Secure Enclave Key Storage (iOS) for Crypto Wallet

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

Complex
~3-5 business days

Secure Key Storage in Secure Enclave (iOS) for Crypto Wallet

The Secure Enclave (SE) is a separate processor inside the Apple SoC, isolated from the main CPU and RAM. A private key generated in the Secure Enclave physically never leaves the chip; even your own code has no direct access to it. The signing operation happens inside the SE, and only the result comes back out.

Limitations to Know Before Starting

The Secure Enclave supports only P-256 (secp256r1, also known as NIST P-256). This is not secp256k1, the curve used by Bitcoin and Ethereum, so the SE is unsuitable for storing ETH/BTC private keys directly. The typical approach for a crypto wallet is to keep in the SE an encryption key that encrypts the secp256k1 private key stored in the Keychain, or to use the SE for biometric protection of a Keychain entry via SecAccessControlCreateWithFlags.

If the app works with a blockchain that uses P-256 (some enterprise chains; note that NEAR uses ed25519, not P-256, so do not confuse the two), the SE can store the key and sign with it directly.

Creating Key in Secure Enclave

import Foundation
import Security

func createSigningKey() throws -> SecKey {
    var error: Unmanaged<CFError>?

    // Usable only while the device is unlocked, never migrates to another
    // device, and is bound to the biometric set enrolled right now.
    guard let accessControl = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error
    ) else {
        throw error!.takeRetainedValue()
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String:        kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String:  256,
        kSecAttrTokenID as String:        kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String:     true,
            // The application tag (Data) is the identifier you later search by;
            // kSecAttrApplicationLabel is the public-key hash the system sets itself.
            kSecAttrApplicationTag as String:  "wallet-signing-key-v1".data(using: .utf8)!,
            kSecAttrAccessControl as String:   accessControl
        ]
    ]

    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return privateKey
}

kSecAttrTokenIDSecureEnclave tells the system to create the key inside the SE. biometryCurrentSet invalidates the key if the enrolled biometry changes (a new fingerprint is added or Face ID is re-enrolled). For a wallet this is the correct behavior: it requires explicit re-authentication.

Signing Data via SE Key

import Foundation
import Security

enum WalletError: Error {
    case algorithmNotSupported
    case selfCheckFailed
}

// `privateKey` is the Secure Enclave key created above. With the
// ...MessageX962SHA256 algorithm the raw message is passed in and
// SHA-256 is applied for you; do not pre-hash it.
func sign(_ dataToSign: Data, with privateKey: SecKey) throws -> Data {
    let publicKey = SecKeyCopyPublicKey(privateKey)!
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256

    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw WalletError.algorithmNotSupported
    }

    var signError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        privateKey,
        algorithm,
        dataToSign as CFData,
        &signError
    ) else {
        throw signError!.takeRetainedValue()
    }

    // Cheap self-check with the exported public key before the signature
    // leaves the device; the result is a DER-encoded (X9.62) ECDSA signature.
    guard SecKeyVerifySignature(publicKey, algorithm, dataToSign as CFData, signature, nil) else {
        throw WalletError.selfCheckFailed
    }
    return signature as Data
}

Signing should be asynchronous from the UI's perspective: while the SE processes the request (and, if biometry is required, the user authenticates), the main thread must not block. Run the entire call inside a Task or on a background dispatch queue.

Scheme for ETH/BTC Wallets

Since the SE does not work with secp256k1 directly, use the following scheme:

  1. Generate a P-256 key in the SE; this is the "encryption key"
  2. Generate the secp256k1 private key in memory
  3. Encrypt the secp256k1 key via ECIES with the SE public key: SecKeyCreateEncryptedData with the algorithm eciesEncryptionStandardX963SHA256AESGCM
  4. Save the encrypted blob in the Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly
  5. On transaction signing: decrypt via the SE (requires biometry), use the secp256k1 key for signing, then immediately zero it in memory

This is more complex than plain Keychain storage, but the key never lives on disk in plaintext.
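As an added example (not code from the original page), here is how steps 2 to 5 fit together in Swift: the secp256k1 key is wrapped with the SE public key via ECIES, the ciphertext goes into the Keychain, and it is unwrapped only inside a closure that zeroes it afterwards. It assumes `seKey` is the Secure Enclave key from the creation code above, that the secp256k1 key comes from whatever wallet library the app uses, and the Keychain account name is an assumption.

```swift
import Foundation
import Security

enum WrapError: Error { case noPublicKey, keychain(OSStatus) }

let wrapAlgorithm: SecKeyAlgorithm = .eciesEncryptionStandardX963SHA256AESGCM
let wrappedKeyAccount = "wallet-secp256k1-wrapped" // assumed Keychain account name

private func keychainQuery() -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrAccount as String: wrappedKeyAccount]
}

// Steps 3 and 4: encrypt with the SE *public* key and store the ciphertext.
// Encryption never touches the SE private key, so no biometry prompt here.
func wrapAndStore(secp256k1Key: Data, seKey: SecKey) throws {
    guard let pub = SecKeyCopyPublicKey(seKey) else { throw WrapError.noPublicKey }
    var err: Unmanaged<CFError>?
    guard let blob = SecKeyCreateEncryptedData(pub, wrapAlgorithm, secp256k1Key as CFData, &err) else {
        throw err!.takeRetainedValue()
    }
    var item = keychainQuery()
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    item[kSecValueData as String] = blob as Data
    _ = SecItemDelete(keychainQuery() as CFDictionary)    // replace any previous blob
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw WrapError.keychain(status) }
}

// Step 5: decrypt with the SE private key (this is where Face ID / Touch ID
// fires), hand the plaintext to `body` (the secp256k1 signer), then zero it.
func withUnwrappedKey<T>(seKey: SecKey, _ body: (Data) throws -> T) throws -> T {
    var query = keychainQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var ref: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &ref)
    guard status == errSecSuccess, let blob = ref as? Data else { throw WrapError.keychain(status) }
    var err: Unmanaged<CFError>?
    guard let cf = SecKeyCreateDecryptedData(seKey, wrapAlgorithm, blob as CFData, &err) else {
        throw err!.takeRetainedValue()   // biometry cancelled or SE key invalidated
    }
    var plain = Data(cf as Data)         // own a mutable copy we can zero
    defer { plain.resetBytes(in: 0..<plain.count) }
    return try body(plain)
}
```

Any copy of the plaintext that the signing library makes inside `body` is outside this function's control, so keep `body` to the single signing call.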

Process

Requirements audit (direct P-256 or the encryption scheme for secp256k1), implementation, and testing on real hardware, since the simulator is unsupported. Separately test the behavior on biometry change, and on app deletion and reinstall.

Timeline: 3–5 days. The simulator is sufficient for most of the development, but final testing happens only on a device.