# Storage security

Source: [https://docs.qualcomm.com/doc/80-70014-11/topic/secure-file-system.html](https://docs.qualcomm.com/doc/80-70014-11/topic/secure-file-system.html)

The secure file system (SFS) is used to store sensitive data, such as keys and biometric data.

## SFS

SFS provides confidentiality, integrity, and anti-rollback support to trusted applications (TAs) and securely stores sensitive data. Any file created or stored under SFS is covered by anti-rollback protection. The SFS feature:

- Uses an encryption key for each TA to ensure the confidentiality of the files.
- Uses an HMAC key for each TA to verify the integrity of the files.

Both the encryption and HMAC keys are derived using a device-unique key, which depends on the secure boot state of the device. The SFS anti-rollback protection is enabled by default.

When devices have secure boot enabled, SFS uses unique hardware keys for file data encryption and decryption to ensure they are secure from each other.

For information on enabling secure boot, see [Enable secure boot](https://docs.qualcomm.com/doc/80-70014-11/topic/enable-secure-boot.html).

## RPMB

RPMB (replay protected memory block) is a physical partition on the UFS/eMMC flash. This partition is used to store sensitive information and is only accessible from Qualcomm TEE.

To read from and write to the RPMB partition, RPMB key provisioning is required. This is a one-time process: once completed, the provisioned key cannot be overwritten or erased.

To provision and enable RPMB, see [RPMB-based SFS antirollback protection](https://docs.qualcomm.com/doc/80-70014-11/topic/configure.html#configure__section_hcf_rmm_q1c).

Every access to the RPMB is authenticated, allowing the host to store data in an authenticated and replay-protected manner.
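
The one-time key provisioning and the authenticated, replay-protected writes described above can be illustrated with a simplified model. This is an added example, not Qualcomm code: the order of the MAC-covered fields follows the JEDEC eMMC RPMB data frame, while the class and function names, the result strings, and the sample key and data are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WRITE_REQ = 0x0003  # authenticated data write request type


def build_write_frame(key, data, counter, address):
    """Host side: the 284 MAC-covered bytes of a one-block write, plus the MAC."""
    body = (data.ljust(256, b"\0") + bytes(16)  # data, nonce (unused on writes)
            + struct.pack(">IHHHH", counter, address, 1, 0, WRITE_REQ))
    return body, hmac.new(key, body, hashlib.sha256).digest()


class RpmbModel:
    """Device side: write-once key, monotonic write counter (model only)."""

    def __init__(self):
        self.key, self.counter, self.blocks = None, 0, {}

    def program_key(self, key):
        if self.key is not None:  # provisioning is one-time
            return "KEY_ALREADY_PROGRAMMED"
        self.key = key
        return "OK"

    def write(self, body, mac):
        if self.key is None:
            return "KEY_NOT_PROGRAMMED"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "AUTH_FAILURE"
        counter, address = struct.unpack(">IH", body[272:278])
        if counter != self.counter:  # stale counter means a replayed frame
            return "COUNTER_MISMATCH"
        self.blocks[address] = body[:256]
        self.counter += 1
        return "OK"


def demo():
    key = bytes(range(32))  # constructed sample key
    dev = RpmbModel()
    first = build_write_frame(key, b"sfs-version=7", 0, 0)
    forged = build_write_frame(bytes(32), b"sfs-version=1", 1, 0)
    return [dev.program_key(key), dev.program_key(bytes(32)),
            dev.write(*first), dev.write(*first),  # second call is a replay
            dev.write(*forged),
            dev.write(*build_write_frame(key, b"sfs-version=8", 1, 0))]
```

Calling `demo()` returns one result per step: the second key programming attempt, the replayed frame, and the frame signed with the wrong key are all rejected, while writes carrying the current counter and a valid MAC succeed.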

Last Published: Aug 06, 2024