Thank you very much Quinn! That clarifies a lot...
Using the system keychain is for sure the easiest path...
The cryptographic secret I am trying to protect is in this case a local CA private key for developer security products to block malware etc...
I suppose it shouldn't matter that the root user can access it as the CA is isolated and specific to that device, so not like there's a security risk there and I suppose if you have an attacker with root access that is not the user, I suppose you anyway have bigger issues than this...
Also thank you for correcting me with the terminology..
So, to recap:
For a system extension that has such a secret, specific to and only used by that extension (e.g. the CA private key), is the system keychain the recommended place to store it?
Also, a second question. I was trying to use the Secure Enclave to get a private key so that I can perhaps encrypt/decrypt data stored in the system extension's app container, but here too I was running into errors... Can you clarify, Quinn, whether it is possible for a system extension to use/own a private (persistent) key via the Secure Enclave? I keep running into one error after another. Are there official docs/examples on that?
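The Secure Enclave pattern asked about above, as an added illustration that is not part of this post or Quinn's reply: a persistent P-256 key whose private half never leaves the Secure Enclave, looked up by application tag on later launches and used for ECIES encrypt/decrypt of container data. The tag string, the choice of `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` for a background process, and the sample plaintext are assumptions for this example; whether the call succeeds inside a given system extension depends on that extension's entitlements and is not something this snippet settles.

```swift
import Foundation
import Security

// Hypothetical application tag for this extension's key (any stable, unique string).
let keyTag = "com.example.sysext.container-key".data(using: .utf8)!

/// Look up an existing Secure Enclave private key by tag, if one was created earlier.
func loadExistingKey(tag: Data) -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: tag,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let ref = item else { return nil }
    return (ref as! SecKey)
}

/// Create a persistent P-256 key in the Secure Enclave; only the public half is exportable.
func createSecureEnclaveKey(tag: Data) throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    // Assumption: a background system extension has no interactive unlock, so
    // "after first unlock, this device only" is used rather than "when unlocked".
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        .privateKeyUsage,
        &cfError
    ) else {
        throw cfError!.takeRetainedValue() as Error
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,   // keep it in the keychain across launches
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    return key
}

// ECIES is the only encryption scheme Secure Enclave EC keys support.
let eciesAlgorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM

/// Encrypt with the public half (no enclave round trip needed for this direction).
func encrypt(_ plaintext: Data, for privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          SecKeyIsAlgorithmSupported(publicKey, .encrypt, eciesAlgorithm) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecUnsupportedAlgorithm))
    }
    var cfError: Unmanaged<CFError>?
    guard let ciphertext = SecKeyCreateEncryptedData(publicKey, eciesAlgorithm, plaintext as CFData, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    return ciphertext as Data
}

/// Decrypt inside the enclave; the private scalar is never exposed to the caller.
func decrypt(_ ciphertext: Data, with privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let plaintext = SecKeyCreateDecryptedData(privateKey, eciesAlgorithm, ciphertext as CFData, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    return plaintext as Data
}

// Usage: reuse the key if it already exists, otherwise create it once.
do {
    let key = try loadExistingKey(tag: keyTag) ?? createSecureEnclaveKey(tag: keyTag)
    let sample = "constructed sample container record".data(using: .utf8)!  // constructed input
    let sealed = try encrypt(sample, for: key)
    let opened = try decrypt(sealed, with: key)
    print(opened == sample ? "round trip ok, \(sealed.count) ciphertext bytes" : "round trip FAILED")
} catch {
    // The CFError / OSStatus surfaced here is what to compare against the
    // Security framework's errSec* codes when diagnosing a failing extension.
    print("Secure Enclave key error: \(error)")
}
```

The lookup-then-create order matters: `kSecAttrIsPermanent` stores the key reference in the keychain, so calling `SecKeyCreateRandomKey` on every launch would accumulate keys under the same tag and make later lookups ambiguous. Keeping the error value from the failing call, rather than retrying blindly, is the quickest way to tell an entitlement or access-control problem apart from an unsupported-algorithm one.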