blob: bbbda67e6fd01c458525bcf8741413fdbebc7774 [file] [log] [blame]
page.title=Android Keystore System
<div id="qv-wrapper">
<div id="qv">
<h2>In this document</h2>
<li><a href="#WhichShouldIUse">Choosing Between a Keychain or the Android Keystore Provider</a></li>
<li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider
<li><a href="#GeneratingANewPrivateKey">Generating a New Private Key</a></li>
<li><a href="#WorkingWithKeyStoreEntries">Working with Keystore Entries</a></li>
<li><a href="#ListingEntries">Listing Entries</a></li>
<li><a href="#SigningAndVerifyingData">Signing and Verifying Data</a></li>
<h2>Blog articles</h2>
<h4>Unifying Key Store Access in ICS</h4>
<p>The Android Keystore system lets you store private keys
in a container to make it more difficult to extract from the
device. Once keys are in the keystore, they can be used for
cryptographic operations with the private key material remaining
<p>The Keystore system is used by the {@link} API as well as the Android
Keystore provider feature that was introduced in Android 4.3
(API level 18). This document goes over when and how to use the
Android Keystore provider.</p>
<h2 id="WhichShouldIUse">Choosing Between a Keychain or the
Android Keystore Provider</h2>
<p>Use the {@link} API when you want
system-wide credentials. When an app requests the use of any credential
through the {@link} API, users get to
choose, through a system-provided UI, which of the installed credentials
an app can access. This allows several apps to use the
same set of credentials with user consent.</p>
<p>Use the Android Keystore provider to let an individual app store its own
credentials that only the app itself can access.
This provides a way for apps to manage credentials that are usable
only by itself while providing the same security benefits that the
{@link} API provides for system-wide
credentials. This method requires no user interaction to select the credentials.</p>
<h2 id="UsingAndroidKeyStore">Using Android Keystore Provider</h2>
To use this feature, you use the standard {@link}
and {@link} classes along with the
{@code AndroidKeyStore} provider introduced in Android 4.3 (API level 18).</p>
<p>{@code AndroidKeyStore} is registered as a {@link} type for use with the {@link KeyStore.getInstance(type)}
method and as a provider for use with the {@link, String)
KeyPairGenerator.getInstance(algorithm, provider)} method.</p>
<h3 id="GeneratingANewPrivateKey">Generating a New Private Key</h3>
<p>Generating a new {@link} requires that
you also specify the initial X.509 attributes that the self-signed
certificate will have. You can replace the certificate at a later
time with a certificate signed by a Certificate Authority.</p>
<p>To generate the key, use a {@link}
with {@link}:</p>
{@sample development/samples/ApiDemos/src/com/example/android/apis/security/ generate}
<h3 id="WorkingWithKeyStoreEntries">Working with Keystore Entries</h3>
<p>Using the {@code AndroidKeyStore} provider takes place through
all the standard {@link} APIs.</p>
<h4 id="ListingEntries">Listing Entries</h4>
<p>List entries in the keystore by calling the {@link} method:</p>
{@sample development/samples/ApiDemos/src/com/example/android/apis/security/ list}
<h4 id="SigningAndVerifyingData">Signing and Verifying Data</h4>
<p>Sign data by fetching the {@link} from the keystore and using the
{@link} APIs, such as {@link}:</p>
{@sample development/samples/ApiDemos/src/com/example/android/apis/security/ sign}
<p>Similarly, verify data with the {@link[])} method:</p>
{@sample development/samples/ApiDemos/src/com/example/android/apis/security/ verify}