Glossary

Secure Enclave (SEP)

A separate ARM core on every modern Apple device, running its own OS, holding cryptographic keys the main CPU never sees.

The Secure Enclave — SEP for "Secure Enclave Processor" — is a separate ARM core on every Apple device shipped since the iPhone 5s (and every Mac since the T2 / Apple Silicon transition). It has its own RAM, runs its own OS (a stripped-down L4-family microkernel called SEPOS), and is the root of trust for every key on the device.

What lives in SEP:

  • The device UID — a 256-bit AES key fused into the chip at manufacture. Every other device key is derived from it.
  • Keychain items marked biometry-protected (Touch ID / Face ID-gated secrets).
  • The FileVault disk-encryption key (wrapped by user-password derivation).
  • The keys backing Apple Pay tokens.
  • Attestation keys for App Attest and DeviceCheck.

The main CPU talks to SEP over a dedicated mailbox interface. Requests are bounded — "decrypt this", "sign this challenge", "unwrap the FileVault key after the user types their password". The SEP enforces every policy and never returns the raw key material; everything happens inside the SEP and only the output crosses the boundary.

This is why a kernel exploit on the main CPU doesn't automatically compromise FileVault: the disk key never lives in main-CPU-addressable memory. The SEP unwraps it and holds it in dedicated hardware-isolated SRAM.
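As an added example (not code from this glossary page or from Apple), the following Swift snippet shows what the bounded-request model above looks like from an app's side of the mailbox, using the Security framework's SecKey API: a P-256 private key is generated inside the SEP, gated on the current biometric set, used to sign a challenge, and then shown to be non-exportable. The key tag and the challenge string are made-up placeholders.

```swift
import Foundation
import Security

// Added example, not the page's own code. Tag and message are illustrative values.
enum SEPKeyError: Error {
    case accessControl(CFError?)
    case keyGeneration(CFError?)
    case signing(CFError?)
}

let keyTag = Data("com.example.glossary.sep-demo".utf8)  // assumed application tag

func makeSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    // Policy the SEP enforces on every use of the private key:
    //  - usable only while the device is unlocked, and never migrated to another device
    //  - .privateKeyUsage is required for keys created in the Secure Enclave
    //  - .biometryCurrentSet: Face ID / Touch ID must succeed, and enrolling a new
    //    finger or face invalidates the key
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error) else {
        throw SEPKeyError.accessControl(error?.takeRetainedValue())
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, // the SEP supports P-256 EC keys
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,    // generate inside the SEP
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,       // keep a keychain reference to it
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw SEPKeyError.keyGeneration(error?.takeRetainedValue())
    }
    return key
}

func signAndVerify(with privateKey: SecKey, message: Data) throws -> Bool {
    var error: Unmanaged<CFError>?
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256

    // The request that crosses the mailbox is "sign this"; hashing and signing happen
    // inside the SEP and only the signature comes back. The biometric prompt fires here.
    guard let signature = SecKeyCreateSignature(privateKey, algorithm,
                                                message as CFData, &error) else {
        throw SEPKeyError.signing(error?.takeRetainedValue())
    }

    // The public half is ordinary key material and can be verified on the main CPU
    // or handed to a server.
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return false }
    return SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature, &error)
}

// Probe the boundary: asking for the raw bytes of a SEP-resident private key fails,
// because the key never exists in main-CPU-addressable memory.
func privateKeyIsExportable(_ key: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    return SecKeyCopyExternalRepresentation(key, &error) != nil
}

do {
    let key = try makeSecureEnclaveKey()
    let verified = try signAndVerify(with: key, message: Data("challenge-from-server".utf8))
    print("signature verified: \(verified)")
    print("private key exportable: \(privateKeyIsExportable(key))")
} catch {
    print("Secure Enclave operation failed: \(error)")
}
```

This only runs as a code-signed app on SEP-equipped hardware; the simulator has no Secure Enclave and key generation fails there. The export probe is the practical check that a key really is SEP-backed: for a software key `SecKeyCopyExternalRepresentation` returns the private scalar, for a SEP key it returns nil.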

See also: code signing, SIP, the security architecture article.