Installation guide
BlackBerry Enterprise Solution Security
BlackBerry encryption keys 7
Master encryption key storage
The BlackBerry configuration database, the messaging server, and the BlackBerry device flash memory store
encryption keys, including the current BlackBerry device master encryption key (in other words, the master
encryption key that the BlackBerry device currently uses to encrypt and decrypt message keys).
Messaging server platform: IBM Lotus® Domino® server
    Messaging server storage location: the BlackBerry profiles database
    BlackBerry device storage location: a key store database in flash memory
    BlackBerry Enterprise Server storage location: the BlackBerry configuration database

Messaging server platform: Microsoft® Exchange server
    Messaging server storage location: the desktop email program user mailbox
    BlackBerry device storage location: a key store database in flash memory
    BlackBerry Enterprise Server storage location: the BlackBerry configuration database

Messaging server platform: Novell® GroupWise® server
    Messaging server storage location: not stored
    BlackBerry device storage location: a key store database in flash memory
    BlackBerry Enterprise Server storage location: the BlackBerry configuration database
It is critical to protect the BlackBerry configuration database and the platform-specific master encryption key
storage location on the messaging server. See “Messaging server to desktop email program connection” on page
33 and “Protecting the BlackBerry configuration database” on page 26 for information.
The BlackBerry configuration database, the messaging server, and the BlackBerry device flash memory can also
retain previous and pending master encryption keys.
Key state: previous key(s)
    Description: The master encryption key(s) that the BlackBerry device used before the current key was
    generated.
    The BlackBerry device stores multiple previous keys in flash memory for 7 days, the maximum amount of
    time that the BlackBerry Enterprise Server queues a pending message for delivery, in case the user
    creates a new key on the BlackBerry device multiple times while messages are still queued on the
    BlackBerry Enterprise Server.
    The messaging server and the BlackBerry configuration database store only the most recent previous key.

Key state: pending key
    Description: The master encryption key that you generate in the BlackBerry Manager or the user
    generates on the BlackBerry device to replace the current master encryption key.
    Only the messaging server and the BlackBerry configuration database store the pending key. The
    BlackBerry Desktop Software sends the pending key to the BlackBerry device when the user connects the
    BlackBerry device to the desktop computer. The current key then becomes the new previous key, and the
    pending key becomes the new current key.
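As an added illustration, not from this guide or from BlackBerry's own code, the following Python models the key states described above: a pending key replacing the current key at desktop sync, the device retaining previous keys for the 7-day queue lifetime, and the configuration database keeping only the most recent previous key. The key labels ("K1", "K2", "K3") and the dates are constructed; real key material and message-key wrapping are not modelled.

```python
from datetime import datetime, timedelta

# Constructed model (not BlackBerry code) of the master encryption key lifecycle
# this section describes. Key material is an opaque label such as "K1"; the real
# key formats and the message-key wrapping are not modelled.
RETENTION = timedelta(days=7)  # device keeps previous keys as long as the BES queues a message

class DeviceKeyStore:
    """Key store in device flash memory: the current key plus dated previous keys."""
    def __init__(self, current):
        self.current = current
        self.previous = []  # (key_label, retired_at), oldest first
    def apply_pending(self, pending, now):
        """Desktop sync delivers the pending key: current -> previous, pending -> current."""
        self.previous.append((self.current, now))
        self.current = pending
        self.prune(now)
    def prune(self, now):
        """Drop previous keys retired more than RETENTION ago."""
        self.previous = [(k, t) for k, t in self.previous if now - t <= RETENTION]
    def can_decrypt(self, key_label, now):
        self.prune(now)
        return key_label == self.current or any(k == key_label for k, _ in self.previous)

class ServerKeyStore:
    """BES configuration database: current key, one pending key, one previous key."""
    def __init__(self, current):
        self.current, self.previous, self.pending = current, None, None
    def generate_pending(self, pending):
        self.pending = pending
    def confirm_sync(self):
        """The pending key reached the device: current -> previous, pending -> current."""
        self.previous, self.current, self.pending = self.current, self.pending, None
    def has_key(self, key_label):
        return key_label in (self.current, self.previous)

def queued_message_scenario():
    """A message queued under K1 while the user regenerates the key twice."""
    t0 = datetime(2024, 1, 1)
    device, server = DeviceKeyStore("K1"), ServerKeyStore("K1")
    for day, label in ((1, "K2"), (2, "K3")):  # two regenerations on consecutive days
        server.generate_pending(label)
        device.apply_pending(label, t0 + timedelta(days=day))
        server.confirm_sync()
    return {
        "device_day3": device.can_decrypt("K1", t0 + timedelta(days=3)),  # within 7 days
        "device_day9": device.can_decrypt("K1", t0 + timedelta(days=9)),  # retention expired
        "server_has_k1": server.has_key("K1"),  # config database kept only K2 as previous
    }
```

The scenario shows why the device keeps several previous keys: a message still queued under K1 remains decryptable on the device for 7 days after two regenerations, while the configuration database has already discarded K1.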
Master encryption key generation
Both you and a user can generate and regenerate master encryption keys.
Key generation method: desktop-based (wired)
    Initial key generation: When a user connects the BlackBerry device to the desktop computer for the
    first time, the BlackBerry Desktop Software creates the master encryption key and sends it to the
    BlackBerry device and the messaging server.
    Key regeneration: When the user subsequently connects the BlackBerry device to the desktop computer,
    the user can initiate regeneration of the master encryption key. The BlackBerry Desktop Software
    creates the master encryption key and sends it to the BlackBerry device and the messaging server.
www.blackberry.com