Does the Android Keystore make use of the Trusted Execution Environment (TEE) and Secure Element (SE) automatically if it is available? Or are any further steps required?
Generally yes.
There is no requirement for the Keystore to be hardware-backed on all devices, but if it is hardware-backed and if that is by a TEE (the common case), then it will be used whenever Keystore-backed keys are used.
See the current CDD document for requirements around this. Section 9.11. Keys and Credentials
You may also find this answer interesting, as it talks about the keymaster & TEE implementations.