From 5418393c58d1d80fe37a209ab931f6d56bd46a86 Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Fri, 8 May 2015 15:25:48 -0700
Subject: Document when encrypted AndroidKeyStore keys are wiped.
This also drops the boolean parameter from KeyGeneratorSpec.Builder.setEncryptionRequired to match the already launched KeyPairGeneratorSpec.Builder.setEncryptionRequired.
Bug: 18088752
Change-Id: I91a3e8c77958971b1bda8329319f1a0d8043b669
---
keystore/java/android/security/KeyStoreParameter.java | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'keystore/java/android/security/KeyStoreParameter.java')
diff --git a/keystore/java/android/security/KeyStoreParameter.java b/keystore/java/android/security/KeyStoreParameter.java
index ea5ca7110f40..7332332be408 100644
--- a/keystore/java/android/security/KeyStoreParameter.java
+++ b/keystore/java/android/security/KeyStoreParameter.java
@@ -305,7 +305,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
 *
 *
      * KeyStoreParameter params = new KeyStoreParameter.Builder(mContext)
-     *         .setEncryptionRequired()
+     *         .setEncryptionRequired(true)
      *         .build();
      * 
*/
@@ -338,12 +338,15 @@ public final class KeyStoreParameter implements ProtectionParameter {
 }
 /**
- * Indicates that this {@link java.security.KeyStore} entry must be encrypted at rest. This
- * will protect the entry with the secure lock screen credential (e.g., password, PIN, or
- * pattern).
+ * Sets whether this {@link java.security.KeyStore} entry must be encrypted at rest.
+ * Encryption at rest will protect the entry with the secure lock screen credential (e.g.,
+ * password, PIN, or pattern).
 *
 *

Note that enabling this feature requires that the secure lock screen (e.g., password,
- * PIN, pattern) is set up. Otherwise setting the {@code KeyStore} entry will fail.
+ * PIN, pattern) is set up, otherwise setting the {@code KeyStore} entry will fail.
+ * Moreover, this entry will be deleted when the secure lock screen is disabled or reset
+ * (e.g., by the user or a Device Administrator). Finally, this entry cannot be used until
+ * the user unlocks the secure lock screen after boot.
 *
 * @see KeyguardManager#isDeviceSecure()
 */
--
cgit v1.2.3
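Review bot: The paragraph added in the second hunk says the entry is deleted when the secure lock screen is disabled or reset, and is unusable until the first unlock after boot, but it does not say how either condition reaches the caller (absent entry, exception, or a failed key operation). An app that keeps the only copy of a secret under such an entry needs that to write its recovery path, so I would add a sentence such as `Callers must treat loss of this entry as an expected event and be able to re-create or re-provision the key.` and name the concrete failure once it is confirmed against the implementation. The summary now reads "Sets whether", yet no `@param` tag for the boolean is visible between `/**` and `*/` in this hunk. The method signature lies outside the hunk, so the parameter name has to be taken from there.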