves are isolated from the rest of the computer system, getting to the data through privilege escalation attacks becomes significantly harder.

The share of privacy-conscious users may be growing, but still too many choose to use weak passwords and reuse old ones. That’s one reason why secure enclaves are important — they’re not dependent on the user. Of course, how you protect your device matters a great deal. Weak security can leave your device vulnerable to various cyberthreats and in certain conditions, might even expose it to direct memory access attacks. But even if your password is “password,” a hacker would have a difficult time getting to the most sensitive data on your device if it’s in a secure enclave since it’s isolated and confidential.

Remote attestation is another important security benefit that could potentially stop a data breach. Essentially, it checks whether an application is running within a genuine enclave or a simulated environment. For example, a server can use this technology to ensure the integrity of the operation by verifying that a client is running on a secure device.

Secure enclaves provide a secure environment for network data, as well. For example, the cloud services have started to use secure enclave memory to protect customer data from insider threats. Because the data is processed inside a secure enclave, even server administrators can’t access it. When it comes to software vulnerabilities, the hardware-based security component ensures that data can’t be hacked remotely.

While secure enclaves are an important security tool, they are not a replacement for traditional security measures such as passwords, multi-factor authentication, software-based encryption, antiviruses, and firewalls.

For example, secure enclaves use encryption, protect your sensitive data from various attacks, and can detect tampering. But all of these security measures only apply to the data in the enclaves, such as biometric data or encryption keys. Everything else on your device like your pictures, messages, and even passwords can be up for grabs for whoever gets their hands on it.

Always use the best security measures available and never underestimate the lifting that an antivirus, a firewall, or a security tool like Threat Protection does to keep you safe.