Question regarding DE keys for user profiles

mdi

TL;DR: I'm wondering if pressing "End Session" on a user profile purges both CE and DE keys, or just CE keys.

Additional context:
My understanding is that each user has separate CE and DE keys (source). The Graphene FAQ also states that the End Session button "fully purges the encryption keys" for a user profile. I cannot tell whether this refers just to CE keys or DE keys as well. If both are purged, does this put that profile in a state which is theoretically more secure than a default BFU state, in which DE keys are available? And if this is the case, does that mean that things like alarms cannot run from that profile while it's at rest? (this last point is something I will dynamically test later if I have the time)

MyIdentityIsntImportant

mdi I cannot tell whether this refers just to CE keys or DE keys as well.

Ending a session on a secondary user profile purges only the Credential Encrypted (CE) storage keys tied to that specific profile from memory, essentially putting that specific profile to a Before First Unlock (BFU) state.

mdi If both are purged

Device Encrypted (DE) storage keys cannot be purged from memory if you want to keep the phone on. They are required for the OS to gain access to its own data that it needs to operate.

mdi does that mean that things like alarms cannot run from that profile while it's at rest?

If the app you wish to use for alarms supports Direct Boot (i.e. doing things when the phone/profile is in the BFU state) like as the default Clock app does, it should work. I've gotten my alarms from my user profiles even after a total system reboot when I've set them through the default Clock app. However, given the amount of bugs in the AOSP profile system, I'd suggest testing things out before relying on them. They might or might not work for you, even if you've done everything right.

mdi

MyIdentityIsntImportant thanks for the answer! This makes sense.