# Storage security

Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/secure-file-system.html](https://docs.qualcomm.com/doc/80-70015-11/topic/secure-file-system.html)

The secure file system (SFS) is used to store sensitive data, such as keys and biometric data.

## SFS

SFS provides confidentiality, integrity, and anti-rollback support to the trusted applications and securely stores sensitive data. Any file created or stored under SFS is covered by anti-rollback protection. The SFS feature:

- Uses an encryption key for each trusted application to ensure the confidentiality of the files.
- Uses an HMAC key for each trusted application to verify the integrity of the files.

Both the encryption and HMAC keys are derived from a device-unique key, which depends on the secure boot state of the device. The SFS anti-rollback protection is enabled by default.

When secure boot is enabled on the device, the SFS uses unique hardware keys for file data encryption and decryption, so that the files of different trusted applications are isolated from each other.

For information on enabling secure boot, see [Enable secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-secure-boot.html).

## RPMB

RPMB is a physical partition on the UFS/eMMC flash. This partition is used to store sensitive information and is only accessible from Qualcomm TEE.

To read from and write to the RPMB partition, the RPMB key must be provisioned. Provisioning is a one-time process; once completed, the key cannot be overwritten or erased.

To provision and enable RPMB, see [RPMB-based SFS anti-rollback protection](https://docs.qualcomm.com/doc/80-70015-11/topic/configure.html#configure__section_hcf_rmm_q1c).

Every access to the RPMB is authenticated, allowing the host to store data in an authenticated and replay-protected manner.
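The following Python model illustrates the three SFS properties described above (per-trusted-application keys derived from a device-unique key, integrity via HMAC, and anti-rollback backed by a monotonic counter such as the RPMB-based one). It is an added, constructed example and not Qualcomm code: the device-unique key is a constructed constant, the HMAC-SHA256 keystream stands in for the hardware cipher, and the `rollback_counter` argument stands in for the RPMB-backed counter.

```python
"""Model of SFS-style storage protection (constructed example, not Qualcomm code)."""
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the hardware device-unique key that never leaves the TEE.
DEVICE_UNIQUE_KEY = hashlib.sha256(b"constructed-device-unique-key").digest()


def derive_ta_keys(device_key: bytes, ta_id: bytes) -> tuple:
    """Derive a separate encryption key and HMAC key for one trusted application."""
    enc_key = hmac.new(device_key, b"sfs-enc|" + ta_id, hashlib.sha256).digest()
    mac_key = hmac.new(device_key, b"sfs-mac|" + ta_id, hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption using HMAC-SHA256 as a PRF (stand-in for the hardware cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def sfs_seal(ta_id: bytes, version: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a file for one trusted application, binding its version number."""
    enc_key, mac_key = derive_ta_keys(DEVICE_UNIQUE_KEY, ta_id)
    header = struct.pack(">I", version) + os.urandom(16)  # version || nonce
    ct = _keystream_xor(enc_key, header[4:], plaintext)
    tag = hmac.new(mac_key, ta_id + header + ct, hashlib.sha256).digest()
    return header + ct + tag


def sfs_open(ta_id: bytes, blob: bytes, rollback_counter: int) -> bytes:
    """Verify integrity first, then reject any version older than the counter."""
    enc_key, mac_key = derive_ta_keys(DEVICE_UNIQUE_KEY, ta_id)
    header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
    expected = hmac.new(mac_key, ta_id + header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    version = struct.unpack(">I", header[:4])[0]
    if version < rollback_counter:
        raise ValueError("rollback detected: stale file version")
    return _keystream_xor(enc_key, header[4:], ct)
```

A correctly authenticated but older copy of the file passes the HMAC check yet is rejected once the counter has advanced, which is exactly the gap the RPMB-backed counter closes.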

Last Published: Oct 14, 2024