How to add cert/key to Android keychain?

doveman
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2013 3:55 pm

How to add cert/key to Android keychain?

Post by doveman » Fri Nov 29, 2013 5:35 pm

I note that the release announcement says "Android Keychain integration - OpenVPN profiles may reference a cert/key pair in the Android keychain."

I assume that there is a security benefit from holding the cert/key in the keychain, rather than having them sitting in /sdcard/openvpn? Is there a guide somewhere on how to add the cert/key to the keychain and then get OpenVPN Connect to reference them, as I can't find a way to do this?

Will OpenVPN Connect also store the passphrase for the key so that it doesn't have to be entered each time and if so, does it store it encrypted and only decrypt it temporarily when it needs to use it to connect to the server, or does it store it in plaintext and/or keep it in memory permanently?

Nadu
OpenVpn Newbie
Posts: 4
Joined: Thu Nov 07, 2013 10:30 am

Re: How to add cert/key to Android keychain?

Post by Nadu » Sat Nov 30, 2013 1:57 am

Hi doveman,
I'm no expert around here but I may have some information for you...
doveman wrote: I assume that there is a security benefit from holding the cert/key in the keychain, rather than having them sitting in /sdcard/openvpn?
This is from the FAQ:
OpenVPN Connect (Android) FAQ wrote: The most sensitive piece of data in a profile is the private key. Consider removing the client certificate and private key from the profile and save them in the device Keychain instead (this is discussed below). Use a strong device-level password. This is critical to protect data stored in the device Keychain. [...] Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below). The Android developers are in the process of implementing an API for secure storage of passwords that will leverage on the hardware-backed keystore and master device password, however this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.
doveman wrote: Is there a guide somewhere on how to add the cert/key to the keychain and then get OpenVPN Connect to reference them, as I can't find a way to do this?
Again from the FAQ:
OpenVPN Connect (Android) FAQ wrote: Using the Android keychain to store your private key has the added security advantage of leveraging on the hardware-backed keystores that exist on many Android devices, allowing the key to be protected by the Android-level device password, and preventing key compromise even if the device is rooted. If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using either the Import menu or the Settings app. If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files):

openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.p12

Then import the client.p12 file from the previous step into the app using the Import / Import PKCS#12 menu option. Once this is done, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate and you should be able to connect normally.
doveman wrote: Will OpenVPN Connect also store the passphrase for the key so that it doesn't have to be entered each time and if so, does it store it encrypted and only decrypt it temporarily when it needs to use it to connect to the server, or does it store it in plaintext and/or keep it in memory permanently?
You might want to have a look at the FAQ yourself - not sure if it's covered. Since I couldn't find them online I'll post them in this forum...

EDIT: I posted the FAQ here.
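The last step in the quoted FAQ is to drop the ca, cert and key directives from the .ovpn once the key pair lives in the Android keychain. As an added example (not code from this thread or from OpenVPN), here is a small Python helper that strips those directives in both forms OpenVPN accepts, the file reference ("cert client.crt") and the inline block ("<cert> ... </cert>"), while leaving everything else in the profile untouched; the function name and the sample profile are constructed for the example, and the PEM bodies in it are placeholders.

```python
import re

# Directives whose values are the client credentials the FAQ says to
# remove from the profile after importing the PKCS#12 into the keychain.
CREDENTIAL_DIRECTIVES = ("ca", "cert", "key")

# Constructed sample profile (hypothetical host, placeholder PEM body).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
# inline CA block below is a placeholder, not a real certificate
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER_CA_BODY
-----END CERTIFICATE-----
</ca>
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
"""


def strip_credential_directives(profile_text: str) -> tuple[str, list[str]]:
    """Return (cleaned profile text, names of directives removed, in order).

    Handles "ca|cert|key <file>" lines and "<ca|cert|key> ... </...>" blocks.
    Unrelated lines (tls-auth, cipher, comments, ...) are kept verbatim.
    """
    kept, removed = [], []
    skipping = None  # name of the inline block currently being dropped
    for line in profile_text.splitlines():
        text = line.strip()
        if skipping:  # inside an inline credential block: drop until its close tag
            if text.lower() == f"</{skipping}>":
                skipping = None
            continue
        block = re.fullmatch(r"<(\w+)>", text)
        if block and block.group(1).lower() in CREDENTIAL_DIRECTIVES:
            skipping = block.group(1).lower()
            removed.append(skipping)
            continue
        first_word = text.split(None, 1)[0].lower() if text else ""
        if first_word in CREDENTIAL_DIRECTIVES:  # file-reference form
            removed.append(first_word)
            continue
        kept.append(line)
    if skipping:
        raise ValueError(f"unterminated <{skipping}> block in profile")
    return "\n".join(kept) + "\n", removed
```

Note that tls-auth and key-direction are deliberately left alone: they carry the shared HMAC key, not the client certificate/key pair that the keychain replaces.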

doveman
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2013 3:55 pm

Re: How to add cert/key to Android keychain?

Post by doveman » Sat Nov 30, 2013 3:14 am

Thanks Nadu, that's really helpful. Thanks for posting the FAQ as well :)
