I want to store my secret keys using the Android KeyStore Provider (on Android 6 and above). But I can't understand one thing: will the keys be deleted when the user changes the lock screen settings?
The Android 6 changes list says:
Keys which do not require encryption at rest will no longer be deleted when secure lock screen is disabled or reset (for example, by the user or a Device Administrator). Keys which require encryption at rest will be deleted during these events.
But what are the keys which do not require encryption? Does it mean that I should choose between storing keys unsafely (without encryption) or having them erased when the user changes settings?
Keys that require user authentication are generated using setUserAuthenticationRequired on the KeyGenParameterSpec on API 23+:

    // alias: keystore alias, purposes: KeyProperties.PURPOSE_* flags
    val spec = KeyGenParameterSpec.Builder(alias, purposes)
        .setUserAuthenticationRequired(requiresAuth)
        // ... other builder settings (block modes, paddings, etc.)
        .build()
and using setEncryptionRequired on the KeyPairGeneratorSpec on API 19-22:

    val specBuilder = KeyPairGeneratorSpec.Builder(context)
    if (requiresAuth) {
        // key generation fails if no secure lock screen is set
        specBuilder.setEncryptionRequired()
    }
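Added example (not from the answer above) showing, on API 23+, how a lock-screen-bound AES key is created and how an app notices that the key was invalidated after the lock screen was reset; function names, the alias and the 30-second validity window are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical helper: creates an AES-GCM key in AndroidKeyStore. With
// requiresAuth = true the key is tied to the secure lock screen, so resetting
// or disabling the lock screen deletes/invalidates it.
fun generateAesKey(alias: String, requiresAuth: Boolean): SecretKey {
    val builder = KeyGenParameterSpec.Builder(
            alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(requiresAuth)
    if (requiresAuth) {
        // assumed policy: the key stays usable for 30 s after the user unlocks
        builder.setUserAuthenticationValidityDurationSeconds(30)
    }
    val generator = KeyGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    generator.init(builder.build())
    return generator.generateKey()
}

sealed class CipherResult {
    data class Ready(val cipher: Cipher) : CipherResult()
    object NeedsUserAuth : CipherResult()      // user must unlock first
    object KeyInvalidated : CipherResult()     // lock screen was reset/disabled
}

// Hypothetical helper: loads the key and prepares an encrypt cipher, mapping
// the two Keystore failure modes to explicit results instead of a crash.
fun prepareEncryptCipher(alias: String): CipherResult {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(alias, null) as? SecretKey
        ?: return CipherResult.KeyInvalidated     // entry gone: treat as deleted
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        cipher.init(Cipher.ENCRYPT_MODE, key)
        CipherResult.Ready(cipher)
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(alias)               // stale entry; caller regenerates
        CipherResult.KeyInvalidated
    } catch (e: UserNotAuthenticatedException) {
        CipherResult.NeedsUserAuth
    }
}
```

On KeyInvalidated the app must regenerate the key and re-encrypt any data that depended on it; data encrypted under the old key is unrecoverable.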