Android: Store SecretKey in KeyStore
WRONG
java.security.KeyStore can store both symmetric and asymmetric keys. You just need to instantiate KeyStore.SecretKeyEntry passing it your SecretKey in the constructor and then use the KeyStore#setEntry method to save it:
keyStore.setEntry(
"key1",
new KeyStore.SecretKeyEntry(secretKey),
new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setBlockMode(KeyProperties.BLOCK_MODE_GCM)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
.build());
To get it back out use:
SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null);
UPDATE
After some research I was surprised to find out, that AndroidKeyStore doesn't support symmetric keys. (see the discussion: https://groups.google.com/forum/#!topic/android-developers/gbmIRKRbfq8)
Related videos on Youtube
02 : 21
15 : 09
17 : 51
05 : 47
08 : 34
18 : 41
06 : 23
Comments
-
Rajkiran almost 2 years
I use a SecretKey to encrypt sensitive data in my application. Currently I am storing my SecretKey in Base64 encoded format in DB or SharedPrefs which is not a safe place to store Secret on a rooted phone. Hence, I want to move my SecretKey to Android KeyStore. The problem I am facing is when I try this sample code from Google, it expects a PrivateKey instead of SecretKey. I couldn't figure out a way to store my SecretKey in KeyStore and fetch it for later use. I tried this:
private static void writeSecretKeyToKeystore(SecretKey secretKey, Context context) { KeyStore keyStore = null; try { keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry(secretKey); keyStore.setKeyEntry("Key", secretKeyEntry.getSecretKey().getEncoded(), null); } catch (KeyStoreException e) { e.printStackTrace(); } catch (CertificateException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); }When I try above code, it throws an exception
Operation not supported because encoding is unknown.Any sample code would be of great help.
-
Rajkiran about 8 yearsDamn! I changed it to
setEntrynow and I see this exceptionjava.security.KeyStoreException: Entry must be a PrivateKeyEntry or TrustedCertificateEntry; was SecretKeyEntry: algorithm - AES
-
-
Rajkiran about 8 yearsI don't see any method on KeyStore which accepts SecretKeyEntry object. Also, your answer mentions how to get entry, more than how to set entry. Please check my updated question.
-
dev.bmax about 8 yearsboth methods (getEntry and setEntry) deal with the KeyStore.Entry interface (see: developer.android.com/reference/java/security/…). KeyStore.SecretKeyEntry implements this interface, so you can use it everywhere that KeyStore.Entry is expected. -
Rajkiran about 8 yearsThis won't work on API < 23. I am developing an app starting with Lollipop. I use this code keyStore.setEntry( "key1", new KeyStore.SecretKeyEntry(secretKey), new KeyStoreParameter.Builder(context).setEncryptionRequired(true).build()); but it wouldn't work. Upvoted your answer though.
-
eastwater over 5 yearsI tried API 28, getting SecretKeyEntry from a keystore, returns null. Java SE: no problem.
