Android KeyStore get raw bytes/string of stored key

Kevin Ossia Published in 2017-11-14 22:13:52Z

I can generate a key to be stored in the Android Keystore like so:

private static final String AndroidKeyStore = "AndroidKeyStore";
private static final String AES_MODE = "AES/GCM/NoPadding";

keyStore = KeyStore.getInstance(AndroidKeyStore);
keyStore.load(null); // the keystore must be loaded before it is queried

if (!keyStore.containsAlias(KEY_ALIAS)) {
    KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, AndroidKeyStore);
    keyGenerator.init(
            new KeyGenParameterSpec.Builder(KEY_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                    .build());
    keyGenerator.generateKey(); // the key is created inside the keystore
}

Similarly, I can retrieve it like so:

keyStore.getKey(KEY_ALIAS, null);

I know that the getKey() function returns a Key object, but I haven't found a way to reveal the key itself. It does not seem to have a toString() or getBytes() or something like that.

How can I get the bytes of the key, or at least print out the string version of it? Is it even possible?

James K Polk Reply to 2017-11-14 23:31:51Z

The "AndroidKeyStore" is specifically designed to make this impossible or at least very difficult. There is a more complete discussion here, but in summary:

Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole.

Continuing along the lines of your example, the following additional lines of code:

Key key = keyStore.getKey(KEY_ALIAS, null);
String algorithm = key.getAlgorithm();
String format = key.getFormat();
byte[] encoded = key.getEncoded();

should cause key to be a valid non-null reference to a Key object; algorithm should return "AES", but format should be null, as should encoded.
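
An added example, not part of the answer above or of the Android documentation: instead of reading the key's bytes, the app passes the Key handle to Cipher and lets the keystore do the cryptography. It assumes the alias was created by the question's generation code (AES, GCM, no padding); the class name KeystoreHandleDemo and the method roundTrip are hypothetical.

```java
import android.security.keystore.KeyInfo;
import android.util.Log;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;

public final class KeystoreHandleDemo {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String AES_MODE = "AES/GCM/NoPadding";

    /** Encrypts and decrypts with the stored key; returns true if the round trip matches. */
    public static boolean roundTrip(String keyAlias) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(keyAlias, null);

        // The handle carries no exportable material: both calls return null.
        if (key.getFormat() != null || key.getEncoded() != null) {
            throw new IllegalStateException("key material is exportable");
        }

        // KeyInfo describes where the key lives without revealing it.
        SecretKeyFactory factory =
                SecretKeyFactory.getInstance(key.getAlgorithm(), ANDROID_KEYSTORE);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        Log.i("KeystoreHandleDemo", "hardware-backed: " + info.isInsideSecureHardware());

        // Constructed sample input.
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Encrypt: the keystore picks the GCM IV; read it back from the cipher.
        Cipher enc = Cipher.getInstance(AES_MODE);
        enc.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = enc.getIV();
        byte[] ciphertext = enc.doFinal(plaintext);

        // Decrypt with the same handle, the stored IV and a 128-bit tag.
        Cipher dec = Cipher.getInstance(AES_MODE);
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return Arrays.equals(plaintext, dec.doFinal(ciphertext));
    }
}
```

The IV is not secret and has to be stored alongside the ciphertext, since the key handle alone cannot reproduce it.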

Jeff.H Reply to 2017-11-14 22:35:43Z

The Key object returned has methods:


They return String, byte[], and String, respectively.

Click here for more info.
