Key Generation Attributes

Use attribute dictionary keys during cryptographic key generation.

Overview

Use these dictionary keys in the parameter dictionary when you create new cryptographic keys with the SecKeyCreateRandomKey function. The type and size attributes are required, while all others are optional.

With the exception of kSecAttrTokenID, you can specify the optional keys in either the top-level parameter dictionary or in one of the key-specific sub-dictionaries specified by the kSecPrivateKeyAttrs and kSecPublicKeyAttrs attributes. In the latter case, the given attribute applies only to the private or public key, respectively.

Use these keys in exactly the same way for the parameter dictionary you supply to the legacy SecKeyGeneratePair function.
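
The following is an added example, not code from Apple's documentation. It shows the placement rules described above: type and size at the top level, kSecAttrTokenID at the top level only, and permanence and tag scoped to the private key through kSecPrivateKeyAttrs. The helper name, error type, label string, and the choice of a 256-bit elliptic curve key are assumptions made for illustration.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum KeyGenError: Error {
    case generationFailed(String)
    case noPublicKey
}

// Hypothetical helper (not an Apple API): generates an EC P-256 key pair
// and returns the private key together with its derived public key.
func makeSigningKey(tag: String,
                    persist: Bool,
                    inSecureEnclave: Bool) throws -> (privateKey: SecKey, publicKey: SecKey) {
    // Attributes placed here apply to the private key only.
    let privateAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: persist,             // store in the keychain or not
        kSecAttrApplicationTag as String: Data(tag.utf8),   // tag used to find the key later
    ]

    // Top-level dictionary: type and size are required.
    var params: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrLabel as String: "Example signing key",     // constructed label, applies to both keys
        kSecPrivateKeyAttrs as String: privateAttrs,
    ]

    // kSecAttrTokenID is the exception: it must be in the top-level dictionary,
    // never inside kSecPrivateKeyAttrs or kSecPublicKeyAttrs.
    if inSecureEnclave {
        params[kSecAttrTokenID as String] = kSecAttrTokenIDSecureEnclave
    }

    var error: Unmanaged<CFError>?
    guard let privateKey = SecKeyCreateRandomKey(params as CFDictionary, &error) else {
        // Surface the CFError text instead of discarding it.
        let message = error.map { String(describing: $0.takeRetainedValue()) } ?? "unknown error"
        throw KeyGenError.generationFailed(message)
    }
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw KeyGenError.noPublicKey
    }
    return (privateKey, publicKey)
}
```

Passing inSecureEnclave: true requires hardware with a Secure Enclave; on other devices the call fails and the helper throws with the system's error description.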

Topics

Required

kSecAttrKeyType

A key whose value indicates the item's algorithm.

kSecAttrKeySizeInBits

A key whose value indicates the number of bits in a cryptographic key.

Key Specific

kSecPrivateKeyAttrs

A key whose value is a dictionary of cryptographic key attributes specific to a private key.

kSecPublicKeyAttrs

A key whose value is a dictionary of cryptographic key attributes specific to a public key.

Optional

kSecAttrLabel

A key whose value is a string indicating the item's label.

kSecAttrTokenID

A key whose value indicates that a cryptographic key is in an external store.

kSecAttrIsPermanent

A key whose value indicates the item's permanence.

kSecAttrApplicationTag

A key whose value indicates the item's private tag.

kSecAttrEffectiveKeySize

A key whose value indicates the effective number of bits in a cryptographic key.

kSecAttrCanEncrypt

A key whose value is a Boolean that indicates whether the cryptographic key can be used for encryption.

kSecAttrCanDecrypt

A key whose value is a Boolean that indicates whether the cryptographic key can be used for decryption.

kSecAttrCanDerive

A key whose value is a Boolean that indicates whether the cryptographic key can be used for derivation.

kSecAttrCanSign

A key whose value is a Boolean that indicates whether the cryptographic key can be used for digital signing.

kSecAttrCanVerify

A key whose value is a Boolean that indicates whether the cryptographic key can be used for signature verification.

kSecAttrCanWrap

A key whose value is a Boolean that indicates whether the cryptographic key can be used for wrapping.

kSecAttrCanUnwrap

A key whose value is a Boolean that indicates whether the cryptographic key can be used for unwrapping.

See Also

Key Generation

Generating New Cryptographic Keys

Create both asymmetric and symmetric cryptographic keys.

Storing Keys in the Secure Enclave

Create an extra layer of security for your private keys.

SecKeyCreateRandomKey

Generates a new private/public key pair.

SecKeyCopyPublicKey

Gets the public key associated with the given private key.