The escrow keybag is used for iTunes syncing and mobile device management (MDM). This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM solution to remotely clear a user’s passcode. It is stored on the computer that’s used to sync with iTunes, or on the MDM solution that remotely manages the device.
The escrow keybag improves the user experience during device synchronization, which potentially requires access to all classes of data. When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. The device then creates an escrow keybag containing the same class keys used on the device, protected by a newly generated key. The escrow keybag and the key protecting it are split between the device and the host or server, with the data stored on the device in the Protected Until First User Authentication class. This is why the device passcode must be entered before the user backs up with iTunes for the first time after a reboot.
In the case of an over-the-air (OTA) software update, the user is prompted for their passcode when initiating the update. This is used to securely create a one-time Unlock Token, which unlocks the user keybag after the update. This token can’t be generated without entering the user’s passcode, and any previously generated token is invalidated if the user’s passcode changed.
One-time Unlock Tokens are issued for either attended or unattended installation of a software update. They are encrypted with a key derived from the current value of a monotonic counter in the Secure Enclave, the UUID of the keybag, and the Secure Enclave’s UID.
For devices with SoCs earlier than the A9, incrementing the one-time Unlock Token counter in the Secure Enclave invalidates any existing token. The counter is incremented when a token is used, after the first unlock of a restarted device, when a software update is canceled (by the user or by the system), or when the policy timer for a token has expired.
On A9 (and newer) SoCs, the one-time Unlock Token no longer relies on counters or Effaceable Storage. Instead, it is protected by a Secure Enclave-controlled anti-replay nonce.
The one-time Unlock Token for attended software updates expires after 20 minutes. Prior to iOS 13, this token is exported from the Secure Enclave and is written to Effaceable Storage. A policy timer increments the counter if the device hasn’t rebooted within 20 minutes. In iOS 13 and iPadOS 13.1, the token is stored in a locker protected by the Secure Enclave.
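To make the counter binding described above concrete, here is an added Python model (not Apple's code) of a pre-A9 Secure Enclave deriving the token key from its UID, the keybag UUID and the monotonic counter, so that any counter increment leaves every outstanding token undecryptable. The KDF, the toy encrypt-then-MAC cipher and the method names are assumptions standing in for Apple's unpublished scheme.

```python
import hashlib
import hmac
import secrets


def derive_token_key(uid: bytes, keybag_uuid: bytes, counter: int) -> bytes:
    # Assumed two-step HMAC KDF over the three inputs the page names.
    prk = hmac.new(uid, keybag_uuid + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return hmac.new(prk, b"one-time-unlock-token", hashlib.sha256).digest()


def seal(key: bytes, payload: bytes) -> bytes:
    # Toy encrypt-then-MAC (stand-in for a real AEAD); payload up to 32 bytes.
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(key + nonce).digest()
    ct = bytes(p ^ s for p, s in zip(payload, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # key mismatch: counter, UUID or UID differs from issue time
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class SecureEnclaveModel:
    """Pre-A9 behaviour: a monotonic counter is one input to the token key."""

    def __init__(self):
        self.uid = secrets.token_bytes(32)  # constructed per-device UID
        self.counter = 0

    def issue_token(self, keybag_uuid: bytes, keybag_secret: bytes) -> bytes:
        # Created after the user enters the passcode when starting the update.
        return seal(derive_token_key(self.uid, keybag_uuid, self.counter), keybag_secret)

    def redeem_token(self, keybag_uuid: bytes, token: bytes):
        # Unlocks the keybag after the update; use increments the counter, so no replay.
        secret = unseal(derive_token_key(self.uid, keybag_uuid, self.counter), token)
        self.counter += 1
        return secret

    def invalidate(self):
        # First unlock after a restart, cancelled update, or expired policy timer.
        self.counter += 1
```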
Unattended software updates occur when the system detects an update is available and:
- Automatic updates are configured in iOS 12 (or later)
- The user chooses “Install Later” when notified of the update
After the user enters their passcode, a one-time Unlock Token is generated and can remain valid in the Secure Enclave for up to 8 hours. If the update hasn’t yet occurred, this one-time Unlock Token is destroyed on every lock and recreated on every subsequent unlock. Each unlock restarts the 8-hour window. After 8 hours, a policy timer invalidates the one-time Unlock Token.