Keytool's -storepass vs. -keypass -- Why 2 passwords?

ef2011 picture ef2011 · May 10, 2011 · Viewed 25.7k times · Source

I understand that the -keypass option is for "the password for the key" and that the -storepass option is for "a password for the keystore".

I don't understand, however, why two passwords are needed.

What scenarios are there for requiring 2 passwords: One for the store (file, in my case) and one for the key.

Answer

Andrew White picture Andrew White · May 10, 2011

This is due to how Java handles keystores so it's not an Android specific issue. The reason though is because access to a store such as adding/viewing trust relationships is a separate task from creating and signing keys/certs.

In short, you may trust someone to view/update your keystore but not sign things with a key you store in the keystore. Plus, keys could be stored in multiple keystores and you want your keys locked down individually.