How to create masterKey after MasterKeys deprecated in Android

Question

I am using the following code to store some information encrypted in my app.

    val masterKey = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

    val sharedPreferences = EncryptedSharedPreferences.create(
        "secret_shared_prefs",
        masterKey,
        this,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

Since the MasterKeys class deprecated in Android, I should use the MasterKey class and but I cannot figure out what is the right method to get the same mastery defined.

Could somebody show the exact match with the available MasterKey and MasterKey.Builder classes?

The below solution worked like this:

val spec = KeyGenParameterSpec.Builder(
        "_androidx_security_master_key_",
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()

    val masterKey: MasterKey = MasterKey.Builder(this)
        .setKeyGenParameterSpec(spec)
        .build()

    val sharedPreferences = EncryptedSharedPreferences.create(
        this,
        "secret_shared_prefs",
        masterKey, // masterKey created above
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);

Hey, instead of using the hard coded Maste key alias and key size of 256, you should use `MasterKey.DEFAULT_MASTER_KEY_ALIAS` and `MasterKey.DEFAULT_AES_GCM_MASTER_KEY_SIZE` — Takeya, Aug 12 '20 at 11:14

score 51 · Answer 1 · edited Jul 28 '20 at 08:41

51

try this one


MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build();

SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(
        context,
        SHARED_PREF_NAME,
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);

edited Jul 28 '20 at 08:41

Alex Art.

8,711
3
29
47

answered Jun 23 '20 at 12:42

yohannes seifu

609
5
5

2

Why do I see a warning in the logs of "keyset not found, will generate a new one" ? – android developer Oct 27 '20 at 13:52
1

@androiddeveloper developer Got any solution for this warning? – Ameer Nov 19 '20 at 08:17
@Ameer I think it is ok to ignore those warnings. – android developer Nov 19 '20 at 10:02
I implement this solution but getting this error https://stackoverflow.com/questions/68825081/androidx-security-crypto-encrypted-prefs-key-keyset-does-not-exist Can you please help me Thanks – Viks Aug 18 '21 at 03:07

score 34 · Accepted Answer · answered Jun 21 '20 at 21:51

34

I had exactly the same problem today. See below for fix/workaround (example is in Java code but you can easily do the same in Kotlin)

Use MasterKey.Builder to create MasterKey (instead of MasterKeys). Build it with "manually" created KeyGenParameterSpec:

 // this is equivalent to using deprecated MasterKeys.AES256_GCM_SPEC
 KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
         MASTER_KEY_ALIAS,
         KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
         .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
         .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
         .setKeySize(KEY_SIZE)
         .build();

 MasterKey masterKey = new MasterKey.Builder(MainActivity.this)
         .setKeyGenParameterSpec(spec)
         .build();

Create EncryptedSharedPreferences using slightly different version of "create" method:

 EncryptedSharedPreferences.create(
         MainActivity.this,
         "your-app-preferences-name",
         masterKey, // masterKey created above
         EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
         EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);

That should do the trick :)

Reference and more details: https://devmainapps.blogspot.com/2020/06/android-masterkeys-deprecated-how-to.html

answered Jun 21 '20 at 21:51

xproph

1,171
11
7

Thanks, Sir! I was close, but the documentations are not really clear for this. :) I have added the code in my question. – Endre Olah Jun 23 '20 at 05:48
1

This is great, thanks. how can you return an existing Master Key? – darkknightsds Jun 30 '20 at 17:07
4

this requires min API 23 – Abhilash Maurya Aug 08 '20 at 14:19
1

Where is `KEY_SIZE` ? – android developer Oct 27 '20 at 08:48
2

@xproph for ```MASTER_KEY_ALIAS``` and ```KEY_SIZE```, Can we use ```DEFAULT_MASTER_KEY_ALIAS``` and ```DEFAULT_AES_GCM_MASTER_KEY_SIZE``` – Kousalya Mar 23 '21 at 08:08
MasterKey is not found !!! – Stevie Dec 23 '22 at 03:00
what is `MASTER_KEY_ALIAS` no one tells that! Does it have to be the alias for App's Keystore file or just any random name? – sud007 Jun 16 '23 at 11:28

score 15 · Answer 3 · answered Sep 29 '20 at 07:57

My version to get secret shared preference :

private fun getSecretSharedPref(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()

    return EncryptedSharedPreferences.create(context,
            "secret_shared_prefs",
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

score 11 · Answer 4 · edited Aug 16 '20 at 04:53

you can use either of the way

KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
     MASTER_KEY_ALIAS,
     KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
     .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
     .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
     .setKeySize(KEY_SIZE)
     .build();

MasterKey masterKey = new MasterKey.Builder(MainActivity.this)
     .setKeyGenParameterSpec(spec)
     .build();

or

MasterKey masterKey = new 
              MasterKey.Builder(context,MasterKey.DEFAULT_MASTER_KEY_ALIAS).
              setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build();

MasterKey.KeyScheme.AES256_GCM internally use same key generatespec as stated above.

score 3 · Answer 5 · answered Aug 10 '20 at 20:07

You can use it like this below

//Creating MasterKey
            val masterKey = MasterKey.Builder(context)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build()

            val fileToRead = "your_file_name.txt"
            val encryptedFile = EncryptedFile.Builder(context,
                File(context.filesDir, fileToRead),
                masterKey,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
            ).build()

score 1 · Answer 6 · answered Dec 07 '22 at 22:24

Kotlin version based on responses here with dependency on Security kotlin version androidx.security:security-crypto-ktx

class EncryptedPrefsImpl(context: Context) { 
    private companion object {    
        const val PREFERENCES_NAME = "some_file_name_here"
    }

    private val spec = KeyGenParameterSpec.Builder(
        MasterKey.DEFAULT_MASTER_KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    ).apply {
        setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        setKeySize(MasterKey.DEFAULT_AES_GCM_MASTER_KEY_SIZE)
    }.build()

    private val masterKey = MasterKey.Builder(context).apply {
        setKeyGenParameterSpec(spec)
    }.build()

    val preferences: SharedPreferences by lazy {
        EncryptedSharedPreferences(
            context,
            PREFERENCES_NAME,
            masterKey
        )
    }
}

Wow, something new. First time saw someone just for example at least mentioned `MasterKey.DEFAULT_MASTER_KEY_ALIAS` — sud007, Jun 16 '23 at 11:29

score 0 · Answer 7 · edited Dec 07 '22 at 22:18

0

If you're using the -ktx version of androidx.security:security-crypto you can reduce some of the boilerplate to just this:

val encryptedSharedPrefs = EncryptedSharedPreferences(
    context,
    ENCRYPTED_STORAGE_FILENAME,
    MasterKey(context)
)

edited Dec 07 '22 at 22:18

mtrakal

6,121
2
25
35

answered Sep 21 '22 at 14:45

Matt Robertson

2,928
5
34
62

How to create masterKey after MasterKeys deprecated in Android

7 Answers7

Linked