From fb01b75f3d3d44b1f9d747d71fb15c8374d5cf5e Mon Sep 17 00:00:00 2001
From: Leendert de Borst
Date: Fri, 24 Oct 2025 21:25:04 +0200
Subject: [PATCH] Persist encryption key when enabling biometrics on Android (#520)
---
 .../aliasvault/app/vaultstore/VaultStore.kt | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/apps/mobile-app/android/app/src/main/java/net/aliasvault/app/vaultstore/VaultStore.kt b/apps/mobile-app/android/app/src/main/java/net/aliasvault/app/vaultstore/VaultStore.kt
index d233a3c81..25942313f 100644
--- a/apps/mobile-app/android/app/src/main/java/net/aliasvault/app/vaultstore/VaultStore.kt
+++ b/apps/mobile-app/android/app/src/main/java/net/aliasvault/app/vaultstore/VaultStore.kt
@@ -582,10 +582,40 @@ class VaultStore(
 * @param authMethods The auth methods
 */
 fun setAuthMethods(authMethods: String) {
+ val previousAuthMethods = getAuthMethods()
+ val wasBiometricEnabled = previousAuthMethods.contains(BIOMETRICS_AUTH_METHOD)
+ val isBiometricEnabled = authMethods.contains(BIOMETRICS_AUTH_METHOD)
+
 storageProvider.setAuthMethods(authMethods)
 
+ // If biometrics were just enabled and we have an encryption key in memory, persist it to the keystore
+ if (!wasBiometricEnabled && isBiometricEnabled && encryptionKey != null && keystoreProvider.isBiometricAvailable()) {
+ val base64Key = Base64.encodeToString(encryptionKey, Base64.NO_WRAP)
+ val latch = java.util.concurrent.CountDownLatch(1)
+ var error: Exception? = null
+
+ keystoreProvider.storeKey(
+ key = base64Key,
+ object : KeystoreOperationCallback {
+ override fun onSuccess(result: String) {
+ Log.d(TAG, "Encryption key persisted to biometric storage after enabling biometrics")
+ latch.countDown()
+ }
+
+ override fun onError(e: Exception) {
+ Log.e(TAG, "Error persisting encryption key to biometric storage", e)
+ error = e
+ latch.countDown()
+ }
+ },
+ )
+
+ latch.await()
+ error?.let { throw it }
+ }
+
 // If the new auth methods no longer include biometrics, clear the biometric key.
- if (!authMethods.contains(BIOMETRICS_AUTH_METHOD)) {
+ if (wasBiometricEnabled && !isBiometricEnabled) {
 keystoreProvider.clearKeys()
 }
 }
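Review bot: In `setAuthMethods`, `storageProvider.setAuthMethods(authMethods)` runs before the key is written, so when `onError` fires and the exception is rethrown, the persisted auth methods already list biometrics while the keystore holds no key. Moving that call below the persist block, or restoring `previousAuthMethods` on failure, keeps the two stores consistent. The same mismatch arises silently when `encryptionKey` is null or `isBiometricAvailable()` returns false, since the branch is skipped but biometrics is still recorded as enabled. Narrowing the cleanup to `if (wasBiometricEnabled && !isBiometricEnabled)` means a key left in the keystore while the stored methods lack biometrics is never cleared by later calls; the old code called `clearKeys()` on every such call, so `if (!isBiometricEnabled)` would keep that fail-safe. `latch.await()` has no timeout, so a `storeKey` that never calls back (or, presumably, one that needs the calling thread for its prompt) blocks the caller indefinitely; a bounded `latch.await(TIMEOUT_SECONDS, TimeUnit.SECONDS)` that throws on expiry, with `TIMEOUT_SECONDS` a constant you define, would avoid that.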