# Storage security

This topic covers the secure file system (SFS), which stores sensitive data such as keys and biometric templates, and the replay protected memory block (RPMB) partition that backs its anti-rollback protection.

## SFS

SFS provides confidentiality, integrity, and anti-rollback protection for the sensitive data that trusted applications (TAs) store in it. Every file created or stored under SFS is covered by anti-rollback protection while that protection is enabled. SFS:

- Uses a separate encryption key for each trusted application to ensure the confidentiality of that application's files.
- Uses a separate HMAC key for each trusted application to verify the integrity of that application's files.

Both the encryption key and the HMAC key are derived from a device-unique key whose value depends on the secure boot state of the device. Because the derivation depends on the boot state, data sealed on a device with secure boot enabled cannot be opened with the keys that the same device derives in a different boot state. SFS anti-rollback protection is enabled by default.

When secure boot is enabled, SFS encrypts and decrypts file data with unique hardware-backed keys, so that each trusted application's files are isolated from those of every other trusted application: a TA that obtains another TA's encrypted file can neither decrypt it nor produce a valid HMAC for a modified copy.
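The following is an added example that models the three SFS properties described above (per-TA key derivation bound to the secure boot state, encrypt-then-MAC sealing, and rejection of rolled-back file versions). It is not Qualcomm's SFS implementation or API: the device key, TA identifiers, derivation labels, blob layout and the HMAC-based stand-in cipher are all constructed for illustration, and the "committed version" that a real system would keep in RPMB is passed in as a plain integer.

```python
"""Model of SFS per-TA key derivation, sealing and rollback checks.

Constructed example: key values, TA identifiers, labels and the file layout
are assumptions for illustration, not Qualcomm's SFS format or APIs.
"""
import hashlib
import hmac
import os

# Stand-in for the fused, device-unique hardware key (constructed value).
DEVICE_UNIQUE_KEY = hashlib.sha256(b"constructed device unique key").digest()

VER_LEN, NONCE_LEN, TAG_LEN = 4, 16, 32


def derive_sfs_keys(device_key: bytes, secure_boot: bool, ta_id: str) -> tuple[bytes, bytes]:
    """Derive the per-TA encryption key and HMAC key.

    The device key is first bound to the secure boot state, then expanded
    per TA and per purpose, so one TA cannot reach another TA's keys and a
    change of boot state yields different keys for the same TA.
    """
    boot_state = b"secure-boot" if secure_boot else b"non-secure-boot"
    root = hmac.new(device_key, b"SFS-root|" + boot_state, hashlib.sha256).digest()
    enc_key = hmac.new(root, b"enc|" + ta_id.encode(), hashlib.sha256).digest()
    mac_key = hmac.new(root, b"mac|" + ta_id.encode(), hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256: a stand-in for the
    # hardware cipher so the example runs with the standard library only.
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def sfs_seal(enc_key: bytes, mac_key: bytes, version: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; blob layout is version || nonce || ciphertext || HMAC."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = version.to_bytes(VER_LEN, "big") + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def sfs_open(enc_key: bytes, mac_key: bytes, blob: bytes, committed_version: int) -> bytes:
    """Verify the HMAC, then reject any version older than the trusted
    monotonic record (which the real system keeps in RPMB)."""
    if len(blob) < VER_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("SFS blob truncated")
    hdr_len = VER_LEN + NONCE_LEN
    header, ct, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SFS integrity check failed")
    version = int.from_bytes(header[:VER_LEN], "big")
    if version < committed_version:
        raise ValueError(f"rollback detected: version {version} < committed {committed_version}")
    nonce = header[VER_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _rejects(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise key isolation, tamper detection and rollback detection."""
    enc_a, mac_a = derive_sfs_keys(DEVICE_UNIQUE_KEY, True, "ta_biometrics")
    enc_b, mac_b = derive_sfs_keys(DEVICE_UNIQUE_KEY, True, "ta_payments")
    enc_ns, _ = derive_sfs_keys(DEVICE_UNIQUE_KEY, False, "ta_biometrics")
    r = {"keys_differ_per_ta": enc_a != enc_b,
         "keys_differ_per_boot_state": enc_a != enc_ns}

    v1 = sfs_seal(enc_a, mac_a, 1, b"template-v1")   # old version of the file
    v2 = sfs_seal(enc_a, mac_a, 2, b"template-v2")   # current version, committed = 2
    r["owner_reads"] = sfs_open(enc_a, mac_a, v2, 2) == b"template-v2"
    # Another TA's HMAC key differs, so the tag check fails before any decryption.
    r["cross_ta_blocked"] = _rejects(lambda: sfs_open(enc_b, mac_b, v2, 0))
    # A single flipped ciphertext byte is caught by the HMAC.
    tampered = bytearray(v2)
    tampered[VER_LEN + NONCE_LEN] ^= 0x01
    r["tamper_detected"] = _rejects(lambda: sfs_open(enc_a, mac_a, bytes(tampered), 2))
    # The old file carries a valid HMAC, so only the version check stops the rollback.
    r["rollback_rejected"] = _rejects(lambda: sfs_open(enc_a, mac_a, v1, 2))
    return r
```

The rollback case is the one that integrity alone does not cover: `v1` is a genuine, correctly authenticated file, and only the comparison against a trusted monotonic record distinguishes it from the current one. That record must itself be tamper- and replay-resistant, which is why SFS anti-rollback protection is backed by RPMB.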

## RPMB

RPMB (replay protected memory block) is a physical partition on the UFS/eMMC flash. This partition is used to store sensitive information and is only accessible from Qualcomm TEE.

To read from and write to the RPMB partition, the RPMB authentication key must first be provisioned. Provisioning is a one-time process: once the key has been programmed, it can't be overwritten or erased, so a device that is provisioned with the wrong key, or whose key is lost, can't be re-provisioned.

Every RPMB access is authenticated with an HMAC computed under the provisioned key. Writes carry a monotonically increasing write counter and reads carry a host-supplied nonce, so a captured write can't be replayed and a stale read response can't be substituted for a fresh one. This lets the host store data in an authenticated and replay-protected manner.
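The following is an added example that models the RPMB access described above: one-time key programming, an HMAC-SHA256 over each request, a monotonic write counter that defeats replayed writes, and a host nonce that defeats stale read responses. It is not Qualcomm or JEDEC code: the frame is reduced to the fields the MAC covers, the key value is constructed, and the device is a Python object rather than the flash controller.

```python
"""Model of RPMB authenticated, replay-protected access.

Added example: keeps the essential RPMB mechanisms (one-time key,
HMAC-SHA256 over the request, monotonic write counter, host nonce on reads)
with a simplified frame layout. Key value and data are constructed.
"""
import hashlib
import hmac
import os

BLOCK_SIZE = 256          # size of one RPMB data block
NONCE_LEN = 16
REQ_WRITE, REQ_READ = 0x0003, 0x0004   # JEDEC request types for authenticated write / read


def _mac(key: bytes, data: bytes, nonce: bytes, counter: int, addr: int, req: int) -> bytes:
    """HMAC-SHA256 over the authenticated fields of a frame."""
    msg = data + nonce + counter.to_bytes(4, "big") + addr.to_bytes(2, "big") + req.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class RpmbDevice:
    """Flash side: holds the programmed key, the write counter and the blocks."""

    def __init__(self) -> None:
        self.key = None
        self.write_counter = 0
        self.blocks: dict[int, bytes] = {}

    def program_key(self, key: bytes) -> str:
        if self.key is not None:
            return "key already programmed"   # one-time: cannot be overwritten or erased
        self.key = key
        return "ok"

    def read_counter(self) -> int:
        return self.write_counter

    def write(self, addr: int, data: bytes, counter: int, mac: bytes) -> str:
        if self.key is None:
            return "no key"
        if counter != self.write_counter:          # replayed or stale frame
            return "counter mismatch"
        if not hmac.compare_digest(mac, _mac(self.key, data, bytes(NONCE_LEN), counter, addr, REQ_WRITE)):
            return "auth failure"
        self.blocks[addr] = data
        self.write_counter += 1                    # advances only on an accepted write
        return "ok"

    def read(self, addr: int, nonce: bytes) -> tuple[bytes, bytes]:
        if self.key is None:
            raise PermissionError("RPMB key not programmed")
        data = self.blocks.get(addr, bytes(BLOCK_SIZE))
        return data, _mac(self.key, data, nonce, 0, addr, REQ_READ)


def host_write(dev: RpmbDevice, key: bytes, addr: int, payload: bytes) -> tuple[str, tuple]:
    """Host side of an authenticated write; returns status and the frame sent."""
    data = payload.ljust(BLOCK_SIZE, b"\0")
    counter = dev.read_counter()
    frame = (addr, data, counter, _mac(key, data, bytes(NONCE_LEN), counter, addr, REQ_WRITE))
    return dev.write(*frame), frame


def host_read(dev: RpmbDevice, key: bytes, addr: int) -> bytes:
    """Host side of an authenticated read; the fresh nonce binds the response."""
    nonce = os.urandom(NONCE_LEN)
    data, mac = dev.read(addr, nonce)
    if not hmac.compare_digest(mac, _mac(key, data, nonce, 0, addr, REQ_READ)):
        raise ValueError("RPMB read response failed authentication")
    return data.rstrip(b"\0")


def demo() -> dict:
    key = hashlib.sha256(b"constructed RPMB authentication key").digest()  # constructed 32-byte key
    dev = RpmbDevice()
    r = {"provision_once": dev.program_key(key) == "ok"
         and dev.program_key(os.urandom(32)) == "key already programmed"}
    status, captured = host_write(dev, key, 0, b"counter=7")
    r["write_ok"] = status == "ok"
    r["read_ok"] = host_read(dev, key, 0) == b"counter=7"
    # The host moves the value forward; an attacker replays the captured frame.
    host_write(dev, key, 0, b"counter=8")
    r["replay_rejected"] = dev.write(*captured) == "counter mismatch"
    r["value_intact"] = host_read(dev, key, 0) == b"counter=8"
    # Without the key, a write at the correct counter still fails the MAC.
    r["forgery_rejected"] = dev.write(0, bytes(BLOCK_SIZE), dev.read_counter(), os.urandom(32)) == "auth failure"
    # A read response captured under an earlier nonce does not verify under a fresh one.
    stale_data, stale_mac = dev.read(0, os.urandom(NONCE_LEN))
    r["stale_read_rejected"] = not hmac.compare_digest(
        stale_mac, _mac(key, stale_data, os.urandom(NONCE_LEN), 0, 0, REQ_READ))
    return r
```

Note that the device checks the counter before the MAC and increments it only on an accepted write, so a rejected frame never consumes a counter value; the host must re-read the counter after any failure before retrying.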

## Next steps

- To learn about the next security feature, see [Storage encryption](https://docs.qualcomm.com/doc/80-70018-11/topic/file-based-encryption.html#file-based-encryption).
- To learn about TrustZone and security framework, see [Security architecture](https://docs.qualcomm.com/doc/80-70018-11/topic/architecture.html#architecture).
- To learn about APIs that can be used to interact with Linux and hardware, see [Security APIs](https://docs.qualcomm.com/doc/80-70018-11/topic/interfaces.html#interfaces).
- To learn how to enable or disable the RPMB-based SFS anti-rollback protection, see [RPMB-based SFS anti-rollback protection](https://docs.qualcomm.com/doc/80-70018-11/topic/enable-device-devcfg-from-qtee.html#section-enable-rpmb-based-sfs-antirollback-protection-label).

Last Published: Apr 10, 2025
