Score:2

Is Keystore a file, a database, a specification?


What exactly are keystores?

I understand they are used to store things like private keys, certificates etc. But how exactly is that done? Is it just an encrypted database where you put all these things? Or is it a single file that keeps all these things? Or is it, in more abstract terms, just a specification (which maybe includes how the file and storage are to be constructed)?

Marc:
It's just a term, not a specification or a description of how it should be implemented.
DannyNiu:
It's just a component of key management. NIST-SP-800-57-* is a series of recommendations on key management practices, but I don't think it has anything specific on the implementation of a "keystore".
fgrieu:
The "Android keystore" at least comes with an attempted [definition](https://developer.android.com/training/articles/keystore), even if the level of insurance it gives varies with devices and versions. Keystore definitions are like promises: they only bind those who believe in them.
Score:3

A Keystore is a concept of how cryptographic material like keys and certificates is stored. So everything that allows that can be considered to be one, e.g. a directory containing files (e.g. when using OpenSSL) or a database or a single file with a particular structure. There are standards for the latter, e.g. PKCS#12 or standards defined by programming languages like the Java KeyStore format JKS (the good thing about standards is that there are plenty).

Maarten Bodewes:
The bad thing about KeyStore standards is that they are pretty messed up, including PKCS#12. It is however more compatible and less messed up than the JKS, which is why later versions of Java simply use PKCS#12 (using low iteration counts, multiple calls to PBKDF2 and interesting stuff such as 3DES and RC2 encryption, the latter fortunately just for the certificates).
Score:2

A keystore is a computer subsystem that stores cryptographic keys. You can arrange for a key to be stored in it and use the key later in some way. That's the only characteristic you can always expect from something called a keystore.

A keystore may or may not have stronger protections than the rest of the system, such as preventing direct access to its memory or encrypting the data at rest.

A keystore may or may not offer some control over whether keys can be pulled out of it. A keystore may or may not be capable of generating keys itself. A system that can only store keys that it generated itself would be a bit of a stretch, but it would still be called a keystore. A keystore may or may not be able to perform cryptographic operations itself without extracting the key from it, and if so it may or may not associate some form of usage policy with the key.

A keystore may or may not be backed by persistent storage, and if so, that storage could be based on some more generally known database format or not.

A keystore usually associates some form of name with each key, but even that isn't universal (PKCS#11 is a notable exception: it's a keystore interface where keys don't have to have names, and if they do, they don't have to identify a key uniquely).

Of course, in a given context, the use of the word “keystore” may imply some of these properties. But that would be specific to this particular context.
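To make the "may or may not" properties in this answer concrete, here is a minimal in-memory keystore written for this page (added example, not code from the original answer or from any real keystore product). It assumes nothing beyond the Python standard library: keys are bound to an alias, can be generated inside the store, can be marked non-extractable, carry a usage policy, and are used for HMAC signing and verification without the key material ever leaving the store. The class, method names and the constructed messages are all hypothetical; there is no encrypted persistence, which is exactly the point that a real keystore "may or may not" add on top of this interface.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class _Entry:
    """One stored key: secret bytes plus the policy attached to it."""
    secret: bytes
    usages: frozenset
    extractable: bool


class KeyStore:
    """Hypothetical keystore illustrating alias binding, in-store key
    generation, non-extractability, usage policy and in-store operations."""

    def __init__(self):
        self._entries = {}

    def generate_key(self, name, usages=("sign", "verify"), extractable=False):
        # Key material is produced inside the store; the caller only gets
        # the alias back, and can never read the bytes unless extractable.
        if name in self._entries:
            raise KeyError(f"alias already exists: {name}")
        self._entries[name] = _Entry(secrets.token_bytes(32), frozenset(usages), extractable)
        return name

    def import_key(self, name, secret, usages=("sign", "verify"), extractable=True):
        # A store "may or may not" accept externally generated keys; this one does.
        if name in self._entries:
            raise KeyError(f"alias already exists: {name}")
        self._entries[name] = _Entry(bytes(secret), frozenset(usages), extractable)
        return name

    def aliases(self):
        """Names are the only thing a caller learns about stored keys."""
        return sorted(self._entries)

    def export_key(self, name):
        entry = self._entries[name]
        if not entry.extractable:
            raise PermissionError(f"key '{name}' is not extractable")
        return entry.secret

    def _checked(self, name, usage):
        # Usage policy is enforced by the store, not by the caller.
        entry = self._entries[name]
        if usage not in entry.usages:
            raise PermissionError(f"key '{name}' does not permit '{usage}'")
        return entry

    def sign(self, name, data):
        """HMAC-SHA256 computed inside the store; the key never leaves it."""
        entry = self._checked(name, "sign")
        return hmac.new(entry.secret, data, hashlib.sha256).digest()

    def verify(self, name, data, tag):
        entry = self._checked(name, "verify")
        expected = hmac.new(entry.secret, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo():
    """Exercise each property and report which ones the store enforced."""
    ks = KeyStore()
    ks.generate_key("api-hmac", usages=("sign", "verify"), extractable=False)
    ks.generate_key("verify-only", usages=("verify",), extractable=False)
    msg = b"constructed sample message"  # constructed input, not real traffic
    tag = ks.sign("api-hmac", msg)
    results = {
        "verifies": ks.verify("api-hmac", msg, tag),
        "tampered_rejected": not ks.verify("api-hmac", msg + b"!", tag),
    }
    try:
        ks.export_key("api-hmac")
        results["export_blocked"] = False
    except PermissionError:
        results["export_blocked"] = True
    try:
        ks.sign("verify-only", msg)
        results["policy_enforced"] = False
    except PermissionError:
        results["policy_enforced"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that `sign` and `verify` take an alias, not key bytes: callers can use a key they are never allowed to read, which is the property hardware-backed stores (such as the Android Keystore mentioned in the comments) build on, and which a plain "encrypted database of keys" does not give you.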
