Fingerprint on Android and Master Key

matan129 · 2018-09-26 21:46:25 UTC

When using fingerprint authentication on Android, what happens to the master key?

The key is obviously needed for vault encryption/decryption, so how does it work?

kspearrin · 2018-09-27 04:42:53 UTC

It is stored in the android keystore on the device.

itsbruce · 2018-12-31 17:35:24 UTC

Any Android device which supports fingerprint recognition has a TEE (Trusted Execution Environment) that runs its own little operating system in memory not accessible by Android:

When you use fingerprint auth for Bitwarden, the master key does have to be stored on the phone. But it’s encrypted using a key that only the TEE has. So even if the master key is stored in the main phone storage, it has to be passed to the TEE to be decrypted - and the unencrypted version is not passed back out again. The encryption/decryption that the master key is used for is done within the TEE and only the results are passed back out to Android.