by e28eta
4629 days ago
> they must cache the plaintext value in some temp storage to be able to provide it while the device is locked.

From what I remember, no, they definitely don't save it in plaintext. It's late, and I don't remember the exact details, but there are places where Apple talks about how it works. Here's the gist, I think:

When the user unlocks the phone, several encryption keys are generated using the pass code. One's used for Available After First Unlock, and that one's stored in RAM till the device reboots. Another is used for items that are only available when unlocked, and that's thrown away every time the phone is locked. Items that are restricted to the device use a key that is also derived from a private device identifier. So not plaintext, but the decryption key is hanging around in the device. You're definitely on target with the suggestion for a background task token though.