
Encrypting Realm with key stored in KeyStore

I am trying to set up an encrypted default realm instance in my app. The idea is to generate a key using a KeyPairGenerator with a given alias, store it in the AndroidKeyStore and use said key every time it is needed.

WHAT I DO

This is how I generate the key:

    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
    ks.load(null);

    // Only generate the key pair once per alias
    if (!ks.containsAlias(KEY_ALIAS)) {

        // Validity period of the self-signed certificate
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 99);

        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(this)
                .setAlias(KEY_ALIAS)
                .setSubject(new X500Principal("CN=Example, O=ExampleOrg"))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();

        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        generator.initialize(spec);

        KeyPair keyPair = generator.generateKeyPair();
    }

I am using the KeyPairGenerator as I need to support API versions 18 and up.

Here is how I set up my default realm instance in my Application:

    RealmConfiguration config = null;
    try {
        config = new RealmConfiguration
                .Builder(this)
                .encryptionKey(ks.getKey(KEY_ALIAS, null).getEncoded())
                .name("dealmatrix.realm")
                .schemaVersion(1)
                .build();

where ks is a Keystore instance acquired like so:

    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
    ks.load(null);

WHAT GOES WRONG

My problem is that this expression:

ks.getKey(KEY_ALIAS, null).getEncoded()

returns null, which understandably leads to an exception.

I have read online that this is the intended behaviour of the KeyStore system.

If indeed I am unable to get the stored encryption key's byte array, how am I supposed to encrypt my realm using said key?

Are there any other methods to securely store an encryption key so that I may use it in my realm configuration?

Rakatan asked Dec 18 '25 12:12


1 Answer

There is a WIP example project in the feature/example/store_password branch of the Realm repository which uses the Android keystore.

https://github.com/realm/realm-java/tree/feature/example/store_password/examples/StoreEncryptionPassword

The core logic is written in Store.java.

We need to do some more work (cleanup, adding comments, supporting old devices) before releasing this example project, but I think this project will help you.

zaki50 answered Dec 21 '25 02:12
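One way around the null `getEncoded()` result described in the question, shown as an added example that is not part of the original posts and is not the Realm project's Store.java: generate a random 64-byte Realm key, encrypt it with the Keystore RSA public key, keep only the ciphertext in SharedPreferences, and decrypt it through the non-exportable private-key handle at startup. The class, method and preference names are hypothetical, and the RSA key pair is assumed to already exist under the alias, as generated in the question.

```java
import android.content.SharedPreferences;
import android.util.Base64;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.Cipher;

/** Added example (hypothetical helper): wraps a random Realm key with the Keystore RSA pair. */
public final class WrappedRealmKey {
    private static final String RSA_MODE = "RSA/ECB/PKCS1Padding";
    private static final String PREF_WRAPPED_KEY = "wrapped_realm_key"; // hypothetical name

    /**
     * Returns the 64-byte Realm key, creating and wrapping it on first use.
     * Assumes the RSA key pair for keyAlias already exists in AndroidKeyStore.
     */
    public static byte[] loadOrCreate(SharedPreferences prefs, String keyAlias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);

        Cipher cipher = Cipher.getInstance(RSA_MODE);
        String stored = prefs.getString(PREF_WRAPPED_KEY, null);
        if (stored != null) {
            // The private key is only a handle; its bytes never leave the keystore.
            PrivateKey privateKey = (PrivateKey) ks.getKey(keyAlias, null);
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            return cipher.doFinal(Base64.decode(stored, Base64.NO_WRAP));
        }

        // First run: 64 bytes plus PKCS#1 padding fits in one block of an RSA key >= 1024 bits.
        byte[] realmKey = new byte[64];
        new SecureRandom().nextBytes(realmKey);

        // The public half is exportable, so it is read from the stored certificate.
        PublicKey publicKey = ks.getCertificate(keyAlias).getPublicKey();
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        String wrapped = Base64.encodeToString(cipher.doFinal(realmKey), Base64.NO_WRAP);
        if (!prefs.edit().putString(PREF_WRAPPED_KEY, wrapped).commit()) {
            throw new IOException("could not persist wrapped Realm key");
        }
        return realmKey;
    }
}
```

The returned array is what would be passed to `.encryptionKey(...)` in the RealmConfiguration builder in place of `ks.getKey(KEY_ALIAS, null).getEncoded()`.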