Encryption & Keychain

PrismSecurity provides a full cryptographic toolkit built on CryptoKit — symmetric encryption, hashing, key derivation, keychain storage, Secure Enclave, and a high-level PrismSecureStore that combines encryption + keychain in one call.

Encryption

AES-GCM (Default)

let encryptor = PrismEncryptor()  // .aesGCM by default
let key = encryptor.generateKey()

let encrypted = try encryptor.encrypt(Data("secret".utf8), using: key)
let decrypted = try encryptor.decrypt(encrypted, using: key)

ChaChaPoly

let encryptor = PrismEncryptor(algorithm: .chaChaPoly)
let key = encryptor.generateKey()

let encrypted = try encryptor.encrypt(data, using: key)

Codable Values

struct Credentials: Codable, Sendable {
    let token: String
    let refreshToken: String
}

let encrypted = try encryptor.encrypt(credentials, using: key)
let decoded = try encryptor.decrypt(Credentials.self, from: encrypted, using: key)

Key Export / Import

let keyData = encryptor.exportKey(key)   // Data
let imported = encryptor.importKey(keyData)  // SymmetricKey

Hashing

SHA-256 / 384 / 512

let hasher = PrismHasher()
let hash = hasher.hash(Data("message".utf8))          // Data (SHA-256)
let hex = hasher.hashHex(Data("message".utf8))         // String

let sha384 = PrismHasher(algorithm: .sha384)
let sha512 = PrismHasher(algorithm: .sha512)

HMAC

let key = SymmetricKey(size: .bits256)
let mac = hasher.hmac(for: data, using: key)   // Data
let valid = hasher.verifyHMAC(mac, for: data, using: key)  // Bool

Key Derivation

HKDF

let derived = PrismKeyDerivation.deriveKey(
    from: sharedSecret,
    salt: salt,
    info: Data("context".utf8),
    outputByteCount: 32
)
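
The `info` value is what separates keys derived from the same secret and salt. The following added example (not PrismSecurity code) calls CryptoKit directly, which the toolkit is built on, to derive two purpose-bound keys and check that AES-GCM rejects both the wrong subkey and a one-bit change; the labels, salt, and the `subkey` and `unseal` helpers are constructed for illustration.

```swift
import CryptoKit
import Foundation

// Constructed sample inputs (not from the page).
let sharedSecret = SymmetricKey(size: .bits256)   // stands in for a key-agreement result
let salt = Data("constructed-example-salt".utf8)

// Derive a 256-bit subkey bound to one purpose through the HKDF `info` label.
func subkey(for purpose: String) -> SymmetricKey {
    HKDF<SHA256>.deriveKey(
        inputKeyMaterial: sharedSecret,
        salt: salt,
        info: Data(purpose.utf8),
        outputByteCount: 32
    )
}

let tokenKey = subkey(for: "example/token-encryption")
let cacheKey = subkey(for: "example/cache-encryption")

// Seal with AES-GCM. `combined` is nonce (12 bytes) || ciphertext || tag (16 bytes)
// and is only nil when a non-default nonce size is used.
let plaintext = Data("secret".utf8)
let sealed = try AES.GCM.seal(plaintext, using: tokenKey)
guard let blob = sealed.combined else { fatalError("no combined representation") }

// Returns the plaintext, or nil when parsing or tag verification fails.
func unseal(_ blob: Data, with key: SymmetricKey) -> Data? {
    guard let box = try? AES.GCM.SealedBox(combined: blob) else { return nil }
    return try? AES.GCM.open(box, using: key)
}

// Flip one bit in the last byte, which belongs to the authentication tag.
var tampered = blob
tampered[tampered.endIndex - 1] ^= 0x01

precondition(blob.count == 12 + plaintext.count + 16, "unexpected combined layout")
precondition(unseal(blob, with: tokenKey) == plaintext, "round trip failed")
precondition(unseal(blob, with: cacheKey) == nil, "a different info label must yield a different key")
precondition(unseal(tampered, with: tokenKey) == nil, "a modified tag must fail authentication")
print("HKDF domain separation and AES-GCM authentication checks passed")
```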

Password-Based

let salt = PrismKeyDerivation.generateSalt()
let key = PrismKeyDerivation.deriveFromPassword("hunter2", salt: salt)

Keychain

Save and Load

let keychain = PrismKeychain()
let item = PrismKeychainItem(id: "apiKey", service: "MyApp")

// String
try keychain.save(string: "sk-secret-123", for: item)
let key = try keychain.loadString(for: item)

// Data
try keychain.save(data: rawData, for: item)
let data = try keychain.loadData(for: item)

// Codable
try keychain.save(codable: credentials, for: item)
let creds = try keychain.load(Credentials.self, for: item)

Access Control

let item = PrismKeychainItem(
    id: "sensitiveKey",
    accessControl: .biometricAny  // requires Face ID / Touch ID
)

// Presets: .default, .biometricAny, .biometricCurrentSet,
//          .devicePasscode, .biometricOrPasscode

Existence & Deletion

let exists = keychain.exists(item)
try keychain.delete(item)
try keychain.deleteAll(service: "MyApp")

Secure Enclave

Hardware-backed P256 key generation and signing: keys never leave the chip.

let enclave = PrismSecureEnclave()

// Generate a key pair (stored in Secure Enclave)
let publicKey = try enclave.generateKeyPair(tag: "com.app.signing")

// Sign data
let signature = try enclave.sign(data: message, tag: "com.app.signing")

// Verify
let valid = try enclave.verify(
    signature: signature,
    for: message,
    tag: "com.app.signing"
)

// Delete
try enclave.deleteKeyPair(tag: "com.app.signing")

Secure Enclave is only available on devices with the T2 chip or later (iPhone 5s+, Apple Silicon Macs). Check availability before use.

Secure Store

High-level API that combines encryption + keychain: encrypt data with a managed key and store the ciphertext in the keychain, all in one call.

let store = PrismSecureStore(configuration: .biometricProtected)

// Save
try store.save(myCredentials, forKey: "credentials")

// Load
let creds = try store.load(Credentials.self, forKey: "credentials")

// Delete
try store.delete(forKey: "credentials")

Configurations

| Preset | Encryption | Access Control |
| --- | --- | --- |
| .default | AES-GCM | Standard keychain |
| .biometricProtected | AES-GCM | Biometric required |
| .highSecurity | ChaChaPoly | Biometric (current set) |

// Custom
let config = PrismSecureStoreConfiguration(
    service: "VaultApp",
    algorithm: .chaChaPoly,
    accessControl: .biometricOrPasscode
)
let store = PrismSecureStore(configuration: config)