Document when encrypted AndroidKeyStore keys are wiped.

This also drops the boolean parameter from
KeyGeneratorSpec.Builder.setEncryptionRequired to match the already
launched KeyPairGeneratorSpec.Builder.setEncryptionRequired.

Bug: 18088752
Change-Id: I91a3e8c77958971b1bda8329319f1a0d8043b669

1 files changed, 6 insertions, 7 deletions

diff --git a/keystore/java/android/security/KeyGeneratorSpec.java b/keystore/java/android/security/KeyGeneratorSpec.java
index 5a10a0a3f109..97e3a676fe96 100644
--- a/keystore/java/android/security/KeyGeneratorSpec.java
+++ b/keystore/java/android/security/KeyGeneratorSpec.java
@@ -306,16 +306,15 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
          * secure lock screen credential (e.g., password, PIN, or pattern).
          *
          * <p>Note that this feature requires that the secure lock screen (e.g., password, PIN,
-         * pattern) is set up. Otherwise key generation will fail.
+         * pattern) is set up, otherwise key generation will fail. Moreover, this key will be
+         * deleted when the secure lock screen is disabled or reset (e.g., by the user or a Device
+         * Administrator). Finally, this key cannot be used until the user unlocks the secure lock
+         * screen after boot.
          *
          * @see KeyguardManager#isDeviceSecure()
          */
-        public Builder setEncryptionRequired(boolean required) {
-            if (required) {
-                mFlags |= KeyStore.FLAG_ENCRYPTED;
-            } else {
-                mFlags &= ~KeyStore.FLAG_ENCRYPTED;
-            }
+        public Builder setEncryptionRequired() {
+            mFlags |= KeyStore.FLAG_ENCRYPTED;
             return this;
         }