keybag

A data structure used to store a collection of class keys. Each type (user, device, system, backup, escrow or iCloud Backup) has the same format.

A header containing: Version (set to four in iOS 12 or later), Type (system, backup, escrow or iCloud Backup), Keybag UUID, an HMAC, if the keybag is signed, and the method used for wrapping the class keys — tangling with the UID or PBKDF2, along with the salt and iteration count.

A list of class keys: Key UUID, Class (which file or Keychain Data Protection class), wrapping type (UID-derived key only; UID-derived key and passcode-derived key), wrapped class key and a public key for asymmetric classes.