diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 3c82d4b4e..cfc6f7fbd 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -288,11 +288,3 @@ prebuilt_etc {
     relative_install_path: "selinux",
     installable: false,
 }
-
-prebuilt_etc {
-    name: "microdroid_keystore2_key_contexts",
-    filename: "plat_keystore2_key_contexts",
-    src: "system/private/keystore2_key_contexts",
-    relative_install_path: "selinux",
-    installable: false,
-}
diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
index 22f2ffa1d..0c33acaf5 100644
--- a/microdroid/reqd_mask/access_vectors
+++ b/microdroid/reqd_mask/access_vectors
@@ -691,61 +691,6 @@ class hwservice_manager
 	list
 }
 
-class keystore_key
-{
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	add_auth
-	user_changed
-	gen_unique_id
-}
-
-class keystore2
-{
-	add_auth
-	change_password
-	change_user
-	clear_ns
-	clear_uid
-	early_boot_ended
-	get_auth_token
-	get_state
-	list
-	lock
-	report_off_body
-	reset
-	unlock
-}
-
-class keystore2_key
-{
-	convert_storage_key_to_ephemeral
-	delete
-	gen_unique_id
-	get_info
-	grant
-	manage_blob
-	rebind
-	req_forced_op
-	update
-	use
-	use_dev_id
-}
-
 class drmservice {
 	consumeRights
 	setPlaybackStatus
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
index 200b030cc..9fdb7c80e 100644
--- a/microdroid/reqd_mask/security_classes
+++ b/microdroid/reqd_mask/security_classes
@@ -154,14 +154,5 @@ class service_manager           # userspace
 # hardware service manager      # userspace
 class hwservice_manager
 
-# Legacy Keystore key permissions
-class keystore_key              # userspace
-
-# Keystore 2.0 permissions
-class keystore2                 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key             # userspace
-
 class drmservice                # userspace
 # FLASK
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 477f78f66..04cc453ac 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -691,61 +691,6 @@ class hwservice_manager
 	list
 }
 
-class keystore_key
-{
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	add_auth
-	user_changed
-	gen_unique_id
-}
-
-class keystore2
-{
-	add_auth
-	change_password
-	change_user
-	clear_ns
-	clear_uid
-	early_boot_ended
-	get_auth_token
-	get_state
-	list
-	lock
-	report_off_body
-	reset
-	unlock
-}
-
-class keystore2_key
-{
-	convert_storage_key_to_ephemeral
-	delete
-	gen_unique_id
-	get_info
-	grant
-	manage_blob
-	rebind
-	req_forced_op
-	update
-	use
-	use_dev_id
-}
-
 class diced
 {
 	demote
diff --git a/microdroid/system/private/binderservicedomain.te b/microdroid/system/private/binderservicedomain.te
deleted file mode 100644
index 99006bff8..000000000
--- a/microdroid/system/private/binderservicedomain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
-
-use_keystore(binderservicedomain)
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 90587fa4d..a636e9c4f 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -56,7 +56,6 @@ allow crash_dump {
   -crash_dump
   -init
   -kernel
-  -keystore
   -logd
   -ueventd
   -vendor_init
@@ -65,7 +64,6 @@ allow crash_dump {
 userdebug_or_eng(`
   allow crash_dump {
     apexd
-    keystore
     logd
   }:process { ptrace signal sigchld sigstop sigkill };
 ')
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 7f832b4f6..af06d98cb 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -111,7 +111,6 @@
 /system/bin/servicemanager.microdroid	u:object_r:servicemanager_exec:s0
 /system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
-/system/bin/keystore2	u:object_r:keystore_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
@@ -138,7 +137,6 @@
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts  u:object_r:keystore2_key_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
@@ -165,7 +163,6 @@
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0
-/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/authfs(/.*)?         u:object_r:authfs_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor(/.*)?              u:object_r:vendor_data_file:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index b8db74ad4..ff75f75b5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -171,7 +171,6 @@ allow init {
 allow init {
   file_type
   -exec_type
-  -keystore_data_file
   -shell_data_file
   -system_file_type
   -vendor_file_type
@@ -181,7 +180,6 @@ allow init {
   file_type
   -apex_info_file
   -exec_type
-  -keystore_data_file
   -runtime_event_log_tags_file
   -shell_data_file
   -system_file_type
@@ -193,7 +191,6 @@ allow init tracefs_type:file { create_file_perms relabelfrom };
 allow init {
   file_type
   -exec_type
-  -keystore_data_file
   -shell_data_file
   -system_file_type
   -vendor_file_type
@@ -203,7 +200,6 @@ allow init {
   file_type
   -apex_mnt_dir
   -exec_type
-  -keystore_data_file
   -shell_data_file
   -system_file_type
   -vendor_file_type
@@ -356,11 +352,6 @@ allow init self:global_capability_class_set sys_boot;
 allow init self:global_capability_class_set kill;
 allow init domain:process { getpgid sigkill signal };
 
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
 # Init creates /data/local/tmp at boot
 allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
deleted file mode 100644
index ee109108c..000000000
--- a/microdroid/system/private/keystore.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute keystore coredomain;
-
-init_daemon_domain(keystore)
-
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-# microdroid doesn't use keymaster HAL
-dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
-
-# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
-dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
-
-set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/keystore2_key_contexts b/microdroid/system/private/keystore2_key_contexts
deleted file mode 100644
index 02cdd5e6c..000000000
--- a/microdroid/system/private/keystore2_key_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ...  2^31)
-
-# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
-# TODO(b/191843770): sort out a longer term policy
-140            u:object_r:vm_payload_key:s0
-
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index fa1cb4067..47e0140f3 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -13,8 +13,6 @@ allow logd init:file { getattr open read };
 allow logd kernel:dir search;
 allow logd kernel:file { getattr open read };
 allow logd kernel:system { syslog_mod syslog_read };
-allow logd keystore:dir search;
-allow logd keystore:file { getattr open read };
 allow logd linkerconfig_file:dir search;
 allow logd microdroid_manager:dir search;
 allow logd microdroid_manager:file { getattr open read };
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de1c8d619..b71ae8d2f 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -9,17 +9,5 @@
 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
 
-# Talk to binder services (for keystore)
+# Talk to binder services (for diced)
 binder_use(microdroid_app);
-
-# Allow payloads to use keystore
-use_keystore(microdroid_app);
-
-# Allow payloads to use and manage their keys
-allow microdroid_app vm_payload_key:keystore2_key {
-    delete
-    get_info
-    manage_blob
-    rebind
-    use
-};
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index f063e2186..754a914b1 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -52,7 +52,6 @@ ro.boottime.init.cold_boot_wait       u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.first_stage          u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.modules              u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.selinux              u:object_r:boottime_prop:s0 exact int
-ro.boottime.keystore2                 u:object_r:boottime_prop:s0 exact int
 ro.boottime.logd                      u:object_r:boottime_prop:s0 exact int
 ro.boottime.logd-reinit               u:object_r:boottime_prop:s0 exact int
 ro.boottime.microdroid_manager        u:object_r:boottime_prop:s0 exact int
@@ -80,7 +79,6 @@ init.svc.apexd-vm           u:object_r:init_service_status_private_prop:s0 exact
 init.svc.apkdmverity        u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.authfs_service     u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.hwservicemanager   u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2          u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.logd               u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.logd-reinit        u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
@@ -128,10 +126,6 @@ ro.adb.secure                   u:object_r:build_prop:s0 exact bool
 
 ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
 
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
-
 apex_config.done u:object_r:apex_config_prop:s0 exact bool
 
 microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 0d3cc80ab..3890ff8f9 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -154,15 +154,6 @@ class service_manager           # userspace
 # hardware service manager      # userspace
 class hwservice_manager
 
-# Legacy Keystore key permissions
-class keystore_key              # userspace
-
-# Keystore 2.0 permissions
-class keystore2                 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key             # userspace
-
 # Diced permissions
 class diced                     # userspace
 
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 64994231d..adc79e4d5 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -3,20 +3,10 @@ android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
 android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
 android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
-android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 
 adb                                       u:object_r:adb_service:s0
-android.security.apc                      u:object_r:apc_service:s0
-android.security.authorization            u:object_r:authorization_service:s0
-android.security.compat                   u:object_r:keystore_compat_hal_service:s0
 android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
 android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
-android.security.identity                 u:object_r:credstore_service:s0
-android.security.keystore                 u:object_r:keystore_service:s0
-android.security.legacykeystore           u:object_r:legacykeystore_service:s0
-android.security.maintenance              u:object_r:keystore_maintenance_service:s0
-android.security.metrics                  u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
 apexservice                               u:object_r:apex_service:s0
 authfs_service                            u:object_r:authfs_binder_service:s0
 manager                                   u:object_r:service_manager_service:s0
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 55b7308b7..1196262b6 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -6,7 +6,4 @@ userdebug_or_eng(`
   # su is also permissive to permit setenforce.
   permissive su;
 
-  # Do not audit accesses to keystore2 namespace for the su domain.
-  dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
 ')
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5b678ba0f..c32540d34 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -2,7 +2,6 @@ type system_linker_exec, file_type, system_file_type;
 
 # file types
 type adbd_socket, file_type, coredomain_socket;
-type apc_service, service_manager_type;
 type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type apex_info_file, file_type;
 type apex_mnt_dir, file_type;
@@ -13,8 +12,6 @@ type cgroup_rc_file, file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
 type hwservice_contexts_file, file_type, system_file_type;
-type keystore2_key_contexts_file, file_type, system_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
 type linkerconfig_file, file_type;
 type logd_socket, file_type, mlstrustedobject, coredomain_socket;
 type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
diff --git a/microdroid/system/public/keystore.te b/microdroid/system/public/keystore.te
deleted file mode 100644
index 295d3d9b1..000000000
--- a/microdroid/system/public/keystore.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type keystore, domain;
-type keystore_exec, file_type, exec_type, system_file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index c62e091e8..9c792a131 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -34,8 +34,6 @@ type init_perf_lsm_hooks_prop, property_type;
 type init_service_status_private_prop, property_type;
 type init_service_status_prop, property_type;
 type init_svc_debug_prop, property_type;
-type keystore_crash_prop, property_type;
-type keystore_listen_prop, property_type;
 type libc_debug_prop, property_type;
 type log_tag_prop, property_type;
 type logd_prop, property_type;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 5da3ec9ed..dea7c6b18 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -15,10 +15,6 @@ allow statsd shell_exec:file rx_file_perms;
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;
 
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
 # Allow logd access.
 read_logd(statsd)
 control_logd(statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index a440c21b7..b6eb544c5 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -42,8 +42,6 @@ userdebug_or_eng(`
   dontaudit su hwservice_manager_type:hwservice_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su keystore:keystore_key *;
-  dontaudit su keystore:keystore2 *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su domain:bpf *;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 63296564c..a82c75e1b 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -2,8 +2,6 @@
 type adb_service, system_server_service, system_api_service, service_manager_type;
 type apex_service, service_manager_type;
 type authfs_binder_service, service_manager_type;
-type authorization_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
 type default_android_hwservice, hwservice_manager_type, protected_hwservice;
 type default_android_service, service_manager_type;
 type dice_maintenance_service,  service_manager_type;
@@ -17,11 +15,6 @@ type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
 type remoteprovisioning_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type system_linker;
diff --git a/microdroid/vendor/hal_keymint_default.te b/microdroid/vendor/hal_keymint_default.te
index 359ca602a..92d18c6c1 100644
--- a/microdroid/vendor/hal_keymint_default.te
+++ b/microdroid/vendor/hal_keymint_default.te
@@ -4,7 +4,6 @@ hal_server_domain(hal_keymint_default, hal_keymint)
 type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymint_default)
 
-allow hal_keymint_default keystore:binder transfer;
 allow hal_keymint_default system_lib_file:file execute;
 
 allow logd hal_keymint_default:dir search;