简体繁体 English

启用iOS On-Disk加密

[英]Enable iOS On-Disk Encryption

原文 2013-02-28 15:26:18 4 2 iphone/ cocoa/ encryption/ ios6/ data-protection

For my iOS 6+-only app, I would like to enable the On-Disk Encryption offered from iOS. 对于我的iOS 6 + -only应用程序，我想启用iOS提供的On-Disk Encryption。

I read this guide and I saw the "Protecting the User's Data" video of the WWDC 2012 (Session 714). 我阅读了本指南，并看到了WWDC 2012的“保护用户数据”视频（会话714）。 However, I could not make it work. 但是，我无法使其发挥作用。

Here are the steps I followed: 以下是我遵循的步骤：

1- In the iOS Dev Center , I created a new App ID with: 1-在iOS开发人员中心，我创建了一个新的App ID：

启用数据保护

2- In Xcode, I added an Entitlements file with the key: 2-在Xcode中，我添加了一个带有密钥的Entitlements文件：

Xcode权利

3- On the device, I activated a passcode lock. 3-在设备上，我激活了密码锁。

If I'm not wrong, this should be all. 如果我没错，那应该就是全部。 I now expect that while the device (in my case: an iPhone 5) is locked, protected files are inaccessible. 我现在期望在设备（在我的情况下：iPhone 5）被锁定时，受保护的文件无法访问。 But... if I use iExplorer , I can easily access the files created by my app, even when the device is locked. 但是......如果我使用iExplorer ，即使设备被锁定，我也可以轻松访问我的应用创建的文件。 But this is exactly what I want to avoid. 但这正是我想要避免的。 Did I forgot something? 我忘记了什么吗？

2 个解决方案

The reason you can access files without unlocking your device is that an escrow keybag has been created. 您可以在不解锁设备的情况下访问文件的原因是已创建了托管密钥包。 This is explained in Apple's iOS Security Guide (pdf) : Apple的iOS安全指南（pdf）中对此进行了解释：

Escrow keybag is used for iTunes syncing and Mobile Device Management (MDM). 托管密钥包用于iTunes同步和移动设备管理（MDM）。 This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM server to remotely clear a user's passcode. 这个密钥包允许iTunes备份和同步，而无需用户输入密码，它允许MDM服务器远程清除用户的密码。 It is stored on the computer that's used to sync with iTunes, or on the MDM server that manages the device. 它存储在用于与iTunes同步的计算机上，或存储在管理设备的MDM服务器上。

The Escrow keybag improves the user experience during device synchronization, which potentially requires access to all classes of data. Escrow密钥包可改善设备同步期间的用户体验，这可能需要访问所有类别的数据。 When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. 当密码锁定设备首次连接到iTunes时，将提示用户输入密码。 The device then creates an Escrow keybag and passes it to the host. 然后，设备会创建一个Escrow密钥包并将其传递给主机。 The Escrow keybag contains exactly the same class keys used on the device, protected by a newly generated key. 托管密钥包包含与设备上使用的完全相同的密钥，受新生成密钥的保护。 This key is needed to unlock the Escrow keybag, and is stored on the device in the Protected Until First User Authentication class. 解锁托管密钥包需要此密钥，并在“受保护的直到第一个用户身份验证”类中存储在设备上。 This is why the device passcode must be entered before backing up with iTunes for the first time after a reboot. 这就是在重启后第一次使用iTunes备份之前必须输入设备密码的原因。

If you reboot your phone, you will not be able to access files without unlocking it once. 如果重新启动手机，则无法在未解锁文件的情况下访问文件。

If you want that files to be available only when device is unlocked(+about 10 seconds of grace period), set file protection to NSFileProtectionComplete. 如果您希望仅在设备解锁时（+约10秒的宽限期）才能使用该文件，请将文件保护设置为NSFileProtectionComplete。 Be sure to implement delegate methods to know when data will become [un]available. 确保实现委托方法以了解数据何时变为[un]可用。