Comment by watusername
1 day ago
From the Advanced Data Protection whitepaper [0], it appears the keys are stored in the iCloud Keychain domain, so not the Secure Enclave:
> Conceptually, Advanced Data Protection is simple: All CloudKit Service keys that were generated on device and later uploaded to the available-after-authentication iCloud Hardware Security Modules (HSMs) in Apple data centers are deleted from those HSMs and instead kept entirely within the account’s iCloud Keychain protection domain. They are handled like the existing end-to-end encrypted service keys, which means Apple can no longer read or access these keys.
[0]: https://support.apple.com/guide/security/advanced-data-prote...
Wrapped by a key hierarchy ultimately rooted by a key stored in the Secure Enclave.
Well yes, the entire storage is. I was trying to explain how it's extractable.
fair!