I am looking to understand Android keystore for the purpose of storing passwords on device. (https://developer.android.com/training/articles/keystore.html)

In this article it says "Use the Android Keystore provider to let an individual app store its own credentials that only the app itself can access." This is exactly what I want.

So I think the way this will work is like: 1) I will generate a RSA key

2) Store the PrivateKey in the KeyStore

3) Store the PublicKey in some SharePrefs

4) Encrypt Password using the PublicKey

5) Encrypt Password using the PrivateKey.

However I think I am misunderstanding something because this article does not show

1) How to save PrivateKey to KeyStore (I don't see any API showing how keystore added the key)

2) Does not show how to decrypt data with PrivateKey

Infant why is this article talking about "Use a PrivateKey in the KeyStore to create a signature over some data." What does it mean to create a Signature over some data ??? (I want to decrypt data with PrivateKey). And why does it want to verify "signature previously made by a PrivateKey".

So I am lost at this point ... this article started me of in the right place but then by the end I am confused what it is trying to achieve.

Can someone suggest if what I am trying to do makes any sense at all ? Or should I just save public and private key in my own db ? (not much security there but its the best I can do with given requirement of storing password on device).

Many thanks

Rgds !!!!

I am quoting this line from Using internal storage section of http://developer.android.com/training/articles/security-tips.html By default, files that you create on internal storage are accessible only to your app. This protection is implemented by Android and is sufficient for most applications.

Now about encryption: Keystore API is dealing with encryption of the data. And keys are used for secure communication and not for storing password. Passwords are usually irreversible hashes or maps. And do not require decryption but needs only matching.

For example: To communication if you send data encrypted other party involved in communication needs to know what the data is so required decryption key. So if you have sent "Hello I am Crypted" receiver must know you sent "Hello I am Crypted" as message.

For password if you enter some passphrase or passkey it needs to be matched with the stored counterpart. Like if "pass123" is your password stored as "rdi#$$+!@/b" then when you enter a password when process by checking algorithm it should match the stored value and you are authenticated it is not required to generate "pass123".

So, for your application you can use some mechanism(that generates almost unique and irreversible hash) to generate unique key/hash when password is entered and then store it in your app data.