With keys generated inside the Android's internal keystore. Android ensures only Spring can access those keys, decryption is performed inside the keystore.