Android - Hardware backed Credentials Storage on Galaxy Nexus

The "Hardware Backed Credential Storage" aka "Android Key Store" is only hardware backed when the hardware on the device has the necessary hardware components in it. When there isn't the necessary hardware available it falls back to software storage.

Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material. While not all Android-powered devices support storage on hardware, you can check at runtime if hardware-backed storage is available

^{From Android 4.3 APIs - hardware credential storage. My emphasis.}

Finally, there is an API and even a system settings field that lets you check whether the credential store is hardware-backed (Nexus 4, Nexus 7) or software only (Galaxy Nexus)

^{From Credential storage enhancements in Android 4.3}

This a new feature and so it's likely that only newer, higher end devices have the hardware in them. According to that, the Galaxy Nexus doesn't have the necessary hardware. The Nexus 4 does have full hardware support for this;

As you may now (sic), the Nexus 4 is based on Qualcomm's Snapdragon S4 Pro APQ8064 SoC. Like most recent ARM SoC's it is TrustZone-enabled and Qualcomm implement their Secure Execution Environment (QSEE) on top of it.

^{From Credential storage enhancements in Android 4.3}

The ARM TrustZone technology is analogous to the TPM hardware used on Intel x86 PC compatible hardware to provide a hardware secure credential storage area. And just like TPM when it was first introduced is taking a while to trickle into all new phones.

So, in the case of the Nexus 4, the 'hardware' is simply the ARM SoC. Are other implementations possible? Theoretically, a hardware-backed keymaster implementation does not need to be based on TrustZone. Any dedicated device that can generate and store keys securely can be used, the usual suspects being embedded secure elements (SE) and TPMs. However, there are no mainstream Android devices with dedicated TPMs and recent flagship devices have began shipping without embedded SEs

^{From Credential storage enhancements in Android 4.3}

So, no, the Galaxy Nexus is not capable of enabling hardware backed credential storage, because it doesn't have the necessary hardware in it.