Hardware Key Operations

Perform secure signing and encryption using hardware-backed private keys.

Overview

GetTrusted leverages Secure Enclave (Apple) and StrongBox (Android) to generate and store non-exportable private keys. All cryptographic operations (signing, decryption) happen inside hardware, ensuring the private key is never exposed.

Process Flow

flowchart LR
  subgraph iOS / macOS [Secure Enclave]
    A1[Biometric Auth - Face ID or Touch ID] --> B1[Create Key kSecAttrTokenID=kSecAttrTokenIDSecureEnclave]
    B1 --> C1[Non-exportable P-256 Keypair]
    C1 --> D1[Store Identity - Private Key + Certificate]
    D1 --> E1[Sign / Decrypt Operation - Private Key stays in enclave]
  end

  subgraph Android [StrongBox]
    A2[Biometric Auth - Fingerprint or Face] --> B2[Create Key in StrongBox]
    B2 --> C2[Non-exportable P-256 Keypair]
    C2 --> D2[Store Identity - Android Keystore]
    D2 --> E2[Sign / Decrypt Operation - Private Key stays in hardware]
  end
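
The iOS/macOS branch of the flow above, written out with Apple's Security framework as an added example (not GetTrusted's own code). The key tag is a hypothetical placeholder, and the `.biometryCurrentSet` policy is an assumption about how strict the biometric gate should be.

```swift
import Foundation
import Security

// Hypothetical tag for this example; not a GetTrusted identifier.
let exampleKeyTag = Data("com.example.hardware-key".utf8)

/// Generates a non-exportable P-256 key inside the Secure Enclave.
/// Each private-key operation requires a biometric match.
func createEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    // Assumption: .biometryCurrentSet, so the key becomes unusable if the
    // enrolled fingerprints or faces change. .biometryAny would keep it valid.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error
    ) else { throw error!.takeRetainedValue() as Error }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: exampleKeyTag,
            kSecAttrAccessControl as String: access,
        ] as [String: Any],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key  // a reference only; the key bytes never leave the enclave
}

/// Signs `message` with ECDSA over SHA-256 and returns a DER (X9.62) signature.
/// Calling this triggers the Face ID / Touch ID prompt.
func sign(_ message: Data, with privateKey: SecKey) throws -> Data {
    let algorithm = SecKeyAlgorithm.ecdsaSignatureMessageX962SHA256
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        privateKey, algorithm, message as CFData, &error
    ) else { throw error!.takeRetainedValue() as Error }
    return signature as Data
}

/// Exports the public half only (X9.63 uncompressed point) for verifiers.
func publicKeyBytes(of privateKey: SecKey) -> Data? {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return nil }
    return SecKeyCopyExternalRepresentation(publicKey, nil) as Data?
}
```

Calling `SecKeyCopyExternalRepresentation` on the private key reference itself fails for an enclave-backed key, which is a quick way to confirm in testing that the key really is non-exportable.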

Cryptographic Summary

| Component | Platform | Algorithm | Key Size | Exportable | Notes |
|---|---|---|---|---|---|
| Secure Enclave | iOS/macOS | ECDSA P-256 | 256 bit | | Biometric-protected |
| StrongBox | Android | ECDSA P-256 | 256 bit | | Biometric-protected |
| Signing | | SHA256withECDSA | 256 bit | N/A | In-hardware execution |
| Encryption | | AES-GCM | 256 bit | N/A | Session encryption |

Security Guarantees

  • Private keys are generated and remain inside secure hardware.

  • Biometric gates prevent unauthorized use.

  • Hardware attestation ensures key provenance.

  • Keys persist securely across app reinstalls but cannot be extracted.

Strategic Implications
