User guide
• generate random passwords that are designed to improve password strength
• copy passwords and paste them into an application or password prompt for a web site
Protecting data that a BlackBerry device stores on a media card
To protect the data that a BlackBerry® device stores on a media card, you can configure the External File System Encryption Level
IT policy rule, or a user can configure the corresponding option on the BlackBerry device. You can use this rule or option to
configure whether the BlackBerry device encrypts the data using a password that a user provides, a BlackBerry device key that
is randomly generated and stored in the NV store, or both.
A media card can store a master key and the code-signing keys that are included in the header information of encrypted files.
The code-signing keys permit only applications that signed the files to access the files. A BlackBerry device is designed to use
the master key that is stored on the media card to decrypt and encrypt files on the media card. The master key and code-signing
keys use AES encryption. The BlackBerry device is designed to check the code-signing keys when the BlackBerry device opens
the input streams or output streams of an encrypted file and to use code-signing with RSA-1024 encryption to control access to
objects on the media card.
When a user stores a file on a media card for the first time after you or the user turns on encryption of media cards, the BlackBerry
device decrypts the encryption key for the media card file and uses it to encrypt the stored file. The BlackBerry device does not
encrypt files that a user transfers to the media card using a USB mass storage device.
The BlackBerry device, a computer, and other devices that use the media card can modify encrypted files (for example, truncate
files) on the media card. The BlackBerry device is not designed to perform integrity checks on data in encrypted files.
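The two properties this section states, that a file on the card is encrypted under the decrypted media-card key and that no integrity check is performed on the ciphertext, can be modelled in a few lines. The following Go program is an added illustration, not BlackBerry code; the page does not name the cipher mode or the wrapping details, so AES-256-CTR is assumed as a stand-in. It shows that a truncated file decrypts without any error under the unauthenticated scheme, and, for comparison, an encrypt-then-MAC variant (not described on the page) that detects the same truncation on read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptFile encrypts a file body with AES-256-CTR under the media-card key
// and prepends a random IV. Assumption: the page names no mode; CTR stands in.
func EncryptFile(cardKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(cardKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// DecryptFile reverses EncryptFile. As in the scheme the page describes, it
// performs no integrity check: any input at least one block long decrypts
// "successfully", even if another device truncated the file on the card.
func DecryptFile(cardKey, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than the IV")
	}
	block, err := aes.NewCipher(cardKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(out, data[aes.BlockSize:])
	return out, nil
}

// SealFile is the encrypt-then-MAC variant added for comparison: an
// HMAC-SHA256 tag over IV and ciphertext is appended so truncation or edits
// are detected on read. The page does not describe this mitigation.
func SealFile(cardKey, macKey, plaintext []byte) ([]byte, error) {
	ct, err := EncryptFile(cardKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct), nil // IV || ciphertext || tag
}

// OpenFile verifies the tag in constant time before decrypting.
func OpenFile(cardKey, macKey, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize+sha256.Size {
		return nil, errors.New("sealed file too short")
	}
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("integrity check failed: file was modified or truncated")
	}
	return DecryptFile(cardKey, ct)
}

// TruncationNoticed drops the last n bytes of each encoding of plaintext and
// reports whether each reader raised an error: false means silent data loss.
func TruncationNoticed(cardKey, macKey, plaintext []byte, n int) (plain, sealed bool, err error) {
	ct, err := EncryptFile(cardKey, plaintext)
	if err != nil {
		return false, false, err
	}
	if n < 0 || n > len(ct)-aes.BlockSize {
		return false, false, errors.New("n must leave at least the IV in place")
	}
	_, derr := DecryptFile(cardKey, ct[:len(ct)-n])
	plain = derr != nil
	sealedData, err := SealFile(cardKey, macKey, plaintext)
	if err != nil {
		return false, false, err
	}
	_, oerr := OpenFile(cardKey, macKey, sealedData[:len(sealedData)-n])
	sealed = oerr != nil
	return plain, sealed, nil
}

func main() {
	cardKey, macKey := make([]byte, 32), make([]byte, 32) // constructed keys
	if _, err := rand.Read(cardKey); err != nil {
		panic(err)
	}
	if _, err := rand.Read(macKey); err != nil {
		panic(err)
	}
	body := []byte("constructed sample file body written to the media card by the device") // constructed
	plain, sealed, err := TruncationNoticed(cardKey, macKey, body, 10)
	if err != nil {
		panic(err)
	}
	fmt.Printf("truncation noticed: unauthenticated=%v encrypt-then-MAC=%v\n", plain, sealed)
}
```

The unauthenticated reader returns a shorter plaintext with no error, which is exactly the behaviour the section warns about when another device modifies a file on the card; the sealed reader rejects the file before decrypting anything.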
For more information, visit www.blackberry.com/go/serverdocs to read Enforcing Encryption of Internal and External File Systems
on BlackBerry Devices Technical Overview.
Process flow: Generating an encryption key for a media card
When you or a user turns on encryption of media cards for the first time, a BlackBerry® device generates an encryption key (also
known as a session key) for a media card.
To generate an encryption key, the BlackBerry device performs the following actions:
1. generates an AES-256 encryption key
2. stores the encryption key in the NV store in RAM on the BlackBerry device
3. XORs the AES-256 encryption key with another AES-256 encryption key that is encrypted with a password to generate the encryption key for the media card
4. encrypts the encryption key for the media card using the AES-256 encryption key
5. stores the encrypted encryption key for media cards on the media card
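The five steps above, modelled as an added Go example (not BlackBerry code). The page does not say how the password-derived key is obtained or which mode wraps the media-card key, so an HMAC-SHA256 derivation and AES-256-GCM wrapping are assumed here and marked as such in the comments; the NV store and the card are represented by fields of a struct. The example also shows the reverse operation the device needs when it later opens a file: unwrapping the media-card key under the device key, which fails if the wrong device key is presented.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MediaCardKeys models where each key ends up after the five steps.
type MediaCardKeys struct {
	DeviceKey      []byte // steps 1-2: AES-256 key held in the device's NV store
	WrapNonce      []byte // assumption: AES-GCM nonce for the wrap (page names no mode)
	WrappedCardKey []byte // steps 4-5: media-card key encrypted under DeviceKey, written to the card
}

// PasswordKey derives the second AES-256 key from the user's password.
// Assumption: the page does not name the derivation; HMAC-SHA256 over a
// fixed label stands in for a real password-based KDF.
func PasswordKey(password string) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write([]byte("media-card-password-key"))
	return mac.Sum(nil) // 32 bytes
}

// XorKeys is step 3: combine two 32-byte keys bytewise.
func XorKeys(a, b []byte) ([]byte, error) {
	if len(a) != 32 || len(b) != 32 {
		return nil, errors.New("both keys must be 32 bytes (AES-256)")
	}
	out := make([]byte, 32)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey is step 4: encrypt the media-card key under the device key.
func WrapKey(deviceKey, cardKey []byte) (nonce, wrapped []byte, err error) {
	gcm, err := newGCM(deviceKey)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, cardKey, nil), nil
}

// UnwrapKey recovers the media-card key when a file is later opened; GCM
// rejects the blob if the device key is wrong or the blob was altered.
func UnwrapKey(deviceKey, nonce, wrapped []byte) ([]byte, error) {
	gcm, err := newGCM(deviceKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, wrapped, nil)
}

// GenerateMediaCardKey runs steps 1 to 5 and returns the stored material
// together with the plaintext media-card key (kept only in memory).
func GenerateMediaCardKey(password string) (MediaCardKeys, []byte, error) {
	deviceKey := make([]byte, 32) // step 1
	if _, err := rand.Read(deviceKey); err != nil {
		return MediaCardKeys{}, nil, err
	}
	cardKey, err := XorKeys(deviceKey, PasswordKey(password)) // step 3
	if err != nil {
		return MediaCardKeys{}, nil, err
	}
	nonce, wrapped, err := WrapKey(deviceKey, cardKey) // step 4
	if err != nil {
		return MediaCardKeys{}, nil, err
	}
	// steps 2 and 5: DeviceKey stays in the NV store, the wrapped key goes to the card
	return MediaCardKeys{DeviceKey: deviceKey, WrapNonce: nonce, WrappedCardKey: wrapped}, cardKey, nil
}

func main() {
	keys, cardKey, err := GenerateMediaCardKey("constructed-example-password") // constructed input
	if err != nil {
		panic(err)
	}
	recovered, err := UnwrapKey(keys.DeviceKey, keys.WrapNonce, keys.WrappedCardKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key on card: %d bytes, unwrap matches: %v\n",
		len(keys.WrappedCardKey), bytes.Equal(recovered, cardKey))
}
```

The wrapped blob on the card is 48 bytes here (32-byte key plus the 16-byte GCM tag); a reader holding only the card cannot distinguish a correct unwrap from a wrong one without the device key, which is the separation the two storage locations are meant to provide.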
Security Technical Overview