A continuously updated collection of Android attestation keyboxes. Every entry is checked in real time — valid keys first, revoked ones archived below, all free to download.
Sorted best-first by attestation grade, then newest. Revoked keys are kept at the bottom for reference and testing.
checking Google revocation list…
Stop updating by hand
Tired of replacing keyboxes manually?
Every time a key gets revoked you shouldn’t have to hunt for a new one and copy it over yourself. AlwaysStrong is a drop-in Magisk / KernelSU module that pulls the newest strong keybox from this repository onto your device — automatically. Set it once, stay strong.
Grading
What the statuses mean
Strong
Hardware-backed attestation — the strongest verdict
The dots on each channel post encode the attestation result. Google’s revocation list can override any grade to “Revoked”.
Strong Strong
Three green — passes hardware-backed (STRONG) attestation. Banking apps, Google Wallet and Play Integrity’s strongest verdict all work.
Soft-banned Soft-banned
Two green — still functional but flagged on some services. Good as a fallback when no strong key is available.
Basic integrity Basic
One green — only passes BASIC integrity. Enough for light root hiding, not for strong-attestation apps.
Revoked Revoked
Listed by Google as compromised. It will fail attestation regardless of its certificate expiry — kept here only for reference.
ad slot — paste your ad code here
Install guide
Using a keybox with TrickyStore
You’ll need a rooted device (Magisk / KernelSU / APatch) with the TrickyStore module installed.
1
Download a valid keybox
Pick the top entry marked Strong above and tap Download. You’ll get a keybox.xml file.
2
Place it in the TrickyStore folder
Copy the file to the path below (any root file manager works):
# replace the existing keybox
/data/adb/tricky_store/keybox.xml
3
Enable “valid keybox” mode
Make sure TrickyStore is set to use a custom keybox. Some builds auto-detect it; others need security patch spoofing enabled in the config.
4
Reboot & verify
Reboot, then check with an attestation tester (e.g. Play Integrity API Checker). A strong key returns STRONG / DEVICE + STRONG. If it fails, the key may have just been revoked — grab a newer one.
FAQ
Frequently asked
Why did a “Strong” keybox stop working?
Google periodically revokes leaked keyboxes. A key that graded Strong yesterday can be added to the revocation list at any time — this page re-checks on every visit and moves revoked keys to the archive automatically. When that happens, just download the newest valid one.
Is “valid” the same as “not expired”?
No — and this is the most common mistake. A keybox’s certificates can be valid for years yet already be revoked by Google for key compromise. Validity here means not on Google’s revocation list plus the attestation grade from testing, not the certificate expiry date.
How often is the repository updated?
Whenever a new keybox is posted to the Telegram channel, it appears here within about a minute. Revocation status, however, is evaluated live every time you load the page.
Is this safe / where do the keyboxes come from?
Keyboxes are community-sourced and shared for research and root-hiding on your own devices. The files are provided as-is; verify anything important yourself. This project only mirrors and grades them — it doesn’t generate keys.
What is a keybox, exactly?
It’s an XML file holding a device attestation key and its certificate chain. TrickyStore uses it to answer hardware-attestation challenges so Play Integrity and similar checks pass on a rooted device.