Apple Platform Security

Data Protection overview
In iOS and iPadOS, Apple uses a technology called Data Protection to protect data stored in flash storage on the device. Data Protection allows the device to respond to common events, such as incoming phone calls, but also enables a high level of encryption for user data. Key system apps, such as Messages, Mail, Calendar, Contacts, Photos and Health data values, use Data Protection by default, and third-party apps installed on iOS 7 or later and iPadOS 13.1 receive this protection automatically.
Implementation
Data Protection is implemented by constructing and managing a hierarchy of keys, and builds on the hardware encryption technologies built into each iOS and iPadOS device. Data Protection is controlled on a per-file basis by assigning each file to a class; accessibility is determined according to whether the class keys have been unlocked. With the advent of the Apple File System (APFS), the file system is now able to further subdivide the keys into a per-extent basis (where portions of a file can have different keys).
Architecture
In iOS and iPadOS, storage is divided into two APFS volumes:
System volume: Holds system content; user data is stored on the Data volume.
Data volume: Every time a file on the Data volume is created, Data Protection creates a new 256-bit key (the per-file key) and gives it to the hardware AES engine, which uses the key to encrypt the file as it is written to flash storage. The encryption uses AES-128 in XTS mode, where the 256-bit per-file key is split to provide a 128-bit tweak and a 128-bit cipher key.
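The per-file XTS construction just described, as an added example written here for illustration (it is not Apple's code and uses no Apple API): a 256-bit per-file key is split into two 128-bit halves, one half encrypts the file blocks and the other encrypts the tweak, and each 16-byte block of a data unit gets its own tweak by multiplying in GF(2^128). Assumptions not stated on the page: the data key is the first half and the tweak key the second (the IEEE 1619 ordering), the tweak value is the data-unit index encoded little-endian, and only whole 16-byte blocks are handled (ciphertext stealing for a ragged final block is omitted). The code uses only the Go standard library and checks itself against IEEE 1619 test vector 1.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const blockSize = 16

// SplitPerFileKey splits a 256-bit per-file key into the two 128-bit halves
// XTS-AES-128 needs: a data key (encrypts the file blocks) and a tweak key
// (encrypts the tweak value). Assumption: data key first, tweak key second,
// the IEEE 1619 order; the page does not state which half is which.
func SplitPerFileKey(perFileKey []byte) (dataKey, tweakKey []byte, err error) {
	if len(perFileKey) != 32 {
		return nil, nil, fmt.Errorf("per-file key must be 256 bits, got %d bits", len(perFileKey)*8)
	}
	return perFileKey[:16], perFileKey[16:], nil
}

// mulAlpha multiplies the tweak by x in GF(2^128) (little-endian, IEEE 1619),
// giving the tweak for the next 16-byte block of the same data unit.
func mulAlpha(t *[blockSize]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// XTSCrypt encrypts (encrypt=true) or decrypts one data unit with XTS-AES-128.
// dataUnit is the assumed tweak value (for example the block index within the
// file): the same plaintext stored at a different index yields different
// ciphertext, so equal blocks in a file are not visible as equal on flash.
func XTSCrypt(perFileKey []byte, dataUnit uint64, in []byte, encrypt bool) ([]byte, error) {
	dataKey, tweakKey, err := SplitPerFileKey(perFileKey)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%blockSize != 0 {
		return nil, errors.New("input must be a non-empty multiple of 16 bytes")
	}
	dataCipher, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	tweakCipher, err := aes.NewCipher(tweakKey)
	if err != nil {
		return nil, err
	}
	// T = E_tweakKey(dataUnit), data-unit number little-endian in the first 8 bytes.
	var tweak [blockSize]byte
	binary.LittleEndian.PutUint64(tweak[:8], dataUnit)
	tweakCipher.Encrypt(tweak[:], tweak[:])

	out := make([]byte, len(in))
	var tmp [blockSize]byte
	for off := 0; off < len(in); off += blockSize {
		for i := range tmp { // C = E_dataKey(P xor T) xor T
			tmp[i] = in[off+i] ^ tweak[i]
		}
		if encrypt {
			dataCipher.Encrypt(tmp[:], tmp[:])
		} else {
			dataCipher.Decrypt(tmp[:], tmp[:])
		}
		for i := range tmp {
			out[off+i] = tmp[i] ^ tweak[i]
		}
		mulAlpha(&tweak) // next block of this data unit uses T * x
	}
	return out, nil
}

// IEEE1619Vector1OK checks the implementation against IEEE 1619 test vector 1
// (all-zero keys, data unit 0, 32 zero plaintext bytes).
func IEEE1619Vector1OK() bool {
	key := make([]byte, 32)
	pt := make([]byte, 32)
	want, _ := hex.DecodeString("917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e")
	got, err := XTSCrypt(key, 0, pt, true)
	return err == nil && bytes.Equal(got, want)
}

func main() {
	perFileKey := make([]byte, 32) // a fresh 256-bit per-file key, one per file
	if _, err := rand.Read(perFileKey); err != nil {
		panic(err)
	}
	plain := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte file content
	ct, _ := XTSCrypt(perFileKey, 7, plain, true)
	pt, _ := XTSCrypt(perFileKey, 7, ct, false)
	fmt.Printf("roundtrip ok: %v, known-answer ok: %v\n", bytes.Equal(pt, plain), IEEE1619Vector1OK())
}
```

The point to take from the example is the division of labour: the per-file key never leaves the key hierarchy in plaintext, and the tweak ties every ciphertext block to its position, so an attacker who images the flash storage cannot move or compare encrypted blocks even between files sharing a key.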