It is possible to store key pairs unencrypted by omitting KeyPairGeneratorSpec.setEncryptionRequired(). In this case, the key pair is presumably stored in the clear, rather than encrypted with a key derived from the device lock screen credentials.
It is also known that hardware-backed keys are not in fact stored in the TEE, but rather, in /data/misc/keystore/user_0.
If keys are stored in the clear, wouldn't a root user with full access to the file system then be able to extract the private key material?
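As an added illustration of the API the question is about (this is example code, not part of the original post), the following Android/Java snippet generates one key pair with `setEncryptionRequired()` omitted and one with it set, and then queries the Android Keystore's own `KeyInfo` for whether a given alias is reported as residing inside secure hardware. The alias name, the `Context` argument and the one-year validity window are assumptions made for the example; `KeyInfo.isInsideSecureHardware()` requires API 23 or later, and `KeyPairGeneratorSpec` has been deprecated since the same API level in favour of `KeyGenParameterSpec`.

```java
import android.content.Context;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyInfo;

import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

public final class KeystoreEncryptionExample {
    private static final String PROVIDER = "AndroidKeyStore";

    // Weak variant: setEncryptionRequired() is omitted, so the stored key pair
    // is not bound to the lock screen credential at all.
    public static KeyPair generateUnbound(Context ctx, String alias) throws Exception {
        return generate(ctx, alias, false);
    }

    // Hardened variant: setEncryptionRequired() asks the keystore to encrypt the
    // stored key with a key derived from the lock screen credential. Generation
    // fails if no secure lock screen is configured, so handle that case in callers.
    public static KeyPair generateLockScreenBound(Context ctx, String alias) throws Exception {
        return generate(ctx, alias, true);
    }

    private static KeyPair generate(Context ctx, String alias, boolean encryptionRequired)
            throws Exception {
        // Assumed one-year validity window for the self-signed certificate the spec needs.
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 1);

        KeyPairGeneratorSpec.Builder builder = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(alias)
                .setSubject(new X500Principal("CN=" + alias))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime());
        if (encryptionRequired) {
            builder.setEncryptionRequired();
        }

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", PROVIDER);
        kpg.initialize(builder.build());
        return kpg.generateKeyPair();
    }

    // Defender's check: ask the keystore itself whether the private key for
    // this alias is reported as living inside secure hardware (TEE/SE).
    // Only the keystore's own claim is returned; it says nothing about how the
    // on-disk blob under /data/misc/keystore is protected.
    public static boolean isInsideSecureHardware(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) {
            throw new IllegalArgumentException("no key under alias " + alias);
        }
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }
}
```

Call `generateLockScreenBound(context, "example-alias")` from an `Activity` or `Service` that has a usable `Context`, then `isInsideSecureHardware("example-alias")` to see what the keystore reports for that alias on the device under test; the two `generate*` variants differ only in the presence of the `setEncryptionRequired()` call, which is the setting the question discusses.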