- I guess the CryptoConfig will be a stand-alone class which can be applied as a param to the existing ‘StoreConfig’ and ‘PipeConfig’ (later on), right?

// crypto configuration

CryptoConfig cryptoConfig = new PasswordProtectedKeystoreConfig();
cryptoConfig.setAlias("myalias");
cryptoConfig.setKeystoreFileName("app.keystore");
cryptoConfig.setPassword("somePassword");

// store configuration

StoreConfig config = new StoreConfig(); config.setType(ENCRYPTED_MEMORY); config.setName("encrypted”)

// apply crypto config

config.setCryptoConfig(cryptoConfig);

// build store

EncryptedStore = dataManager.store(config);

As I understand, the passphrase is used only to unlock the keystore and _not_ for encrypt/decrypt of data. Then the private/public keys are generated and stored in the keystore which can be accessed later. A benefit for this as I see is that you don’t need to reencrypt the data if the passphrase is changed. Only decrypt keystore (old-passphrase) and update keystore (with the new passphrase).

- apart from ‘PasswordKeyServices’ which unlocks the 'keystore based on a password, what other impls of KeyServices are in mind?

- apart from keys, IV is a param needed to encrypt, not shown yet but I guess this should be stored on the keystore too and be accessible from the client when does ‘encrypt’/‘decrypt’.

One of the things we briefly discussed on the chat was key generation
and secret storage.

For Android we want to combine the two in an "easy" API which follows
the Object/Factory/Config patterns of our other systems (Pipeline,
Authentication, Push).

Here is a high level code flavored example of what I am talking about.

https://gist.github.com/secondsun/d602d19255b1fd085ac8

Actual work is going forward here:
https://github.com/secondsun/aerogear-android/tree/security

wdyt?
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev