# Key Store Service - [API reference](https://docs.qualcomm.com/doc/80-41102-2/topic/_doxygen_rst_file__doxygen_sources_taf_ks_interface_h.html#file-taf-ks-interface-h) Key Store is an access control-based service with access to trusted hardware bound cryptography. It ensures that all cryptographic keys generated are bound to the device cryptographically and all cryptographic operations run in a trusted execution environment. Key Store service provides APIs to applications for key management, key access control, and cryptographic operations. It has a built-in reliable and secure backend storage to save cryptographic keys created by client applications. It also supports client authentication which means only the key owner has the permission to access or use the key for certain purposes. ## IPC interfaces binding The functions of this API are provided by the **tafKeyStoreSvc** application service. The following example illustrates how to bind to the Key Store service. bindings: { clientExe.clientComponent.taf_ks -> tafKeyStoreSvc.taf_ks } Copy to clipboard ## Key management The key is identified by key ID which is a unique string within an application. Key ID shall follow POSIX portable file name format, that is only characters in [A-Za-z0-9.\_-] are allowed to be used. A new key can be created using API [taf\_ks\_CreateKey()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1afb8a3a75921dd79005f9f34a97730d81.html#Documentationa00527_1afb8a3a75921dd79005f9f34a97730d81) with the desired key ID and key usage as input parameters. A key reference is then returned to the calling application for subsequent operations. The key name passed to API [taf\_ks\_GetKey()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a6c0fff202dc72f20150b06a0be1b4433.html#Documentationa00527_1a6c0fff202dc72f20150b06a0be1b4433) shall follow the format of “[appName::]<keyId>”, where the “[appName::]” is optional and only needed when the calling application wants to get another application’s key if the key owner application has shared that key to the calling application. For example, if the calling application gets its own key ID “myKey1”, the key name is “myKey1”. If the calling application gets the Key ID “myKey2” of TelAF application “app2”, the key name is “app2::myKey2”. If the calling application gets the Key ID “myKey3” of the legacy application “/bin/app3”, the key name is “/bin/app3::myKey3”. New keys initially have no value and cannot be used for any cryptographic operations. Applications shall call taf\_ks\_ProvisionXXX() API to provision or import the key value and save the key into backend storage. The following key provision/import APIs are supported. - [taf\_ks\_ProvisionRsaEncKeyValue()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a5477f6196f51bedde187d7a5beca015b.html#Documentationa00527_1a5477f6196f51bedde187d7a5beca015b) — Provisions or imports a RSA encryption key value. - [taf\_ks\_ProvisionRsaSigKeyValue()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a58a12d0d38961134cbd6bf7cf83f520f.html#Documentationa00527_1a58a12d0d38961134cbd6bf7cf83f520f) — Provisions or imports a RSA signing key value. - [taf\_ks\_ProvisionAesKeyValue()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1ab0f1756ba240c645b16e3e4900755747.html#Documentationa00527_1ab0f1756ba240c645b16e3e4900755747) — Provisions or imports an AES key value. - [taf\_ks\_ProvisionEcdsaKeyValue()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1afc42a6a0c8b2fd8095a42d821b143c89.html#Documentationa00527_1afc42a6a0c8b2fd8095a42d821b143c89) — Provisions or imports an ECDSA key value. - [taf\_ks\_ProvisionHmacKeyValue()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1ac4b9dd554d479ab3041a54bff6ccaa24.html#Documentationa00527_1ac4b9dd554d479ab3041a54bff6ccaa24) — Provisions or imports a HMAC key value. The following example illustrates how to create and provision an AES GCM key. const char keyId[] = "MyAesGcmKey"; taf_ks_KeyRef_t keyRef; if (LE_NOT_FOUND == taf_ks_GetKey(keyId, &keyRef)) { if (LE_OK == taf_ks_CreateKey(keyId,TAF_KS_AES_ENCRYPT_DECRYPT, &keyRef)) { if (LE_OK != taf_ks_ProvisionAesKeyValue(keyRef, TAF_KS_AES_SIZE_256, TAF_KS_AES_MODE_GCM, NULL, 0)) { // Error handling for unsucessful taf_ks_ProvisionAesKeyValue call } } else { // Error handling for unsuccessful taf_ks_CreateKy call } } Copy to clipboard **NOTE:** A key only allows one-shot provisioning after creation. Call [taf\_ks\_GetKey()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a6c0fff202dc72f20150b06a0be1b4433.html#Documentationa00527_1a6c0fff202dc72f20150b06a0be1b4433) to get a key reference by the key name and call [taf\_ks\_GetKeyUsage()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a4352644d0147db066d0b1115beb804d5.html#Documentationa00527_1a4352644d0147db066d0b1115beb804d5) to get the key usage by the key reference. **NOTE:** [taf\_ks\_GetKey()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a6c0fff202dc72f20150b06a0be1b4433.html#Documentationa00527_1a6c0fff202dc72f20150b06a0be1b4433) returns LE\_NOT\_FOUND if the key is created but not provisioned. Call [taf\_ks\_ExportKey()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a2726e1e01722b2d2da63c5a760857dda.html#Documentationa00527_1a2726e1e01722b2d2da63c5a760857dda) to export the x.509 DER format public key. Call [taf\_ks\_DeleteKey()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a5888fe7cd6a0d1b59110afbdf1c589a0.html#Documentationa00527_1a5888fe7cd6a0d1b59110afbdf1c589a0) to delete a key from the backend storage. ## Cryptographic operation The typical use cases are data encryption/decryption and message signing/verification. Each cryptographic operation must be processed within a context. A cryptographic session bound to the context must be created to use a key for certain cryptographic operations. ### Create and start context session Call [taf\_ks\_CryptoSessionCreate()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1adf7bb40933b3beb48876fcb466db5722.html#Documentationa00527_1adf7bb40933b3beb48876fcb466db5722) to create a session and get the session reference for subsequent operations. Call [taf\_ks\_CryptoSessionSetAesNonce()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a68eca21a83c0f33dfb68328ad4486bc2.html#Documentationa00527_1a68eca21a83c0f33dfb68328ad4486bc2) to set the NONCE specifically for the AES CBC/CTR/GCM key. Call [taf\_ks\_CryptoSessionStart()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a6d7fa499b68a0c5cf450b526f11cfb0a.html#Documentationa00527_1a6d7fa499b68a0c5cf450b526f11cfb0a) to start the session. The following example illustrates how to create a cryptographic session and start the session for data encryption. taf_ks_CryptoSessionRef_t sessionRef; const uint8_t nonce[12] = {"abcdefghijk"}; // Shall be customized and filled by application. if (LE_OK == taf_ks_CryptoSessionCreate(keyRef, &sessionRef)) { if (LE_OK == taf_ks_CryptoSessionSetAesNonce(sessionRef, nonce, sizeof(nonce))) { if (LE_OK != taf_ks_CryptoSessionStart(sessionRef, TAF_KS_CRYPTO_ENCRYPT)) { // Error handling for unsucessful taf_ks_CryptoSessionStart call } } else { // Error handling for unsucessful CryptoSessionSetAesNonce call } } else { // Error handling for unsucessful taf_ks_CryptoSessionCreate call } Copy to clipboard ### Process data within the session Call [taf\_ks\_CryptoSessionProcess()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a0becd59597037a9dccaeab6cd8a60d3b.html#Documentationa00527_1a0becd59597037a9dccaeab6cd8a60d3b) to process the input data and get the output data in a running crypto session started with [taf\_ks\_CryptoSessionStart()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a6d7fa499b68a0c5cf450b526f11cfb0a.html#Documentationa00527_1a6d7fa499b68a0c5cf450b526f11cfb0a). It shall be called for multiple times if the input data size is greater than TAF\_KS\_MAX\_PACKET\_SIZE, which means the input data shall be split into small pieces with the size of each piece less than TAF\_KS\_MAX\_PACKET\_SIZE. **NOTE:** For AES GCM keys, [taf\_ks\_CryptoSessionProcessAead()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1af41026112d309c69f17fcf2f51dc8f2a.html#Documentationa00527_1af41026112d309c69f17fcf2f51dc8f2a) must be called one or multiple times to pass the AEAD before calling [taf\_ks\_CryptoSessionProcess()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a0becd59597037a9dccaeab6cd8a60d3b.html#Documentationa00527_1a0becd59597037a9dccaeab6cd8a60d3b). [taf\_ks\_CryptoSessionAbort()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a4a05e7f6e73daba582a36fd7bf5776d4.html#Documentationa00527_1a4a05e7f6e73daba582a36fd7bf5776d4) is used to abort a running session, if needed. Call [taf\_ks\_CryptoSessionEnd()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a4aa75917c2c13b52b88e8aee3e648267.html#Documentationa00527_1a4aa75917c2c13b52b88e8aee3e648267) to normally finish the cryptographic operation in the running session after all input data is processed by [taf\_ks\_CryptoSessionProcess()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a0becd59597037a9dccaeab6cd8a60d3b.html#Documentationa00527_1a0becd59597037a9dccaeab6cd8a60d3b). The following example illustrates how to process the input plain text and get the encrypted data, the encrypted data will be saved in the byte array of **encryptedData** with size of **totalEncSize**. const uint8_t plainText[] = "Keystore service for AES GCM test messages."; uint8_t encryptedData[TAF_KS_MAX_PACKET_SIZE] = {0}; size_t encryptedDataSize = sizeof(encryptedData); const uint8_t aead[] = {"123456789"}; // Shall be customized and filled by application. if (LE_OK == taf_ks_CryptoSessionProcessAead(sessionRef, aead, sizeof(aead))) { if (LE_OK == taf_ks_CryptoSessionProcess(sessionRef, plainText, sizeof(plainText), encryptedData, &encryptedDataSize)) { size_t totalEncSize = encryptedDataSize; encryptedDataSize = sizeof(encryptedData) - totalEncSize; if (LE_OK == taf_ks_CryptoSessionEnd(sessionRef, NULL, 0, encryptedData + totalEncSize, &encryptedDataSize)) { totalEncSize = totalEncSize + encryptedDataSize; } else { // Error handling for unsucessful taf_ks_CryptoSessionEnd call } } else { // Error handling for unsucessful taf_ks_CryptoSessionProcess call } } else { // Error handling for unsucessful taf_ks_CryptoSessionProcessAead call } Copy to clipboard **NOTE:** The crypto session is automatically deleted after [taf\_ks\_CryptoSessionAbort()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a4a05e7f6e73daba582a36fd7bf5776d4.html#Documentationa00527_1a4a05e7f6e73daba582a36fd7bf5776d4) or [taf\_ks\_CryptoSessionEnd()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a4aa75917c2c13b52b88e8aee3e648267.html#Documentationa00527_1a4aa75917c2c13b52b88e8aee3e648267) is called, or when any error occurs in [taf\_ks\_CryptoSessionStart()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a6d7fa499b68a0c5cf450b526f11cfb0a.html#Documentationa00527_1a6d7fa499b68a0c5cf450b526f11cfb0a) and [taf\_ks\_CryptoSessionProcess()](https://docs.qualcomm.com/doc/80-41102-2/topic/function_a00527_1a0becd59597037a9dccaeab6cd8a60d3b.html#Documentationa00527_1a0becd59597037a9dccaeab6cd8a60d3b). Last Published: Jun 09, 2026 [Previous Topic Sensor Management Service](https://docs.qualcomm.com/bundle/publicresource/80-41102-2/topics/page_c_tafsensor.md) [Next Topic Location services](https://docs.qualcomm.com/bundle/publicresource/80-41102-2/topics/location_services.md)