Roll no1

Reputation: 1403

Tink prefers to use the AWS KMS system instead of the Android Keystore to store keys

I am new to Tink and have a question as to why Tink prefers an external KMS like AWS KMS instead of using the native Android Keystore.

There could be use cases where we don't want to take keys outside the app/device.

Upvotes: 0

Views: 58

Answers (1)

ixe013

Reputation: 10181

I'm sure there are use cases where you would want your keys next to your application, in a file next to it for example. I'll assume you've already had the lecture about the security controls needed around your use case.

You can use AndroidKeystoreKmsClient with Tink to use the native Android KMS. I can't test, but this SO answer should get you started.

Tink even supports plaintext keys in a file out of the box. Creating an unencrypted keyset with:

python cleartext_keyset_cli.py --mode generate --keyset_path danger.tink

will produce the following keyset:

{
  "primaryKeyId": 686006127,
  "key": [
    {
      "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
        "value": "GhCkKaBgscB8+eobbIkIjgRT",
        "keyMaterialType": "SYMMETRIC"
      },
      "status": "ENABLED",
      "keyId": 686006127,
      "outputPrefixType": "TINK"
    }
  ]
}

Upvotes: 0
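As an added example (not code from the question, the answer, or the Tink project itself), the following Java snippet shows the two options discussed above side by side on Android: a keyset wrapped by a master key that lives in the Android Keystore (via Tink's AndroidKeysetManager, which uses AndroidKeystoreKmsClient under the hood), and the same kind of keyset loaded from a cleartext JSON file such as the one produced by cleartext_keyset_cli.py. The keyset name, preferences file name, master key alias and the sample ciphertext/associated data are assumptions chosen for the example.

```java
import android.content.Context;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.CleartextKeysetHandle;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.integration.android.AndroidKeysetManager;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

/** Example only: Android-Keystore-wrapped keyset vs. cleartext keyset with Tink. */
public final class TinkKeysetExample {
  // Assumed names for this example; pick your own in a real app.
  private static final String KEYSET_NAME = "example_keyset";
  private static final String PREF_FILE = "example_keyset_prefs";
  // The "android-keystore://" scheme is AndroidKeystoreKmsClient's URI prefix;
  // "example_master_key" is an assumed key alias.
  private static final String MASTER_KEY_URI = "android-keystore://example_master_key";

  /**
   * Option 1: keep the key on the device. The AES-GCM keyset is generated in-app,
   * then stored in SharedPreferences encrypted under a master key that Tink creates
   * in the Android Keystore. The master key never leaves the Keystore; the data key
   * it wraps is still unwrapped into app memory whenever the Aead is used.
   */
  public static Aead deviceBoundAead(Context context)
      throws GeneralSecurityException, IOException {
    AeadConfig.register();
    KeysetHandle handle =
        new AndroidKeysetManager.Builder()
            .withSharedPref(context, KEYSET_NAME, PREF_FILE)
            .withKeyTemplate(KeyTemplates.get("AES256_GCM"))
            .withMasterKeyUri(MASTER_KEY_URI)
            .build()
            .getKeysetHandle();
    return handle.getPrimitive(Aead.class);
  }

  /**
   * Option 2: a cleartext keyset, e.g. the JSON written by
   * "cleartext_keyset_cli.py --mode generate". Nothing protects the key material
   * except the file's own access controls, which is why Tink makes you opt in
   * explicitly via CleartextKeysetHandle.
   */
  public static Aead cleartextAead(String keysetJson)
      throws GeneralSecurityException, IOException {
    AeadConfig.register();
    KeysetHandle handle = CleartextKeysetHandle.read(JsonKeysetReader.withString(keysetJson));
    return handle.getPrimitive(Aead.class);
  }

  /** Round-trips a message through either Aead; associated data is bound to the ciphertext. */
  public static byte[] roundTrip(Aead aead, String message) throws GeneralSecurityException {
    byte[] associatedData = "example-context".getBytes(StandardCharsets.UTF_8); // assumed AAD
    byte[] ciphertext = aead.encrypt(message.getBytes(StandardCharsets.UTF_8), associatedData);
    // Decryption with a different associatedData value would throw GeneralSecurityException.
    return aead.decrypt(ciphertext, associatedData);
  }
}
```

Two caveats worth keeping in mind when choosing between these. First, Tink's Android Keystore integration uses the Keystore key only as a key-encryption key for the keyset; the actual data-encryption key is unwrapped into app memory, so this gives you at-rest protection of the keyset, not hardware-bound encryption of every message. Second, the Keystore-backed path only applies on Android M (API 23) and newer; on older devices AndroidKeysetManager falls back to storing the keyset in cleartext, so check the device's API level if that matters for your threat model.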
