User guide
Process flow: Generating a principal encryption key
When you or a user turns on content protection for device transport keys on a BlackBerry® device for the first time, the BlackBerry device performs the following actions:
1. generates a principal encryption key, which is an AES-256 encryption key
2. stores the decrypted principal encryption key in RAM
3. uses the existing content protection key to encrypt the principal encryption key
4. stores the encrypted principal encryption key in flash memory
When the BlackBerry device locks, the BlackBerry device uses the decrypted principal encryption key to encrypt the device transport keys that are stored in the flash memory of the BlackBerry device.
PIN encryption keys
A PIN identifies each BlackBerry® device and BlackBerry enabled device on the wireless network. If a user knows the PIN of another BlackBerry device, the user can send a PIN message to the BlackBerry device. Unlike a message that a user sends to an email address, a PIN message bypasses the BlackBerry® Enterprise Server and your organization’s network.

The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives. Your organization can use a global PIN encryption key, a PIN encryption key that is specific to your organization, or both.

During the manufacturing process, Research In Motion adds a global PIN encryption key to the BlackBerry device. To permit a BlackBerry device to receive and decrypt PIN messages in your organization only, you can generate a PIN encryption key that is specific to your organization. A BlackBerry device that has a PIN encryption key that is specific to your organization can send and receive PIN messages with other BlackBerry devices on your organization’s network that use the same PIN encryption key. The BlackBerry device scrambles the PIN messages using a PIN encryption key that is specific to your organization instead of using the global PIN encryption key.

You can configure the Firewall Block Incoming Messages IT policy rule to limit the number of BlackBerry devices in your organization that can receive PIN messages that use the PIN encryption key that is specific to your organization, the global PIN encryption key, or both.

You can generate a new PIN encryption key using the BlackBerry Administration Service if you know that the current PIN encryption key is compromised. You can update the PIN encryption key and send it to user accounts using the BlackBerry Administration Service.
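The following Go program is an added model of the two mechanisms described on this page, the principal encryption key process flow above and the PIN encryption keys; it is not BlackBerry or Research In Motion code. It assumes AES-GCM as the primitive for both wrapping keys and scrambling PIN messages (the page says only that the principal encryption key is AES-256 and does not name a mode), models one device transport key where a real device holds several, and uses the labels "global" and "org" to stand for the global and organization-specific PIN encryption keys. Every key and message in it is constructed at runtime.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes draws n bytes from the OS random source (keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadFor builds AES-GCM for a 32-byte key (GCM is this model's assumption, not the page's).
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || ciphertext || tag; open reverses it and fails under
// any key other than the one used to seal.
func seal(key, pt []byte) []byte {
	g := aeadFor(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, data []byte) ([]byte, error) {
	g := aeadFor(key)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// Device models which key material lives in RAM and which in flash (one transport key shown).
type Device struct {
	ContentProtectionKey []byte // existing content protection key
	PrincipalKey         []byte // plaintext copy, RAM only
	WrappedPrincipalKey  []byte // encrypted copy, flash
	TransportKey         []byte // plaintext, RAM while unlocked
	WrappedTransportKey  []byte // flash, written on lock
}

// EnableProtection runs the four steps of the process flow.
func (d *Device) EnableProtection() {
	d.PrincipalKey = randBytes(32)                                       // 1, 2: AES-256 key, kept in RAM
	d.WrappedPrincipalKey = seal(d.ContentProtectionKey, d.PrincipalKey) // 3, 4: wrapped copy to flash
}

// Lock wraps the transport key under the principal key and drops all plaintext key copies from RAM.
func (d *Device) Lock() {
	d.WrappedTransportKey = seal(d.PrincipalKey, d.TransportKey)
	d.TransportKey, d.PrincipalKey = nil, nil
}

// Unlock recovers the principal key from flash, then the transport key.
func (d *Device) Unlock() error {
	pk, err := open(d.ContentProtectionKey, d.WrappedPrincipalKey)
	if err != nil {
		return err
	}
	tk, err := open(pk, d.WrappedTransportKey)
	if err != nil {
		return err
	}
	d.PrincipalKey, d.TransportKey = pk, tk
	return nil
}

// PINDevice knows PIN encryption keys by label ("global" or an organization
// label) and the labels its Firewall Block Incoming Messages rule lets in.
type PINDevice struct {
	Keys    map[string][]byte
	Allowed map[string]bool
}

// ReceivePIN applies the IT policy rule first, then decrypts with the key matching the label.
func (r PINDevice) ReceivePIN(label string, ct []byte) (string, error) {
	if !r.Allowed[label] {
		return "", errors.New("blocked by IT policy")
	}
	key, ok := r.Keys[label]
	if !ok {
		return "", errors.New("no PIN encryption key for label " + label)
	}
	pt, err := open(key, ct)
	return string(pt), err
}
```

A sender scrambles a PIN message with `seal` under the key it chooses and sends the label alongside the ciphertext. Two properties of the text fall out of the model: after `Lock`, the only key material left is the content-protection-wrapped principal key and the principal-wrapped transport key in flash, so nothing in RAM decrypts either without the content protection key; and a device holding only the global PIN encryption key gets an authentication failure on a message sealed under the organization key, while the IT policy check is a separate gate that can refuse global-key messages even on a device that could decrypt them.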
Security Technical Overview