Store Secrets with Keystore

Tradefed includes the concept of a keystore: secrets are stored in a keystore service and requested at test run time for use during the test.

How to use the keystore

To use the keystore, you need to first define the source for the keystore in your global configuration.

Once done, you can then use the stored keys via: USE_KEYSTORE@{key}


The sample implementation in Tradefed core uses a JSON keystore, JSONFileKeyStoreClient. To use this keystore, define a JSON key file that contains key-to-value mappings.

For example, you could define a /path/to/keystore.json file as:

  {
    "test_account": "",
    "test_account_pwd": "helloworld",
    "wifi_lab_ssid": "Google_private_AP",
    "wifi_lab_pwd": "secret123"
  }

Then you would add the following lines in your TF global configuration file:

<key_store class="">
  <option name="json-key-store-file" value="/path/to/keystore.json" />
</key_store>

When executing related tests, you can now pass in values as USE_KEYSTORE@test_account. TF then queries the keystore for that key and uses its value as part of the test.

Host-based keystore file

To define host-based key-value pairs, you may define a /path/to/keystore_ssid.json file as:

  {
    "host_a.*\\.corp\\.com": {
      "wifi_lab_ssid": "ssid_a",
      "wifi_lab_pwd": "secret_a"
    },
    "host_b.*\\.corp\\.com": {
      "wifi_lab_ssid": "ssid_b",
      "wifi_lab_pwd": "secret_b"
    }
  }

The key of an entry in the file is a regular expression (regex) pattern for the hostname and the value is the set of key-value pairs for any host with a matching hostname.

Then update your TF global configuration file to include the host-based keystore file:

<key_store class="">
  <option name="json-key-store-file" value="/path/to/keystore.json" />
  <option name="host-based-key-store-file" value="/path/to/keystore_ssid.json" />
</key_store>

The value of a key defined in a host-based keystore file overrides that defined in the keystore file specified with json-key-store-file.

When multiple host-based keystore files are present in the keystore, the order matters. If the value for a key is defined in multiple files, the value in the last such file overrides the rest.
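
The override rules in the two paragraphs above, modeled as a small Python resolver that shows which file supplies each key for a given host. This is an added example, not Tradefed code: resolve and report are hypothetical names, the sample data is constructed, and the script assumes a pattern must match the whole hostname. It rejects a file in which two patterns match the same host, because the page does not define that case.

```python
import json
import re

# Constructed sample data shaped like the page's two kinds of file.
BASE = json.loads('{"test_account_pwd": "helloworld", "wifi_lab_ssid": '
                  '"Google_private_AP", "wifi_lab_pwd": "secret123"}')
HOST_FILES = [  # in the order the host-based-key-store-file options appear
    json.loads(r'{"host_a.*\\.corp\\.com": {"wifi_lab_ssid": "ssid_a", '
               r'"wifi_lab_pwd": "secret_a"}, "host_b.*\\.corp\\.com": '
               r'{"wifi_lab_ssid": "ssid_b", "wifi_lab_pwd": "secret_b"}}'),
    json.loads(r'{"host_a1\\.corp\\.com": {"wifi_lab_pwd": "secret_a1"}}'),
]


def resolve(hostname, base, host_files):
    """Return (values, sources) for one host.

    Host-based values override the base file, and a later host-based file
    overrides an earlier one, as the page states.
    """
    values = dict(base)
    sources = {key: "json-key-store-file" for key in base}
    for index, mapping in enumerate(host_files):
        # Assumption: a pattern has to match the whole hostname.
        hits = [p for p in mapping if re.fullmatch(p, hostname)]
        if len(hits) > 1:
            # The page defines no precedence inside one file, so do not guess.
            raise ValueError(f"file #{index}: {hits} all match {hostname!r}")
        for pattern in hits:
            for key, value in mapping[pattern].items():
                values[key] = value
                sources[key] = f"host-based-key-store-file #{index}"
    return values, sources


def report(hostname, base, host_files):
    """List which file supplies each key, without printing secret values."""
    _, sources = resolve(hostname, base, host_files)
    return [f"{hostname}: {key} <- {sources[key]}" for key in sorted(sources)]


if __name__ == "__main__":
    for host in ("host_a1.corp.com", "host_b7.corp.com", "build01.corp.com"):
        print("\n".join(report(host, BASE, HOST_FILES)))
```

The report prints only key names and their source file, so it can be logged without exposing the stored values.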