How does SDP secure the cryptographic keys used for data encryption?

With the SDP APIs, you can use either a device unlock password or an app-specific password to generate cryptographic keys for data encryption and decryption. Cryptographic keys used by Knox are stored by the TIMA (TrustZone-based Integrity Measurement Architecture) keystore. The keys are further encrypted with a device-unique hardware key that can only be decrypted by the hardware from within the ARM TrustZone. All cryptographic operations are performed only within ARM TrustZone, and are disabled if the system is compromised.