How to manage Secure Enclave card storage limits


It's hard to hit, but Apple's Secure Enclave does have limits to how many cards can be stored in Apple Wallet. Here's what to do if you hit that limit.

Image: Apple's T2 chip



Apple's Secure Enclave is a protected area on Apple's devices which holds keys, encrypted data, cards, and other security information.

The idea behind Secure Enclave is that it's a separate subsystem on Apple devices so if the main processor or OS gets compromised, your secure data is still safe.

Secure Enclave was introduced with Apple's A7 and T2 chips and it uses AES cryptography to encode information so it's not plain-text readable without decryption. A separate System on a Chip (SoC) is included in Apple devices to manage the Secure Enclave.

Apple later added a second-gen Secure Enclave starting with A14 processors in the fall of 2020.

Secure Enclave is also built into all Apple Silicon-based systems.

Secure Enclave uses Public Key Infrastructure (PKI) internally to ensure only your security identifiers such as passwords, Touch ID, and passkeys can be used to unlock your data. There's a hardware and a software component to Secure Enclave, and they work together to keep your sensitive data safe on your Apple devices.

The Apple Cash app also uses the Secure Enclave.

Apple holds a patent on its Secure Enclave technology, but there are similar Trusted Computing systems such as ARM's TrustZone.

Secure Enclave, cards, and Apple Wallet



One of the major uses of Secure Enclave is to encode, store, and retrieve your sensitive data and passes in the Apple Wallet app for later use.

Apple Wallet, Apple Pay, and passes together are known as PassKit. Third-party developers can add PassKit to their apps to manage Apple Pay and passes in the user's Wallet.

In Apple terminology a "pass" is any card which you add to the Apple Wallet app on your device which requires a password or other security key to access.

Passes can include airline boarding passes, credit cards, bank cards, door lock keys for home and hotels, transit passes, loyalty cards, gift cards, IDs, and other types of passes. By adding passes digitally to Apple Wallet you can use your Apple device to pay for goods and services, and as an ID device where one is required.

Technically payment cards are separate and can be added to Apple Pay to make payments anywhere Apple Pay is accepted, but from a security and Enclave standpoint, they all function similarly.

Obviously, you don't want any of the secure details of your passes to be available to anyone who might gain access to your phone. Apple Wallet provides this security by encrypting your pass info and keys in the Secure Enclave where only you can retrieve them.

Apple Wallet limitations



Since Apple Wallet uses the Secure Enclave, and since the Enclave uses its own nonvolatile memory to encode and store your pass and key info, there's a limit to how many passes you can store on your Apple device before the Enclave's memory becomes full.

When that happens you won't be able to add any more cards and passes to your device until you remove some existing ones.

In order to add passes to or remove passes from Apple Wallet, you must have already set up an Apple account, and must have set up Apple Wallet on your device.

There is no Apple Wallet app on iPads. Those devices lack the Near-Field Communication (NFC) and Bluetooth hardware, and the component Apple calls the Secure Element, which iPhones use to make wireless mobile payments at Point-of-Sale (POS) checkout registers.

When you use your iPhone to pay at a register or transit point, it communicates with the other device using NFC standards and usually the Bluetooth hardware built into most iPhones.

Apple began shipping universal NFC hardware in iPhone 8 and later, but if you're in Japan, you'll need a GSM iPhone, or one sold in Japan because Japan has its own NFC standard called NFC-F which is based on Sony's NFC technology called FeliCa.

If you are in Japan you can also check transit card balances stored in your Wallet using Ryoga Tanaka's app Japan NFC Reader.

iPad does, however, have a Wallet & Apple Pay section in the Settings app which you can use to add and remove cards and passes, and check your Apple Pay and Apple Cash balances. So if you're on iPad you can at least see your balances even though it doesn't have the Apple Wallet app.

Apple doesn't publish a hard limit on the maximum number of cards you can have in your Apple Wallet, but most users seem to agree the current limit appears to be around twenty-five total. Let us know if you have a different experience.

Check Apple Wallet for existing cards



If you try to add a new card to Apple Wallet and you get an error saying no more cards can be added, it may be because you've added enough cards to fill up the Secure Enclave's internal memory and it has no more room to store additional card data.

In that case you only have one option. You'll have to remove some existing cards or passes from Apple Wallet in order to make space in the Secure Enclave to add new ones.

The decision as to which cards or passes to delete is up to you, but obviously you'll have to make some trade-offs by deleting less important or infrequently used passes.

Card metrics



If you tried to add a card and got a warning that it couldn't be added because space was full, you may have gotten an alert which said "Unable to Add Card", along with a graph and metrics for each existing card or pass. If so, the warning probably also told you how much space needed to be freed in order to add the card.

iOS provides a small graph in the warning showing total usage by card and pass type, as well as a Check Usage row just below the graph.

If you tap the Check Usage row it will take you to a pane where you can view specific usage details about each card and pass on your device.

Also in the Add Card warning pane, you'll see a list of current cards and passes, with a percentage next to each. You can use the percentage indicators to help decide which cards to remove to free up space.

How to remove cards and passes from Apple Wallet



If you find your Secure Enclave is full, you can remove cards either from the Wallet & Apple Pay Settings pane, or from the Apple Wallet app itself; existing passes can be removed in the Wallet app directly.

To remove cards from the Settings app, open that app, scroll down and tap Wallet & Apple Pay, then tap on an existing card under the Payment Cards section, then tap Remove Card.

Image: Payment Cards section in the Settings app under Wallet & Apple Pay.



You can remove existing passes from the Apple Wallet app by tapping a pass in the app, then tapping the button with three dots in it, then tapping Pass Details. From there tap Delete Pass and confirm you want to delete it.

You'll want to check the Wallet & Apple Pay settings pane and the Apple Wallet app from time to time to check how much Secure Enclave space each pass is using so you can keep a little extra space freed up for any new passes you may need to add.

Offloading Transit cards to iCloud



If you use a transit card for transportation such as rail or bus, you can store your transit card in iCloud using the iCloud backup feature in iOS Settings, remove it from the Apple Wallet app, then add it back to Apple Wallet on another iOS device by restoring from the backup.

Apple provides this ability because it includes what it calls Express Mode for transit cards, passes, and keys when using both your iPhone and Apple Watch.

The ability to sync transit cards to iCloud also keeps your transaction history for those cards in sync across all your devices that use them.

The Wallet app has to be turned on in the Settings->iCloud settings on your iPhone for this to work.




Comments

  • Reply 1 of 3
    Informative article. In addition to adding and removing cards and checking balances, you can use Apple Pay as a payment method on your iPad when making a purchase online.
  • Reply 2 of 3
    chadbag
    Since around iPhone 8 all iPhones have been Japan compatible including US iPhones.  Previously you had to have a Japan compatible iPhone to use Japanese NFC based services.  I’ve happily used my virtual Suica and Pasmo cards in Japan with my iPhones for years now. 
  • Reply 3 of 3

    Let's go through some misconceptions in your article:


    "Apple's Secure Enclave is a protected area on Apple's devices which holds keys, encrypted data, cards, and other security information."

    No! The Secure Enclave doesn't hold anything else than private keys. Those keys can't even be retrieved from its protected space. The place where you "store" things is called the Keychain. Basically what you do is you create a private key in the Secure Enclave and use it (through its data representation, as you can't get the key out of Secure Enclave) and encrypt data into Keychain. People often make this mistake of confusing Keychain with Secure Enclave because they are using low-level queries with Keychain to save passwords or sensitive data from their app. Instead the iOS developer should use CryptoKit. That way it is clear what you can and can't do by simply using autocomplete in Xcode with "SecureEnclave.P256." as a start. For the curious reader, P256 is the only type of elliptic curve used with Secure Enclave that enables NIST P-256 signatures and key agreements.


    "[…] it uses AES cryptography to encode information so it's not plain-text readable without decryption."

    Encoding and encrypting are two completely different things. Encoding is to "write differently" something. For instance you can use ASCII, UTF-8, UTF-16, etc. An example: the following string has been encoded in base64: QXBwbGVJbnNpZGVy. I will let the reader choose whichever online base64 decoding tool to read what I encoded 😉. Anybody can "decode" that string to its original UTF-8 form, but if I encrypt it with my own Secure Enclave key on my iPhone 15 Pro, you will need exactly that key on my phone to read it without brute force. I would recommend you go through your article and replace all occurrences of "encode" with "encrypt".


    “One of the major uses of Secure Enclave is to encode, store, and retrieve your sensitive data and passes in the Apple Wallet app for later use.”

    No, the major and only use of Secure Enclave is to encrypt or sign data. Nothing else.


    “Apple wallet limitations”

    Precisely! The limitations are on the Apple Wallet app, not Secure Enclave. However, if you're like me, very intrigued about how Secure Enclave works, you should watch Ivan Krstic's talk at Black Hat USA in 2016 (available on YouTube). It is possible to exhaust the number of private keys you can create in the Secure Enclave (listen particularly to the questions at the end of the video). But Apple doesn't communicate what this limit is. The curious/intrepid developer could write an app that abuses Secure Enclave and creates many private keys until they exhaust. I have no idea what happens then; perform at your own risk…


    I hope that now people will understand more clearly what the Secure Enclave really is: it is not Keychain!

    Secure Enclave documentation: https://developer.apple.com/documentation/cryptokit/secureenclave

    CryptoKit documentation: https://developer.apple.com/documentation/cryptokit/


    Respite
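The pattern the comment above describes (a key that never leaves the Secure Enclave, its opaque data representation and the encrypted data kept in the Keychain, all through CryptoKit's SecureEnclave.P256 API rather than raw Keychain password items) looks like the following in practice. This is an added example written for this page; it is not code from the article, the commenter, or Apple. It assumes a device with a Secure Enclave and an app entitled to use the Keychain; the service and account strings, the "EnclaveVault v1" HKDF info label and the VaultError type are constructed placeholders.

```swift
import Foundation
import CryptoKit
import Security

// Added example (not from the article or the commenter). Sensitive app data is
// encrypted with AES-GCM under a key derived by ECDH against a Secure Enclave
// P-256 key agreement key, and only the *ciphertext* plus the enclave key's
// opaque handle (`dataRepresentation`) are stored in the Keychain. The private
// scalar itself never leaves the Secure Enclave.
enum VaultError: Error {
    case noSecureEnclave
    case keychain(OSStatus)
    case malformedBlob
}

enum EnclaveVault {
    // Constructed placeholder identifiers for the Keychain items.
    static let service = "com.example.enclavevault"
    static let keyHandleAccount = "se-key-handle"
    static let blobAccount = "sealed-data"
    static let hkdfInfo = Data("EnclaveVault v1".utf8)   // assumed domain-separation label
    static let x963PublicKeyLength = 65                  // uncompressed P-256 point

    /// Loads the enclave key from its stored handle, or creates it on first use.
    static func loadOrCreateKey() throws -> SecureEnclave.P256.KeyAgreement.PrivateKey {
        guard SecureEnclave.isAvailable else { throw VaultError.noSecureEnclave }
        if let handle = try keychainRead(account: keyHandleAccount) {
            // The handle is a wrapped blob only this device's enclave can use.
            return try SecureEnclave.P256.KeyAgreement.PrivateKey(dataRepresentation: handle)
        }
        let key = try SecureEnclave.P256.KeyAgreement.PrivateKey()
        try keychainWrite(key.dataRepresentation, account: keyHandleAccount)
        return key
    }

    /// Encrypts `plaintext` to the enclave key: ephemeral ECDH -> HKDF-SHA256 -> AES-GCM.
    /// Stored layout: ephemeral public key (X9.63, 65 bytes) || nonce || ciphertext || tag.
    static func seal(_ plaintext: Data) throws {
        let enclaveKey = try loadOrCreateKey()
        let ephemeral = P256.KeyAgreement.PrivateKey()   // software key, discarded after use
        let shared = try ephemeral.sharedSecretFromKeyAgreement(with: enclaveKey.publicKey)
        let symmetricKey = shared.hkdfDerivedSymmetricKey(
            using: SHA256.self, salt: Data(), sharedInfo: hkdfInfo, outputByteCount: 32)
        guard let combined = try AES.GCM.seal(plaintext, using: symmetricKey).combined else {
            throw VaultError.malformedBlob
        }
        try keychainWrite(ephemeral.publicKey.x963Representation + combined, account: blobAccount)
    }

    /// Reverses `seal`: the enclave performs the ECDH with the stored ephemeral public key.
    static func open() throws -> Data {
        let enclaveKey = try loadOrCreateKey()
        guard let blob = try keychainRead(account: blobAccount),
              blob.count > x963PublicKeyLength else { throw VaultError.malformedBlob }
        let ephemeralPublic = try P256.KeyAgreement.PublicKey(
            x963Representation: blob.prefix(x963PublicKeyLength))
        let shared = try enclaveKey.sharedSecretFromKeyAgreement(with: ephemeralPublic)
        let symmetricKey = shared.hkdfDerivedSymmetricKey(
            using: SHA256.self, salt: Data(), sharedInfo: hkdfInfo, outputByteCount: 32)
        let box = try AES.GCM.SealedBox(combined: blob.dropFirst(x963PublicKeyLength))
        return try AES.GCM.open(box, using: symmetricKey)   // fails if tampered with
    }

    // MARK: Keychain helpers (generic-password items, this device only)

    private static func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    private static func keychainRead(account: String) throws -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw VaultError.keychain(status)
        }
        return data
    }

    private static func keychainWrite(_ data: Data, account: String) throws {
        let base = baseQuery(account: account)
        SecItemDelete(base as CFDictionary)   // replace any previous value
        var attrs = base
        attrs[kSecValueData as String] = data
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw VaultError.keychain(status) }
    }
}

// Usage: try EnclaveVault.seal(Data("card note".utf8)); let back = try EnclaveVault.open()
```

Two design points worth noticing: the Keychain items are marked `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, so they are excluded from backups and from migration to another device, which matches the fact that the enclave key handle is useless anywhere but on the enclave that created it; and a fresh ephemeral key per `seal` call means each stored blob is encrypted under a different derived key, so nothing about one blob helps decrypt another.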