# Storage security

The secure file system (SFS) is used to store sensitive data, such as
keys and biometric data.

## SFS

SFS provides confidentiality, integrity, and anti-rollback support to
the trusted applications and securely stores sensitive data. Any file
created or stored under SFS is covered by anti-rollback protection. The
SFS feature:

- Uses an encryption key for each trusted application to ensure the
confidentiality of the files.
- Uses an HMAC key for each trusted application to verify the integrity
of the files.

Both the encryption and HMAC keys are derived using a device unique key,
which depends on the secure boot state of the device. The SFS
anti-rollback protection is enabled by default.

When secure boot is enabled on a device, SFS uses device-unique hardware
keys for file data encryption and decryption, so that data protected on
one device remains isolated from every other device.

For information on enabling secure boot, see [Enable secure boot](https://docs.qualcomm.com/doc/80-70017-11/topic/enable-secure-boot.html#enable-secure-boot).

## RPMB

RPMB is a physical partition on the UFS/eMMC flash. This partition is
used to store sensitive information and is only accessible from Qualcomm
TEE.

To read from and write to the RPMB partition, RPMB key provision is
required. This is a one-time process that cannot be overwritten or
erased when completed.

To provision and enable RPMB, see [RPMB-based SFS anti-rollback protection](https://docs.qualcomm.com/doc/80-70017-11/topic/configure.html#section-hcf-rmm-q1c).

Every access to the RPMB is authenticated, allowing the host to store
data in an authenticated and replay-protected manner.
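Putting the SFS and RPMB descriptions above together, the following is an added Python model (not Qualcomm's code) of per-TA keys derived from a device unique key and the secure boot state, HMAC integrity over each file, and an RPMB-held version that detects rollback. The KDF shape, the HMAC-counter stream cipher standing in for the real block cipher, and the names `Sfs`, `Rpmb` and `derive_ta_keys` are assumptions for illustration.

```python
import hashlib
import hmac
import os

class SfsError(Exception):
    """Raised when a stored file fails the integrity or anti-rollback check."""

def derive_ta_keys(device_unique_key: bytes, secure_boot: bool, ta_id: str):
    """Per-TA encryption and HMAC keys, bound to the secure boot state (KDF shape is assumed)."""
    ctx = f"sfs|sb={int(secure_boot)}|ta={ta_id}".encode()
    enc_key = hmac.new(device_unique_key, b"enc|" + ctx, hashlib.sha256).digest()
    mac_key = hmac.new(device_unique_key, b"mac|" + ctx, hashlib.sha256).digest()
    return enc_key, mac_key

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode) for the real block cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _file_tag(mac_key: bytes, name: str, version: int, nonce: bytes, ct: bytes) -> bytes:  # binds name, RPMB version, nonce, ciphertext
    hdr = name.encode() + version.to_bytes(8, "big") + nonce
    return hmac.new(mac_key, hdr + ct, hashlib.sha256).digest()

class Rpmb:
    """Model of the replay-protected partition: one monotonic version per file."""
    def __init__(self):
        self.versions = {}
    def bump(self, name: str) -> int:
        self.versions[name] = self.versions.get(name, 0) + 1  # real RPMB: authenticated write
        return self.versions[name]

class Sfs:
    def __init__(self, device_unique_key: bytes, secure_boot: bool, rpmb: Rpmb):
        self.duk, self.secure_boot, self.rpmb, self.store = device_unique_key, secure_boot, rpmb, {}
    def write(self, ta_id: str, name: str, data: bytes) -> None:
        enc_key, mac_key = derive_ta_keys(self.duk, self.secure_boot, ta_id)
        nonce = os.urandom(16)
        ct = _xor_keystream(enc_key, nonce, data)
        version = self.rpmb.bump(name)  # anti-rollback: new version recorded in RPMB
        self.store[name] = (version, nonce, ct, _file_tag(mac_key, name, version, nonce, ct))
    def read(self, ta_id: str, name: str) -> bytes:
        enc_key, mac_key = derive_ta_keys(self.duk, self.secure_boot, ta_id)
        version, nonce, ct, tag = self.store[name]
        if not hmac.compare_digest(tag, _file_tag(mac_key, name, version, nonce, ct)):
            raise SfsError("integrity check failed: file tampered or wrong trusted application")
        if version != self.rpmb.versions.get(name, 0):
            raise SfsError("rollback detected: stored file is an old version")
        return _xor_keystream(enc_key, nonce, ct)
```

A file written by one trusted application fails the integrity check for any other, a modified ciphertext fails it too, and a file restored from an older copy after a later write fails the RPMB version comparison.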

Last Published: Jan 30, 2025
