Installation guide
BlackBerry Enterprise Solution 10
Master encryption key storage locations, by messaging server platform

Messaging server platform: IBM® Lotus® Domino®
  Messaging server storage location: the BlackBerry profiles database
  BlackBerry device storage location: a key store database in flash memory
  BlackBerry Enterprise Server storage location: the BlackBerry Configuration Database

Messaging server platform: Microsoft® Exchange
  Messaging server storage location: the computer email application user mailbox
  BlackBerry device storage location: a key store database in flash memory
  BlackBerry Enterprise Server storage location: the BlackBerry Configuration Database

Messaging server platform: Novell® GroupWise®
  Messaging server storage location: not stored
  BlackBerry device storage location: a key store database in flash memory
  BlackBerry Enterprise Server storage location: the BlackBerry Configuration Database
The BlackBerry Configuration Database stores master encryption keys alongside the BlackBerry device user data
that they protect. The BlackBerry Configuration Database, the messaging server, and the BlackBerry device flash
memory can also retain previous and pending master encryption keys. It is critical to protect the BlackBerry
Configuration Database and the platform-specific master encryption key storage location on the messaging
server. For more information, see “Messaging server to computer email application connection” on page 42 and
“Protecting the BlackBerry Configuration Database” on page 34.
Key storage on the BlackBerry device
On the BlackBerry device, the shared key is stored in a database in flash memory (the key store). This key storage
method is designed to prevent an attacker from successfully extracting the key data from flash memory by
backing up the data from the BlackBerry device onto a computer.
Key state: previous key(s)
Description: The master encryption key(s) that the BlackBerry device used before the current key was generated.
The BlackBerry device stores multiple previous keys in flash memory for 7 days, the maximum amount of time that
the BlackBerry Enterprise Server queues a pending message for delivery, in case the BlackBerry device user creates
a new key on the BlackBerry device multiple times while messages are still queued on the BlackBerry Enterprise
Server.
The messaging server and the BlackBerry Configuration Database store only the most recent previous key.

Key state: pending key
Description: The master encryption key that the BlackBerry Enterprise Server administrator generates in the
BlackBerry Manager to replace the current master encryption key.
Only the messaging server and the BlackBerry Configuration Database store the pending key. The BlackBerry
Desktop Software sends the pending key to the BlackBerry device when the BlackBerry device user connects the
BlackBerry device to the computer. The current key then becomes the new previous key, and the pending key
becomes the new current key.
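The key-state rules above (pending key generated by the administrator, delivered on the next desktop connection; the device keeping every previous key for the 7-day queue window while the server side keeps only the most recent previous key) can be checked with a small model. The following Python is an added example written for this guide, not BlackBerry code: the key store classes, the key-id scheme, the SHA-256 XOR stream cipher standing in for the real cipher (which the guide does not describe), and the constructed three-rotation scenario are all assumptions made for illustration. It shows why the device needs several previous keys: a message queued under a key two rotations old is still readable on the device inside the window, but the server-side stores, which keep one previous key, no longer hold that key.

```python
"""Model of master encryption key rollover: the device keeps every previous key
for 7 days, the server side keeps only one pending and one previous key."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Retention window for previous keys on the device: 7 days, the maximum time the
# BlackBerry Enterprise Server queues a pending message (value from the guide).
PREVIOUS_KEY_RETENTION = timedelta(days=7)


def key_id(key: bytes) -> str:
    """Short key identifier so a queued message can name the key that protects it
    (hypothetical scheme, not the product's own)."""
    return hashlib.sha256(key).hexdigest()[:16]


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream) standing in for the real cipher,
    which the guide does not describe. Encrypt and decrypt are the same operation."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class DeviceKeyStore:
    """Device-side key store: current key plus all previous keys younger than 7 days."""
    current: bytes
    previous: list[tuple[datetime, bytes]] = field(default_factory=list)

    def rotate(self, new_key: bytes, now: datetime) -> None:
        """Current becomes a previous key (stamped with the rotation time); new_key becomes current."""
        self.previous.append((now, self.current))
        self.current = new_key
        self.prune(now)

    def prune(self, now: datetime) -> None:
        """Drop previous keys older than the 7-day queue window."""
        self.previous = [(t, k) for t, k in self.previous if now - t <= PREVIOUS_KEY_RETENTION]

    def lookup(self, kid: str, now: datetime) -> bytes | None:
        self.prune(now)
        for key in [self.current] + [k for _, k in self.previous]:
            if key_id(key) == kid:
                return key
        return None


@dataclass
class ServerKeyStore:
    """Server-side view (Configuration Database / messaging server): the current key,
    at most one pending key, and only the most recent previous key."""
    current: bytes
    pending: bytes | None = None
    previous: bytes | None = None

    def generate_pending(self) -> None:
        """Administrator generates a replacement key (BlackBerry Manager step)."""
        self.pending = os.urandom(32)

    def deliver_pending(self, device: DeviceKeyStore, now: datetime) -> None:
        """Desktop Software delivers the pending key on the next connection:
        pending -> current, current -> previous, on both sides."""
        if self.pending is None:
            return
        device.rotate(self.pending, now)
        self.previous, self.current, self.pending = self.current, self.pending, None

    def known_keys(self) -> list[bytes]:
        return [k for k in (self.current, self.pending, self.previous) if k is not None]


def encrypt_for_queue(server: ServerKeyStore, plaintext: bytes) -> tuple[str, bytes]:
    """Queue a message under the server's current key; the message records the key id."""
    return key_id(server.current), _xor_stream(server.current, plaintext)


def simulate() -> dict[str, dict[str, bool]]:
    """Constructed scenario: a message queued before each of two daily rotations, then
    a check of which messages each side can still open on day 3 and on day 9."""
    t0 = datetime(2024, 1, 1)
    k0 = os.urandom(32)
    server = ServerKeyStore(current=k0)
    device = DeviceKeyStore(current=k0)
    queue: dict[str, tuple[str, bytes]] = {}

    queue["m1"] = encrypt_for_queue(server, b"queued under k0")  # day 0, key k0
    server.generate_pending()
    server.deliver_pending(device, t0 + timedelta(days=1))       # k1 becomes current
    queue["m2"] = encrypt_for_queue(server, b"queued under k1")  # day 1, key k1
    server.generate_pending()
    server.deliver_pending(device, t0 + timedelta(days=2))       # k2 becomes current
    queue["m3"] = encrypt_for_queue(server, b"queued under k2")  # day 2, key k2

    result: dict[str, dict[str, bool]] = {}
    for label, now in (("day3", t0 + timedelta(days=3)), ("day9", t0 + timedelta(days=9))):
        result[label] = {}
        for name, (kid, ct) in queue.items():
            dev_key = device.lookup(kid, now)
            srv_key = next((k for k in server.known_keys() if key_id(k) == kid), None)
            result[label][f"{name}_device"] = (
                dev_key is not None and _xor_stream(dev_key, ct).startswith(b"queued")
            )
            result[label][f"{name}_server"] = srv_key is not None
    return result


if __name__ == "__main__":
    for day, outcome in simulate().items():
        print(day, outcome)
```

On day 3 the device opens all three messages, while the server-side stores (current k2, previous k1) can no longer match m1's key k0 after two rotations; by day 9 the device has pruned k0 as well, because it is older than the 7-day queue window, so m1 is unreadable everywhere.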
How the messaging server storage location stores the master encryption keys
The Microsoft Exchange server stores the master encryption keys in a hidden folder named
BlackBerryHandheldInfo within a root folder of the BlackBerry device user's computer email application mailbox.
The BlackBerryHandheldInfo folder stores the following data:
• a message of class RIM.BlackBerry.Handheld.Config containing the BlackBerry device user's configuration
information, including the master encryption key data
• the master encryption keys in binary form with tags that indicate their state: 0x6002 (pending), 0x6003
(current), and 0x6004 (previous)
The IBM Lotus Domino server stores the master encryption keys in a database named BlackBerryProfiles.nsf that
contains configuration information for every BlackBerry device user within the /Data directory. The BlackBerry
www.blackberry.com