Installation guide
BlackBerry Enterprise Solution 31
Protected storage of master encryption keys on a locked BlackBerry device
If the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys, the
BlackBerry device uses the grand master key to encrypt the master encryption keys stored in flash memory and
encrypts the grand master key using the content protection key. When the BlackBerry device receives data
encrypted with a master encryption key while it is locked, it uses the decrypted grand master key to decrypt the
required master encryption key in flash memory, and uses the decrypted master encryption key to decrypt and
receive the data.
The BlackBerry device stores the decrypted master encryption keys and the decrypted grand master key in RAM
only. When the BlackBerry Enterprise Server administrator, the BlackBerry device user, or a set password timeout
locks the BlackBerry device, the wireless transceiver remains on and the BlackBerry device does not clear the
RAM associated with these keys. The BlackBerry device is designed to prevent the decrypted grand master keys
and the decrypted master encryption keys from appearing in flash memory.
For more information, see “Process for generating grand master keys” on page 15.
Enabling protected storage of master encryption keys on a locked BlackBerry device
The BlackBerry Enterprise Server administrator enables protected storage of master encryption keys on the
BlackBerry device by setting the Force Content Protection of Master Keys IT policy rule. When the BlackBerry
Enterprise Server administrator turns on content protection of master encryption keys, the BlackBerry device
uses the same ECC key strength that it uses to encrypt BlackBerry device user and application data when
encrypting the master encryption keys. For more information, see “Enabling protected storage of BlackBerry
device data” on page 30.
Protected storage of master encryption keys on a BlackBerry device during a reset
If the BlackBerry Enterprise Server administrator turns on content protection of master encryption keys, during a
BlackBerry device reset the BlackBerry device
• turns off the wireless transceiver
• turns off serial bypass
• frees the memory associated with all data and encryption keys stored in RAM, including the decrypted
grand master key
• locks
The wireless transceiver and serial bypass are designed to be turned off while the content protection key is not
available to decrypt the grand master key in flash memory. Until a user unlocks the BlackBerry device using the
correct BlackBerry device password, the BlackBerry device cannot receive and decrypt data.
When the user unlocks the BlackBerry device after a reset, the BlackBerry device
• uses the content protection key to decrypt the grand master key in flash memory
• stores the decrypted grand master key in RAM again
• re-establishes the wireless connection to the BlackBerry Infrastructure
• resumes serial bypass
• receives data from the BlackBerry Enterprise Server
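The following model, added here as an illustration and not code from the BlackBerry Enterprise Solution, shows the key hierarchy and the lock/reset behaviour described in the sections above: flash memory holds only the grand master key wrapped under the content protection key and the master encryption keys wrapped under the grand master key; RAM holds the unwrapped grand master key; a lock leaves RAM intact so data can still be received, while a reset zeroes and discards the RAM copy, turns off the transceiver, and blocks reception until the correct password rebuilds the content protection key. The password derivation (PBKDF2), the HMAC-based wrapping cipher, the class and method names, and the sample message are all constructed for this example; the real device uses ECC-based content protection and its own formats.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in cipher constructed for this
    example only, not the device's real content protection algorithm."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC key wrapping: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Reverse of wrap(); raises ValueError if the tag does not verify
    (for example when the wrong password produced the wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class DeviceLocked(Exception):
    """Raised when data arrives but no grand master key is available in RAM."""


class Device:
    """Hypothetical model of a device with content protection of master keys."""

    def __init__(self, password: str, master_keys: dict):
        self.salt = secrets.token_bytes(16)
        cpk = self._content_protection_key(password)
        gmk = secrets.token_bytes(32)
        # Flash memory holds only wrapped key material.
        self.flash = {
            "grand_master_key": wrap(cpk, gmk),
            "master_keys": {name: wrap(gmk, k) for name, k in master_keys.items()},
        }
        # RAM holds the decrypted grand master key (bytearray so it can be zeroed).
        self.ram = {"grand_master_key": bytearray(gmk)}
        self.locked = False
        self.transceiver_on = True

    def _content_protection_key(self, password: str) -> bytes:
        # Constructed stand-in for deriving the content protection key from the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def lock(self) -> None:
        # A lock keeps the transceiver on and leaves the RAM key copies in place.
        self.locked = True

    def reset(self) -> None:
        # A reset turns the transceiver off and zeroes, then frees, RAM key material.
        self.transceiver_on = False
        for buf in self.ram.values():
            buf[:] = bytes(len(buf))
        self.ram.clear()
        self.locked = True

    def unlock(self, password: str) -> None:
        cpk = self._content_protection_key(password)
        gmk = unwrap(cpk, self.flash["grand_master_key"])  # ValueError on wrong password
        self.ram["grand_master_key"] = bytearray(gmk)
        self.locked = False
        self.transceiver_on = True

    def receive(self, key_name: str, blob: bytes) -> bytes:
        """Decrypt data encrypted under a master key, as the device would do while locked."""
        if "grand_master_key" not in self.ram or not self.transceiver_on:
            raise DeviceLocked("no grand master key in RAM after reset")
        gmk = bytes(self.ram["grand_master_key"])
        mk = unwrap(gmk, self.flash["master_keys"][key_name])
        return unwrap(mk, blob)


def demo() -> dict:
    """Walk through unlocked, locked, reset, wrong password and re-unlock states."""
    mk = secrets.token_bytes(32)
    dev = Device("correct-password", {"bes-1": mk})
    msg = wrap(mk, b"hello from BES")  # constructed sample message from the server
    results = {"unlocked": dev.receive("bes-1", msg)}
    dev.lock()
    results["locked"] = dev.receive("bes-1", msg)  # still works: keys remain in RAM
    dev.reset()
    try:
        dev.receive("bes-1", msg)
        results["after_reset"] = "received"
    except DeviceLocked:
        results["after_reset"] = "blocked"
    try:
        dev.unlock("wrong-password")
        results["wrong_password"] = "unlocked"
    except ValueError:
        results["wrong_password"] = "rejected"
    dev.unlock("correct-password")
    results["after_unlock"] = dev.receive("bes-1", msg)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the difference between the two states the sections describe: a locked device still holds the decrypted grand master key in RAM and can decrypt incoming data, whereas a reset device holds nothing usable until the password reproduces the content protection key, so a wrong password fails at the grand master key unwrap and never reaches the master keys.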
Clearing the BlackBerry device memory
By default, the BlackBerry device continually runs a standard Java garbage collection process to reclaim
BlackBerry device memory that is no longer referenced.
If secure garbage collection is turned on, the BlackBerry device performs the following additional actions:
• overwrites the memory reclaimed by the standard garbage collection process with zeroes
www.blackberry.com