File-based encryption keys, which are 512-bit keys, are stored encrypted by another key (a 256-bit AES-GCM key) held in the TEE. To use this TEE key, three requirements must be met:

The auth token
The stretched credential
The “secdiscardable hash”