Open BlueDrink9 opened 5 years ago
It might be possible from an API perspective ... (see: https://developer.android.com/training/articles/keystore#ImportingEncryptedKeys)
But, doing so negates what is arguably the main/primary benefit of using the KeyStore in the first place: that a private key generated in the KeyStore can (hopefully) never be extracted. This is similar to how a (good) PKI/PIV smart card works ... the key is generated directly on the card and never ever leaves the card... all encryption/signing is done inside the security hardware. (Good PIV smart card enrollment has the card generate the key, submit it to a certificate server/CA for signing, and then install the signed public key on the card. The private key never leaves the card.)
The act of importing a key means, categorically, that the key has existed somewhere other than inside the secure hardware (at some point). While it may not have been compromised, there is a chance. (Which is why the security hardware works the way it does ... ) If you ever see instructions on how to import a public/private keypair (e.g. stored in a PKCS12 file) to a smart card, YubiKey, whatever... you don't have security, you have a glorified flash drive that stores the key.
While it might be possible to import a key, in the interests of "secure by design" - I think it would be best to leave this out of the API.
see: https://developer.android.com/training/articles/keystore#ExtractionPrevention
@BlueDrink9 Is it possible to design your use case to generate the key on-device and then use the public key somehow?
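The on-device approach asked about in the comment above, as an added example that is not code from this project or from any participant in the thread: it generates an RSA signing key inside the Android KeyStore, checks that no private key material can be read back, and returns only the public half as an OpenSSH `authorized_keys` line. The class name `OnDeviceSshKey`, the method `create` and the `alias` parameter are hypothetical; API level 23 or later is assumed.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;

// Hypothetical helper class, added for illustration.
public final class OnDeviceSshKey {
    /** Generates a KeyStore-resident RSA key; returns its public key as an authorized_keys line. */
    public static String create(String alias) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setKeySize(2048)
                .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .build());
        KeyPair pair = kpg.generateKeyPair();

        // The private key object is only a handle: the KeyStore exposes no encoded form.
        if (pair.getPrivate().getEncoded() != null) {
            throw new IllegalStateException("private key material is readable by the app");
        }
        KeyInfo info = KeyFactory.getInstance(pair.getPrivate().getAlgorithm(), "AndroidKeyStore")
                .getKeySpec(pair.getPrivate(), KeyInfo.class);
        // Deprecated since API 31 in favour of getSecurityLevel(), but still available.
        boolean hardwareBacked = info.isInsideSecureHardware();

        // OpenSSH public key blob: string "ssh-rsa", mpint e, mpint n.
        // BigInteger.toByteArray() is big-endian two's complement, which matches mpint.
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(blob);
        writeField(out, "ssh-rsa".getBytes(StandardCharsets.US_ASCII));
        writeField(out, pub.getPublicExponent().toByteArray());
        writeField(out, pub.getModulus().toByteArray());
        return "ssh-rsa " + Base64.encodeToString(blob.toByteArray(), Base64.NO_WRAP)
                + " " + alias + (hardwareBacked ? " hardware-backed" : " software-backed");
    }

    // Each field is a 4-byte big-endian length followed by the bytes.
    private static void writeField(DataOutputStream out, byte[] data) throws IOException {
        out.writeInt(data.length);
        out.write(data);
    }
}
```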
I see. My hope was to use my existing RSA keys with an ssh agent, but you've convinced me that keystore isn't the right way to do it.
Feature description
Currently, keystore will only add keys generated through it. It would be excellent to be able to add already-existing keys to it.
Background information
I'm making the assumption this is possible based on the fact that Keystore somehow manages to add the generated key. Forgive me if adding new ones is not permitted by the Android API.