Intro to encryption and data protection
The secure boot chain, system security, and app security capabilities all help to ensure that only trusted code and apps run on a device. Apple devices have additional encryption features to safeguard user data, even when other parts of the security infrastructure have been compromised (for example, if a device is lost or is running untrusted code). All of these features benefit both users and IT administrators, protecting personal and corporate information and providing methods for instant and complete remote wipe in the case of device theft or loss.
iOS and iPadOS devices used a file encryption methodology called Data Protection, whereas the data on an Intel-based Mac is protected with a volume encryption technology called FileVault. A Mac with Apple silicon uses a hybrid model that supports Data Protection, with two caveats: The lowest protection level Class (D) isn’t supported, and the default level (Class C) uses a volume key and acts just like the FileVault on an Intel-based Mac. In all cases, key management hierarchies are rooted in the dedicated silicon of the Secure Enclave, and a dedicated AES Engine supports line-speed encryption and helps ensure that long-lived encryption keys aren’t exposed to the kernel operating system or CPU (where they might be compromised). (An Intel-based Mac with a T1 or lacking a Secure Enclave doesn’t use dedicated silicon to protect its FileVault encryption keys.)
Besides using Data Protection and FileVault, Apple has an operating system kernel that prevents unauthorized access to data by enforcing access controls.. These controls most often take the form of sandboxing apps (which restrict what data an app can access), and protecting an app’s data in Data Vault. Think of a data vault as an inverted sandbox. Rather than restricting the calls an app can make, this mechanism restricts access to the protected data (again, enforced by the kernel independent of file encryption) regardless of whether the requesting app is itself sandboxed.