Conversation

Wipe and rotate hardware-backed keys rather than data: reddit.com/r/GrapheneOS/c Factory reset or profile deletion is the right way to prevent future access to data. Clearing app data or uninstalling works on a per-app basis if the app encrypts data with the keystore like Signal.
> How do you reliably erase an app-specific hardware-backed key without blowing away the entire profile?

As stated in the comment, the app can reliably delete hardware-backed keys. Clearing the app data or uninstalling the app will also reliably delete hardware-backed keys too.
Unfortunately, that's not true. Rollback resistance is optional for StrongBox Keymaster, just like TEE. Titan M's StrongBox Keymaster does not implement rollback resistance. This is an area I'm working to improve -- along with increasing the number of devices with StrongBox.