Thanks for the quick response.
I've come up with a workaround, but I think it relies on a quirk in BKS. I have made my PrivateKey class return Format="RAW", and getEncoded returns the (unencoded) encrypted key. BKS then stores it happily. When I call getKey, it returns as a SecretKeySpec, which I can use to reconstruct my PrivateKey. Not pretty, but it works.
By the way, the device is "wrapping" the private key in hardware before exposing it outside the device, but the wrapping algorithm is proprietary, which is why I have to deal with the key as just a bunch of bytes. At the end of your discussion of EncryptedPrivateKeyInfo (on p181) you indicate that would be the correct way to deal with this situation, but I haven't found the right recipe to put all the pieces together!
Anyway, thanks for the help, and thanks also for a fantastic book. It's been absolutely invaluable in the project.
All the best, Tom.