AFAIK the storage is encrypted using (a key derived from) a unique device key in the secure enclave and thus the storage is tied to the physical device.
Further keys are generated using the Passphrase and the unique device key, so they are tied to the user and the device.
The application can choose per file:
* Encrypted when locked: NSFileProtectionComplete
* Encrypted until first unlock: NSFileProtectionCompleteUntilFirstUserAuthentication
* Encrypted unless used by the application's background tasks: NSFileProtectionCompleteUnlessOpen
I think the keys used for file encryption are unique per application and then again per file, but I didn’t find information on this.
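An added example (not from any poster in this thread) showing how an app picks one of the three per-file classes listed above, verifies the class actually stuck, and handles the read-side consequence of the "encrypted when locked" class. Function and type names (`ProtectionChoice`, `writeProtected`, `readProtected`, `ProtectionError`) are hypothetical; the Foundation APIs are real.

```swift
import Foundation

/// The three per-file classes from the post, mapped to the Swift names of the
/// same NSFileProtection* constants.
enum ProtectionChoice {
    case whenLocked        // NSFileProtectionComplete
    case untilFirstUnlock  // NSFileProtectionCompleteUntilFirstUserAuthentication
    case unlessOpen        // NSFileProtectionCompleteUnlessOpen

    var fileProtection: FileProtectionType {
        switch self {
        case .whenLocked:       return .complete
        case .untilFirstUnlock: return .completeUntilFirstUserAuthentication
        case .unlessOpen:       return .completeUnlessOpen
        }
    }
}

enum ProtectionError: Error {
    case classNotApplied(expected: FileProtectionType, actual: FileProtectionType?)
}

/// Writes `contents` with the requested class and reads the attribute back, so
/// a file that silently landed in the default class is caught at write time.
@discardableResult
func writeProtected(_ contents: Data, to url: URL,
                    choice: ProtectionChoice) throws -> FileProtectionType {
    let fm = FileManager.default
    guard fm.createFile(atPath: url.path, contents: contents,
                        attributes: [.protectionKey: choice.fileProtection]) else {
        throw CocoaError(.fileWriteUnknown)
    }
    let attrs = try fm.attributesOfItem(atPath: url.path)
    let applied = attrs[.protectionKey] as? FileProtectionType
    guard applied == choice.fileProtection else {
        throw ProtectionError.classNotApplied(expected: choice.fileProtection,
                                              actual: applied)
    }
    return applied!
}

/// Reads a protected file. For the "when locked" class the per-file key is
/// unavailable while the device is locked, so the open fails with a
/// no-permission error; treat that as "retry after unlock", not as corruption.
func readProtected(at url: URL) throws -> Data? {
    do {
        return try Data(contentsOf: url)
    } catch let error as CocoaError where error.code == .fileReadNoPermission {
        return nil  // keys evicted (device locked); caller retries later
    }
}
```

The verification step matters because a file copied or recreated by another code path inherits the app's default class, not the one you chose for the original.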
I appreciate you both providing more info on this. It seems iOS is much more encrypted than I had thought it was. Still, if I resurrect the micro-journaling app, I'll probably keep an app-specific password and SQLCipher to add that extra layer of protection.
Full disk encryption (called Data Protection on iOS) is enabled as long as a passcode is set. This has been the case since what, iOS 4?