


iPhones and Macs with Touch ID or Face ID use a separate coprocessor to handle your biometric information. It's called the Secure Enclave, it's essentially a small computer unto itself, and it offers a variety of security features.


The Secure Enclave boots separately from the rest of your device. It runs its own microkernel, which is not directly accessible by your operating system or any programs running on your device. There's 4MB of flash storage, used exclusively to hold 256-bit elliptic curve (P-256) private keys, the only key type the Secure Enclave supports. These keys are unique to your device, are never synced to the cloud, and are never even seen by your device's primary operating system. Instead, the system asks the Secure Enclave to decrypt or sign information using the keys, and gets back only the result.


Why Does the Secure Enclave Exist?

The Secure Enclave makes it very difficult for an attacker to decrypt sensitive information, whether or not they have physical access to your device. Because the Secure Enclave is a separate system, and because the primary operating system never actually sees the decryption keys, even a compromise of that operating system does not hand over the keys, and decrypting your data without proper authorization is incredibly difficult.


It's worth noting that your biometric information itself is not stored in the Secure Enclave; 4MB isn't enough storage space for that data. Instead, the biometric data is stored elsewhere on the device in encrypted form, and the Enclave holds the encryption keys used to lock it down.


Third-party apps can also create and store keys in the enclave to lock down their own data, but the apps never have access to the keys themselves. Instead, apps ask the Secure Enclave to encrypt, decrypt, or sign data and receive only the output; an app can additionally require Touch ID or Face ID before the enclave will use a given key. This means any information encrypted using the Enclave is incredibly difficult to decrypt on any other device.


To quote Apple’s documentation for developers:


When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.


It's also worth noting that the Secure Enclave cannot import keys from other devices, or any outside key material at all: it's designed exclusively to create and use keys locally. This makes it very difficult to decrypt information on any device but the one on which the key was created.

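The following is an added example, not code from the article or from Apple; it shows the round trip the preceding paragraphs describe using Apple's CryptoKit API: the enclave generates a P-256 key, the app keeps only an opaque handle, every private-key operation is a request to the enclave, and there is no initializer that accepts outside key material. It must run on a Mac or iPhone that actually has a Secure Enclave (macOS 10.15 / iOS 13 or later). The function names, the error type, and the HKDF info string "sep-demo" are illustrative choices made here, not anything defined by Apple.

```swift
import Foundation
import CryptoKit
import LocalAuthentication

// Added example, not from the article or Apple's documentation.
// Function names, the error enum and the HKDF info string are assumptions.

enum EnclaveDemoError: Error { case enclaveUnavailable, badSignature }

/// Access policy for an enclave key: usable only while the device is unlocked,
/// never migratable to another device, and gated on Touch ID / Face ID.
/// `.biometryCurrentSet` makes the key unusable if a new finger or face is enrolled.
func biometricAccessControl() throws -> SecAccessControl {
    var err: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &err
    ) else {
        throw err!.takeRetainedValue() as Error
    }
    return acl
}

/// Ask the enclave to generate a signing key and return the opaque handle the
/// app is allowed to keep. There is no initializer that imports a raw private
/// key: the only way to obtain an enclave key is to have the enclave make one.
func makeEnclaveSigningKey() throws -> Data {
    guard SecureEnclave.isAvailable else { throw EnclaveDemoError.enclaveUnavailable }
    let acl = try biometricAccessControl()
    let key = try SecureEnclave.P256.Signing.PrivateKey(
        accessControl: acl,
        authenticationContext: LAContext()
    )
    // dataRepresentation is ciphertext wrapped to this device's enclave, not the
    // private scalar. Store it in the keychain or on disk; it is useless elsewhere.
    return key.dataRepresentation
}

/// Rehydrate the handle and have the enclave sign. Because of the access
/// control set at creation, this call triggers a Touch ID / Face ID prompt.
func signWithEnclave(handle: Data, message: Data) throws -> (signature: Data, publicKey: Data) {
    let key = try SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: handle)
    let sig = try key.signature(for: message)            // private-key op runs in the enclave
    guard key.publicKey.isValidSignature(sig, for: message) else {
        throw EnclaveDemoError.badSignature
    }
    // The public half is freely exportable and verifiable on any machine.
    return (sig.derRepresentation, key.publicKey.x963Representation)
}

/// "Encrypting with the enclave" is ECDH plus AES-GCM: anyone holding the
/// public half can seal data to this device, but opening it requires the
/// enclave to perform the key agreement with its private scalar.
func sealForThisDevice(_ plaintext: Data,
                       deviceKey: SecureEnclave.P256.KeyAgreement.PrivateKey) throws -> (box: Data, ephemeralPublic: Data) {
    let ephemeral = P256.KeyAgreement.PrivateKey()       // ordinary software key, discarded after use
    let shared = try ephemeral.sharedSecretFromKeyAgreement(with: deviceKey.publicKey)
    let aesKey = shared.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(),
                                                sharedInfo: Data("sep-demo".utf8), outputByteCount: 32)
    let sealed = try AES.GCM.seal(plaintext, using: aesKey)
    return (sealed.combined!, ephemeral.publicKey.x963Representation)   // combined = nonce || ciphertext || tag
}

func openOnThisDevice(box: Data, ephemeralPublic: Data,
                      deviceKey: SecureEnclave.P256.KeyAgreement.PrivateKey) throws -> Data {
    let peer = try P256.KeyAgreement.PublicKey(x963Representation: ephemeralPublic)
    let shared = try deviceKey.sharedSecretFromKeyAgreement(with: peer)   // scalar multiplication happens inside the enclave
    let aesKey = shared.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(),
                                                sharedInfo: Data("sep-demo".utf8), outputByteCount: 32)
    return try AES.GCM.open(AES.GCM.SealedBox(combined: box), using: aesKey)
}

// Usage (on a device with a Secure Enclave):
// let handle = try makeEnclaveSigningKey()
// let (sig, pub) = try signWithEnclave(handle: handle, message: Data("hello".utf8))
// let kaKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(accessControl: try biometricAccessControl())
// let (box, eph) = try sealForThisDevice(Data("secret".utf8), deviceKey: kaKey)
// let plain = try openOnThisDevice(box: box, ephemeralPublic: eph, deviceKey: kaKey)
```

Two things to check against the prose above: copying the handle returned by makeEnclaveSigningKey to another device and calling the dataRepresentation initializer there fails, because the blob is wrapped to the originating enclave; and the only way to turn an existing private key into an enclave key is to discard it and generate a fresh one, which is the import restriction the article describes.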

Wait, Wasn't the Secure Enclave Hacked?

The Secure Enclave is an elaborate setup that makes life very difficult for attackers. But there's no such thing as perfect security, and it's reasonable to assume someone will compromise all of this eventually.


In the summer of 2017, hackers revealed that they'd managed to decrypt the firmware of the Secure Enclave, giving them (and anyone who obtains it) the ability to study how the enclave works and hunt for bugs in it. Apple would surely have preferred this leak hadn't happened, but it's worth noting that hackers have not found a way to retrieve the encryption keys stored in the enclave: they've only decrypted the firmware itself. Readable firmware makes bug-hunting easier; it does not by itself expose any key.


Clean Out the Enclave Before Selling Your Mac

Keys in the Secure Enclave on your iPhone are wiped when you perform a factory reset (Erase All Content and Settings). In theory they should also be cleared when you reinstall macOS, but Apple recommends that you explicitly clear the Secure Enclave (and Touch Bar) data on your Mac before selling or giving it away if you erased it with anything other than the official macOS installer. Apple's instructions for doing so are to start up in macOS Recovery, open Terminal from the Utilities menu, run xartutil --erase-all, and confirm with yes.








