AndroidKeyStoreEncryptionKey

A hardware-backed JweProcessor that wraps and unwraps content-encryption keys (CEKs) using RSA keys stored in the Android Keystore. The RSA private key never leaves the secure element (TEE or StrongBox); only the CEK — generated per-encrypt call — leaves the hardware boundary.

Use getInstance to look up an existing key, or getOrCreateInstance to obtain one and generate it on first use.

Types

object Companion

Properties

open override val algorithm: EncryptionAlgorithm
open override val keyId: String

Functions

open suspend override fun decrypt(aad: ByteArray, encryptedKey: ByteArray, iv: ByteArray, data: ByteArray, tag: ByteArray, contentAlgorithm: EncryptionContentAlgorithm): ByteArray

Unwraps encryptedKey using the hardware-backed RSA private key, then decrypts data with the recovered CEK using contentAlgorithm.

open suspend override fun encrypt(data: ByteArray, aad: ByteArray, contentAlgorithm: EncryptionContentAlgorithm): JweEncryptResult

Generates a random CEK for contentAlgorithm, encrypts it with the hardware-backed RSA public key using OAEP padding, then encrypts data with the CEK using contentAlgorithm.
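
The wrap/unwrap flow that encrypt and decrypt describe, as an added JVM example that is not this library's code. It assumes RSA-OAEP with SHA-256 and AES-256-GCM as the content algorithm, uses a software RSA key as a stand-in for the Android Keystore key, and the Parts class is a hypothetical holder, not JweEncryptResult.

```kotlin
import java.security.Key
import java.security.KeyPairGenerator
import java.security.PrivateKey
import java.security.PublicKey
import java.security.SecureRandom
import java.security.spec.MGF1ParameterSpec
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.spec.*

// Hypothetical holder mirroring the fields decrypt() takes; not the library's JweEncryptResult.
class Parts(val encryptedKey: ByteArray, val iv: ByteArray, val data: ByteArray, val tag: ByteArray)

// Assumed parameters: OAEP with SHA-256 and MGF1-SHA-256; the page only says "OAEP padding".
private val oaep = OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT)
private fun rsa(mode: Int, key: Key) =
    Cipher.getInstance("RSA/ECB/OAEPPadding").apply { init(mode, key, oaep) }

fun encrypt(pub: PublicKey, data: ByteArray, aad: ByteArray): Parts {
    val cek = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey() // fresh CEK per call
    val iv = ByteArray(12).also { SecureRandom().nextBytes(it) }               // 96-bit GCM nonce
    val gcm = Cipher.getInstance("AES/GCM/NoPadding").apply {
        init(Cipher.ENCRYPT_MODE, cek, GCMParameterSpec(128, iv)); updateAAD(aad)
    }
    val out = gcm.doFinal(data)                                                // ciphertext || 16-byte tag
    val split = out.size - 16
    return Parts(rsa(Cipher.ENCRYPT_MODE, pub).doFinal(cek.encoded), iv,
        out.copyOfRange(0, split), out.copyOfRange(split, out.size))
}

fun decrypt(priv: PrivateKey, aad: ByteArray, p: Parts): ByteArray {
    val cek = SecretKeySpec(rsa(Cipher.DECRYPT_MODE, priv).doFinal(p.encryptedKey), "AES")
    val gcm = Cipher.getInstance("AES/GCM/NoPadding").apply {
        init(Cipher.DECRYPT_MODE, cek, GCMParameterSpec(128, p.iv)); updateAAD(aad)
    }
    return gcm.doFinal(p.data + p.tag) // throws AEADBadTagException if aad, data or tag was altered
}

fun main() {
    // Software RSA key as a stand-in; on a device the private key would stay inside the Android Keystore.
    val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val aad = "constructed-protected-header".toByteArray() // constructed sample AAD
    val parts = encrypt(kp.public, "secret payload".toByteArray(), aad)
    println(String(decrypt(kp.private, aad, parts)))
    try { decrypt(kp.private, "tampered".toByteArray(), parts) }
    catch (e: AEADBadTagException) { println("rejected: AAD mismatch") }
}
```

The second decrypt call shows why aad must be passed through unchanged: the GCM tag covers it, so a modified header is rejected before any plaintext is returned.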