Menu
How does Android protect the keystore in 4.4 and beyond? How does it encrypt/decrypt it? Are there any good tutorials that describe the internals of how the keystore works on the device?
819
The encryption/decryption of the keystore is handled by the keystore service, which in turn links with a Hardware Abstraction Layer module called "keymaster". The AOSP provides a sofware ("softkeymaster") implementation, but device vendors can offer support for hardware based protected storage, if available. On ARM architectures, this linked to the ARM "TrustZone".
The upper level layers remain entirely agnostic of the implementation: The keymaster HAL exports methods to generate or remove keypairs, sign data, etc, but does not actually provide exposure to any private keys.
Tutorial wise, there's nothing. But book-wise, there are two great books. The first is Nikolay Elenkov's "Android Security Internals". He also writes a blog, called Android Explorations, which describes (in several posts) the keystore in depth. The second is "Android Internals" by Jonathan Levin, which discusses the keystore daemon.
155
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
