I have an Android app, and I have some certificates and public/private keys stored in a KeyStore. This KeyStore is protected by a password. The code is like this:

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
// BKS file in the app's private files directory, opened with a hard-coded password
File keyStoreFile = new File(getContext().getFilesDir(), "TheKeyStoreFile.bks");
char[] keystorePassword = "S0m3Tr9ck9P4ss".toCharArray();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
try (FileInputStream in = new FileInputStream(keyStoreFile)) {
    keyStore.load(in, keystorePassword); // stream is closed automatically
}
```

My question is: where should I save my password "S0m3Tr9ck9P4ss"? Where is the safest place to save it? Should I use another KeyStore to store it?

Sorry, it's not a duplicate. My question is where I should safely store the KeyStore password, not any password or certificate or public/private key. Those are stored in the KeyStore. But what about the password that protects the KeyStore itself? Where should I store this particular password?

Thanks in advance for your comments.

jherranzm
  • Possible duplicate of [how to securely store encryption keys in android?](https://stackoverflow.com/questions/46578584/how-to-securely-store-encryption-keys-in-android) – pedrofb May 18 '19 at 19:13
  • Sorry, it's not a duplicate. My question is where I should safely store the KeyStore password, not any password or certificate or public/private key. Those are stored in the KeyStore. But what about the password that protects the KeyStore itself? Where should I store this particular password? Thanks for your help! – jherranzm May 19 '19 at 05:09
  • I think that in the end it is the same question. Summarizing: store your private keys directly in the AndroidKeyStore, or generate an encryption key there to encrypt your current password. Then the keying material in AndroidKeyStore is only accessible to your app – pedrofb May 19 '19 at 15:04
  • Hi @pedrofb, thank you for your answer. Now I have all the secret keys in the KeyStore protected by a password. I do not know if it is a good idea to store that precise password in the KeyStore itself under a particular alias but without a password. I think that if the phone is rooted, some attacker could have access to the keystore file and then get all the aliases and info from it. Is that correct? Thank you for your answers. – jherranzm May 20 '19 at 04:16
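The second option in pedrofb's comment (generate an encryption key inside AndroidKeyStore and use it to encrypt the BKS password) can be implemented as below. This is an added example, not code from the question or from any commenter. It assumes API 23 or later (KeyGenParameterSpec), and the key alias and SharedPreferences file name are placeholders chosen for the example. The BKS password is generated randomly on first run, so no literal such as "S0m3Tr9ck9P4ss" has to be compiled into the APK, and the AES key that wraps it cannot be exported from AndroidKeyStore, so the blob written to the preferences file is only ciphertext plus an IV and is not usable without that key.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not code from the question): keeps the BKS password encrypted with an
 * AES-256-GCM key generated inside AndroidKeyStore (API 23+). Only ciphertext and IV are
 * persisted, in the app's private SharedPreferences. KEY_ALIAS and PREFS_NAME are assumed names.
 */
public final class KeyStorePasswordWrapper {
    private static final String KEY_ALIAS = "bks_password_wrapping_key"; // assumed alias
    private static final String PREFS_NAME = "bks_password_prefs";       // assumed prefs file
    private static final String PREF_CIPHERTEXT = "ciphertext";
    private static final String PREF_IV = "iv";
    private final SharedPreferences prefs;

    public KeyStorePasswordWrapper(Context context) {
        prefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
    }

    /** Random BKS password for the first run, so no literal ever appears in the APK. */
    public static char[] generatePassword(int length) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
        SecureRandom rng = new SecureRandom();
        char[] out = new char[length];
        for (int i = 0; i < length; i++) out[i] = alphabet.charAt(rng.nextInt(alphabet.length()));
        return out;
    }

    /** Loads the wrapping key, creating it inside AndroidKeyStore on first use. */
    private static SecretKey getOrCreateWrappingKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null); // AndroidKeyStore has no backing file and no password of its own
        Key existing = ks.getKey(KEY_ALIAS, null);
        if (existing instanceof SecretKey) return (SecretKey) existing;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey(); // key material never leaves the keystore
    }

    /** Encrypts and persists the password; the caller's char[] is zeroed afterwards. */
    public void store(char[] password) throws Exception {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] plain = new byte[encoded.remaining()];
        encoded.get(plain);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateWrappingKey()); // keystore picks a fresh random IV
        byte[] ciphertext = cipher.doFinal(plain);
        byte[] iv = cipher.getIV();
        Arrays.fill(plain, (byte) 0);
        Arrays.fill(password, '\0');
        prefs.edit().putString(PREF_CIPHERTEXT, Base64.encodeToString(ciphertext, Base64.NO_WRAP))
                    .putString(PREF_IV, Base64.encodeToString(iv, Base64.NO_WRAP))
                    .apply();
    }

    /** Decrypts the stored password, or returns null when none has been stored yet. */
    public char[] load() throws Exception {
        String ct = prefs.getString(PREF_CIPHERTEXT, null);
        String iv = prefs.getString(PREF_IV, null);
        if (ct == null || iv == null) return null;
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateWrappingKey(),
                new GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP))); // 128-bit GCM tag
        byte[] plain = cipher.doFinal(Base64.decode(ct, Base64.NO_WRAP)); // AEADBadTagException if altered
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] out = new char[decoded.remaining()];
        decoded.get(out);
        Arrays.fill(plain, (byte) 0);
        return out;
    }
}
```

On first run, call `generatePassword(32)`, pass a copy of it to `store(...)`, and create the BKS file with that password; on later runs, pass the result of `load()` to `keyStore.load(in, password)` and `Arrays.fill` it once the KeyStore is open. The conversion goes through `CharBuffer` rather than `new String(...)` so that no immutable copy of the password lingers on the heap. A failure in `load()` with `AEADBadTagException` means the stored blob was altered or the wrapping key changed (for example after a factory reset), which is worth logging as an integrity signal rather than silently retrying.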

0 Answers