User guide

Encrypting the device transport key on a locked BlackBerry device
If you turn on content protection for device transport keys, a BlackBerry® device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory. The BlackBerry device encrypts the principal encryption key using the content protection key. When a locked BlackBerry device receives data that is encrypted using the device transport key, it uses the decrypted principal encryption key to decrypt the device transport key in flash memory and then uses the decrypted device transport key to decrypt data.

When you, a user, or a password timeout locks the BlackBerry device, the wireless transceiver remains on and the BlackBerry device does not delete the memory that is associated with the principal encryption key or device transport key. The BlackBerry device is designed to prevent the decrypted principal encryption key and the decrypted device transport key from appearing in flash memory.

You can turn on content protection for device transport keys on the BlackBerry device when you configure the Force Content Protection of Master Keys IT policy rule. When you turn on content protection of device transport keys, the BlackBerry device uses the ECC key strength that you specified in the Content Protection Strength IT policy rule to encrypt the device transport keys.
What happens when a user resets a BlackBerry device after you turn on content protection for the device transport key
If you turn on content protection of device transport keys, a BlackBerry® device performs the following actions when a user resets the BlackBerry device by removing and reinserting the battery:
• turns off the data connection over the wireless network
• suspends serial bypass connections if your organization's environment includes an enterprise Wi-Fi® network and the BlackBerry device can connect directly to a BlackBerry Router
• frees the memory that is associated with all data and keys, including the decrypted principal encryption key
• locks itself

The BlackBerry device is designed to turn off the data connection and serial bypass connection while the content protection key is unavailable to decrypt the principal encryption key in flash memory. Until a user unlocks the BlackBerry device, the BlackBerry device cannot receive and decrypt data. The BlackBerry device does not turn off the wireless transceiver and can still receive phone calls, SMS text messages, and MMS messages.

When the user unlocks the BlackBerry device after resetting it, the BlackBerry device performs the following actions:
• uses the content protection key to decrypt the principal encryption key in flash memory
• stores the decrypted principal encryption key in flash memory
• connects to the BlackBerry® Infrastructure
• resumes serial bypass connections
• receives data from the BlackBerry® Enterprise Server
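A simplified model of the key hierarchy and of the lock versus reset behaviour described in the two sections above, as an added example that is not BlackBerry code: the wrap and unwrap routines (an HMAC-SHA256 keystream with an integrity tag) and the password-derived content protection key are assumptions standing in for the device's real ECC-based content protection, and the salt and password are constructed values. It shows why a locked device can still decrypt incoming data while a reset device cannot until the user unlocks it.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a stand-in for the device's real cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def wrap(kek, key):
    # encrypt-then-MAC wrap of one key under another (model only)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kek, nonce, len(key))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def content_protection_key(password):
    # assumption: the content protection key is derived from the device password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)

class Device:
    def __init__(self, password):
        principal, transport = os.urandom(32), os.urandom(32)
        # flash memory persists only wrapped keys; RAM holds the decrypted principal key
        self.flash = {"principal": wrap(content_protection_key(password), principal),
                      "transport": wrap(principal, transport)}
        self.ram_principal, self.locked, self.data_connection = principal, False, True

    def lock(self):
        # user lock or password timeout: RAM keys kept, transceiver and data stay up
        self.locked = True

    def reset(self):
        # battery pull: RAM freed, data connection dropped, device locked
        self.ram_principal = None
        self.locked, self.data_connection = True, False

    def unlock(self, password):
        # content protection key decrypts the principal key stored in flash
        self.ram_principal = unwrap(content_protection_key(password), self.flash["principal"])
        self.locked, self.data_connection = False, True

    def transport_key(self):
        # None while the decrypted principal key is unavailable (after a reset)
        if self.ram_principal is None:
            return None
        return unwrap(self.ram_principal, self.flash["transport"])
```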
Security Technical Overview