What is a Secure Enclave?#
A Secure Enclave is an Apple-specific hardware-based key manager integrated into
certain processors, designed to provide advanced security by isolating cryptographic
operations from the main processor. It is particularly crucial for enhancing the security
of sensitive operations such as those involving passkeys and WebAuthn.
The Secure Enclave ensures that:
- Encryption Keys are Managed Securely: Keys used for encrypting passkeys remain
within the Secure Enclave, making unauthorized access exceedingly difficult.
- Operations are Isolated: All cryptographic operations are performed within the
enclave, ensuring that the plain-text keys are never exposed to the rest of the system.
- Enhanced Integrity for Authentication: By handling operations internally, the Secure
Enclave offers a trustworthy platform for authentication processes, bolstering WebAuthn
protocols.
Key Takeaways#
- The Secure Enclave is a fortified component within certain processors that
securely manages cryptographic keys and operations.
- It supports passkeys and WebAuthn by ensuring cryptographic keys are never exposed
outside the secure hardware environment.
- The enclave is resistant to both physical and digital tampering, providing an added
layer of security for sensitive data like biometric information.
- Compatibility is hardware-dependent, with support limited to certain iOS devices and
Macs with a T1 or later chip.
Understanding the Secure Enclave in Depth#
- Supported Operations: It is restricted to NIST P-256 elliptic
curve keys and can only be used for cryptographic signatures, key exchange, and by
extension, symmetric encryption.
- Key Generation: Keys must be generated within the Secure Enclave itself, as it does
not allow for the import or export of plain-text private key data.
- Integration with System Security: The enclave works in tandem with system security
measures like Touch ID or Face ID, managing the cryptographic operations behind user
authentication.
- Differentiation from Keychain: Unlike Keychain which is software-based and syncs
across devices, the Secure Enclave is a hardware feature that stores data on the device
itself.
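As an added illustration (not code from the original page or from Corbado), the Swift below shows the constraints listed above in practice on an Apple device with a Secure Enclave: the key type must be P-256, the private key is generated inside the enclave and is never handed out, signing is gated by Touch ID / Face ID, and only the public key can be exported. The application tag and the challenge string are constructed for this example.

```swift
import Foundation
import Security

// Constructed tag for this example; any app-unique string works.
let keyTag = Data("com.example.secure-enclave-demo".utf8)
// Generate a P-256 key pair whose private half exists only inside the Secure Enclave.
// The access control ties private-key use to the current biometric enrollment, so
// signing prompts Touch ID / Face ID and fails if the enrolled biometrics change.
func makeSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet], &error)
    else { throw error!.takeRetainedValue() as Error }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, // only P-256 is accepted
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,    // enclave-resident key
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error)
    else { throw error!.takeRetainedValue() as Error }
    return key
}
// Sign inside the enclave; the private scalar is never handed to the caller.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error)
    else { throw error!.takeRetainedValue() as Error }
    return sig as Data
}

let privateKey = try makeSecureEnclaveKey()
let publicKey = SecKeyCopyPublicKey(privateKey)!
let message = Data("constructed-challenge-from-relying-party".utf8)
let signature = try sign(message, with: privateKey)
// Verification needs only the public key: this is the relying party's side of WebAuthn.
var err: Unmanaged<CFError>?
let valid = SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                  message as CFData, signature as CFData, &err)
// Only the public half can be exported; the same call on the private key yields nil.
let pubExport = SecKeyCopyExternalRepresentation(publicKey, &err) as Data?
let privExport = SecKeyCopyExternalRepresentation(privateKey, &err) as Data?
print("valid:", valid, "public exportable:", pubExport != nil, "private exportable:", privExport != nil)
```

Run this inside an app on real Apple hardware with a Secure Enclave; the biometric flag means each signature prompts for Touch ID or Face ID, and requesting any key type other than `kSecAttrKeyTypeECSECPrimeRandom` with the Secure Enclave token ID makes `SecKeyCreateRandomKey` return nil with an error.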
Security Advantages#
- Tamper Resistance: Implements countermeasures against tampering, sometimes
destroying data to prevent unauthorized access.
- Encryption: Encrypts sensitive information like biometric data, making it unreadable
even in case of a breach.
- Limited Attack Surface: Due to its isolation, the Secure Enclave is less susceptible
to privilege escalation attacks.
- Relation to Other Security Measures: While it's a robust security tool, the Secure
Enclave complements but does not replace traditional security measures such as passwords
and multi-factor authentication.
Secure Enclave FAQs#
Does Android have Secure Enclave?#
Android devices do not have the Secure Enclave as
it is specific to Apple's hardware architecture. However, they have a comparable feature
known as the Trusted Execution Environment (TEE), which serves a similar purpose by
providing a secure area to handle sensitive data and cryptographic operations.
Are secure enclaves present in all modern operating systems?#
Secure enclaves are specific to Apple's iOS and macOS systems. Other operating systems
like Windows and Linux utilize a similar hardware-based security feature called the
Trusted Platform Module (TPM).
Secure Enclave vs. TPM? What's the difference?#
- The Secure Enclave is a hardware feature specific to Apple devices that is designed to
handle cryptographic keys and protect sensitive data like biometrics. It's integrated
into the processor and offers a highly secure environment by isolating itself from the
main processor.
- The Trusted Platform Module (TPM), on the other hand, is a standard implemented by
various manufacturers and used across different operating systems, including Windows and
Linux. TPMs are separate modules or chips that can handle cryptographic operations and
secure hardware functions like secure boot and device authentication.
- Both provide hardware-based security but are implemented differently and have different
integration levels with the device's operating system and processor.
How does the Secure Enclave contribute to the security of passkeys and WebAuthn?#
The Secure Enclave provides a secure area for cryptographic operations related to passkeys
and WebAuthn, ensuring private keys are generated and stored away from the main processor,
which minimizes the risk of exposure to attackers.
Can the Secure Enclave be used with any type of cryptographic key?#
No, the Secure Enclave is designed to work only with NIST P-256
elliptic curve keys, which are used for creating and verifying cryptographic signatures
and key exchanges.
How does the Secure Enclave differ from Apple's Keychain?#
The Secure Enclave is a hardware-based security feature that manages encryption keys and
processes sensitive information. In contrast, Apple's Keychain is a software-based system
for storing encrypted data, such as passwords and notes, which can be synced across
devices.