generateKey
Generates a new master key in the Keystore.
Tries StrongBox first. If StrongBox is unavailable for this algorithm/key size, falls back to TEE. The key is configured with per-use authentication — every encrypt/decrypt requires a fresh biometric or device credential.
Return
true if StrongBox was used, false if TEE fallback
Throws
if a key already exists (call deleteKey first)