
I want to encrypt and decrypt symmetrically with the Android Keystore KMS. I'm aware of Google Cloud KMS and AWS KMS, but I don't want to deal with those platforms.

How do I manage this generated Android Keystore private key for both sides (client and server)?

I have created a private key for encrypting and decrypting, but it is hard to manage storing and sharing this key. I had stored that private key in private SharedPreferences for reuse, but there is one problem: these private SharedPreferences are not secure, because anyone can observe the private SharedPreferences file on a rooted device.

Refer to this link for information about generating a private key for Android Keystore.

I'm new to Tink, so please help me out with this. If there is something wrong in my idea, feel free to give your opinion.

Pankaj Savaliya

1 Answer

Android Keystore is a client side KMS, you cannot use it on server side.

If you want to use Tink with Android Keystore on Android, please take a look at AndroidKeysetManager. Here's an example:

 import com.google.crypto.tink.PublicKeySign;
 import com.google.crypto.tink.integration.android.AndroidKeysetManager;
 import com.google.crypto.tink.signature.PublicKeySignFactory;
 import com.google.crypto.tink.signature.SignatureConfig;
 import com.google.crypto.tink.signature.SignatureKeyTemplates;

 SignatureConfig.register(); // registers the signature key managers; required once before getPrimitive()
 String masterKeyUri = "android-keystore://my_master_key_id";
 AndroidKeysetManager manager = new AndroidKeysetManager.Builder() // build() throws GeneralSecurityException, IOException
    .withSharedPref(getApplicationContext(), "my_keyset_name", "my_pref_file_name")
    .withKeyTemplate(SignatureKeyTemplates.ECDSA_P256)
    .withMasterKeyUri(masterKeyUri)
    .build();
 PublicKeySign signer = PublicKeySignFactory.getPrimitive(manager.getKeysetHandle());

This will read a keyset stored in the my_keyset_name preference of the my_pref_file_name preferences file. If the preference file name is null, it uses the default preferences file.

If the keyset is not found or invalid, and a valid KeyTemplate is set with AndroidKeysetManager.Builder.withKeyTemplate(com.google.crypto.tink.proto.KeyTemplate), a fresh keyset is generated and is written to the my_keyset_name preference of the my_pref_file_name shared preferences file.

On Android M or newer and if a master key URI is set with AndroidKeysetManager.Builder.withMasterKeyUri(java.lang.String), the keyset is encrypted with a master key generated and stored in Android Keystore. When Tink cannot decrypt the keyset it would assume that it is not encrypted.

The master key URI must start with android-keystore://. If the master key doesn't exist, a fresh one is generated. Usage of Android Keystore can be disabled with AndroidKeysetManager.Builder.doNotUseKeystore().

On Android L or older, or when the master key URI is not set, the keyset will be stored in cleartext in private preferences which, thanks to the security of the Android framework, no other apps can read or write.

Thai Duong
  • A link to a solution is welcome, but please ensure your answer is useful without it: [add context around the link](https://meta.stackexchange.com/a/8259) so your fellow users will have some idea what it is and why it’s there, then quote the most relevant part of the page you're linking to in case the target page is unavailable. [Answers that are little more than a link may be deleted.](https://stackoverflow.com/help/deleted-answers) – Alessio Sep 17 '19 at 20:31
  • Thanks for the tip. I edited my answer to add more info. – Thai Duong Sep 18 '19 at 21:05
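The question asks for symmetric encryption, while the answer's snippet shows a signature keyset. The following is an added example, not code from the answer or from the Tink project, that applies the same AndroidKeysetManager pattern to an AEAD keyset: the keyset is stored in private SharedPreferences but wrapped with a master key that Tink generates inside Android Keystore, so the preferences file alone holds only the encrypted keyset. The keyset name, preference file name and master key URI are placeholders chosen here, and the API shape assumed is the Tink 1.2/1.3-era one in which withKeyTemplate takes a proto KeyTemplate such as AeadKeyTemplates.AES256_GCM.

```java
import android.content.Context;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.integration.android.AndroidKeysetManager;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

/**
 * Added example (not from the answer above): a symmetric AEAD keyset managed by
 * Tink's AndroidKeysetManager. The keyset lives in private SharedPreferences but
 * is wrapped with a master key generated inside Android Keystore, which never
 * leaves the device. All names below are hypothetical placeholders.
 */
public final class LocalAeadStore {
    private static final String KEYSET_NAME = "my_aead_keyset";      // hypothetical
    private static final String PREF_FILE = "my_aead_pref_file";     // hypothetical
    private static final String MASTER_KEY_URI =
            "android-keystore://my_aead_master_key";                 // hypothetical

    private final Aead aead;

    public LocalAeadStore(Context context) throws GeneralSecurityException, IOException {
        // Registers the AEAD key managers; required once before getPrimitive().
        AeadConfig.register();

        // Loads the keyset, or on first run generates an AES-256-GCM keyset and
        // writes it back encrypted under the Keystore master key (Android M+).
        KeysetHandle handle = new AndroidKeysetManager.Builder()
                .withSharedPref(context, KEYSET_NAME, PREF_FILE)
                .withKeyTemplate(AeadKeyTemplates.AES256_GCM)
                .withMasterKeyUri(MASTER_KEY_URI)
                .build()
                .getKeysetHandle();

        this.aead = handle.getPrimitive(Aead.class);
    }

    /** Encrypts plaintext; associatedData is authenticated but not encrypted. */
    public byte[] seal(String plaintext, String associatedData) throws GeneralSecurityException {
        return aead.encrypt(plaintext.getBytes(StandardCharsets.UTF_8),
                            associatedData.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Decrypts; throws GeneralSecurityException if the ciphertext was modified
     * or the associated data differs from what was supplied at encryption time.
     */
    public String open(byte[] ciphertext, String associatedData) throws GeneralSecurityException {
        byte[] plaintext = aead.decrypt(ciphertext, associatedData.getBytes(StandardCharsets.UTF_8));
        return new String(plaintext, StandardCharsets.UTF_8);
    }
}
```

Typical use is `new LocalAeadStore(getApplicationContext()).seal(secret, "record:42")` and `open(ciphertext, "record:42")`; the associated data binds each ciphertext to its context, so a ciphertext copied into another record fails to decrypt instead of silently returning the wrong value. As the answer states, this is client-side only: the Keystore master key cannot be exported to a server, so the keyset wrapped under it is usable only on the device that created it. Copying the preferences file off a rooted device yields the wrapped keyset, not the plaintext keys; an attacker able to run code as the app on that device is a separate threat that Keystore wrapping does not address.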