Fingerprint on Android and Master Key


#1

When using fingerprint authentication on Android, what happens to the master key?

The key is obviously needed for vault encryption/decryption, so how does it work?


#2

It is stored in the Android Keystore on the device.


#3

Any Android device which supports fingerprint recognition has a TEE (Trusted Execution Environment) that runs its own little operating system in memory not accessible by Android:

When you use fingerprint auth for Bitwarden, the master key does have to be stored on the phone. But it’s encrypted using a key that only the TEE has. So even if the master key is stored in the main phone storage, it has to be passed to the TEE to be decrypted - and the unencrypted version is not passed back out again. The encryption/decryption that the master key is used for is done within the TEE and only the results are passed back out to Android.
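Added example, in Kotlin, of the wrapping pattern post #3 describes using the Android Keystore API; it is not code from the thread or from Bitwarden. It assumes a `FragmentActivity`, the `androidx.biometric` library, and a hypothetical key alias and prompt text.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec

private const val ALIAS = "vault_master_key_wrapper"   // hypothetical key alias
private const val STORE = "AndroidKeyStore"
private const val GCM_IV_LEN = 12                      // Keystore generates a 12-byte GCM IV

// Non-exportable AES-256-GCM key in the hardware keystore; with no auth validity window,
// every encrypt/decrypt needs a fresh strong-biometric confirmation.
fun createWrappingKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        .setInvalidatedByBiometricEnrollment(true)   // enrolling a new fingerprint invalidates the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE).apply { init(spec) }.generateKey()
}
fun loadWrappingKey(): SecretKey =
    KeyStore.getInstance(STORE).apply { load(null) }.getKey(ALIAS, null) as SecretKey
// Check before trusting it: a software-emulated keystore key gives none of the TEE guarantees.
fun isHardwareBacked(key: SecretKey): Boolean =
    (SecretKeyFactory.getInstance(key.algorithm, STORE).getKeySpec(key, KeyInfo::class.java) as KeyInfo)
        .isInsideSecureHardware                      // API 31+: inspect securityLevel instead
// Ciphers are initialised up front; the keystore refuses doFinal until the TEE sees an auth token.
fun wrapCipher(): Cipher =
    Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, loadWrappingKey()) }
fun unwrapCipher(blob: ByteArray): Cipher = Cipher.getInstance("AES/GCM/NoPadding").apply {
    init(Cipher.DECRYPT_MODE, loadWrappingKey(), GCMParameterSpec(128, blob.copyOfRange(0, GCM_IV_LEN)))
}
// Bind the cipher to the prompt via CryptoObject so the auth result is tied to this one operation.
fun withBiometric(activity: FragmentActivity, cipher: Cipher, onAuthed: (Cipher) -> Unit) {
    val info = BiometricPrompt.PromptInfo.Builder().setTitle("Unlock vault").setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(r: BiometricPrompt.AuthenticationResult) = onAuthed(r.cryptoObject!!.cipher!!)
    }).authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

Wrap with `withBiometric(activity, wrapCipher()) { c -> blob = c.iv + c.doFinal(masterKey) }` and store `blob`; unwrap later with `withBiometric(activity, unwrapCipher(blob)) { c -> c.doFinal(blob, GCM_IV_LEN, blob.size - GCM_IV_LEN) }`. In this code the non-exportable secret is the wrapping key; the unwrapped master-key bytes are handed back to the app process after the prompt succeeds, so zero them as soon as they are no longer needed.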