User guide
To generate an encryption key, the BlackBerry device performs the following actions:
1. generates an AES-256 encryption key
2. stores the encryption key in the NV store in RAM on the BlackBerry device
3. XORs the AES-256 encryption key with another AES-256 encryption key that is encrypted with a password to generate the encryption key for the media card
4. encrypts the encryption key for the media card using the AES-256 encryption key
5. stores the encrypted encryption key for media cards on the media card
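The five steps above as an added example in Go (not BlackBerry's code), showing that the blob stored on the media card only unwraps under the device key held in the NV store. AES-GCM with a 12-byte nonce, the helper names, and the random second key (standing in for the password-protected key after it has been decrypted) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randBytes(32) yields an AES-256 key (step 1); the device keeps it in the NV store (step 2).
func randBytes(n int) []byte {
	b := make([]byte, n)
	return b[:must(rand.Read(b))]
}

// mediaKey is step 3: XOR the device key with the second key.
func mediaKey(deviceKey, secondKey []byte) []byte {
	out := make([]byte, len(deviceKey))
	for i := range out {
		out[i] = deviceKey[i] ^ secondKey[i]
	}
	return out
}

func gcm(key []byte) cipher.AEAD { // assumption: the page names no cipher mode
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// wrap is step 4; its output is what step 5 stores on the media card.
func wrap(deviceKey, mk []byte) []byte {
	nonce := randBytes(12)
	return gcm(deviceKey).Seal(nonce, nonce, mk, nil)
}

// unwrap expects a blob from wrap (nonce first); it fails under any other device key.
func unwrap(deviceKey, blob []byte) ([]byte, error) {
	return gcm(deviceKey).Open(nil, blob[:12], blob[12:], nil)
}

func main() {
	dev := randBytes(32) // unwrapping below uses another device's key, so it fails
	fmt.Println(unwrap(randBytes(32), wrap(dev, mediaKey(dev, randBytes(32)))))
}
```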
How the BlackBerry Attachment Service protects data on a device
A BlackBerry device uses the BlackBerry Attachment Service to process an attachment in an email message or calendar
entry so that the user can view the attachment on the device. The BlackBerry Attachment Service is designed to prevent a
potentially malicious application from accessing data on the device by using binary format parsing to open the attachment
and process it.
After the BlackBerry Attachment Service processes the attachment, the BlackBerry Router sends the attachment to the
device for rendering. If the attachment in the email message or calendar entry is an application, the device does not run
the application.
For more information about the attachment file formats that the BlackBerry Enterprise Server supports, see the BlackBerry
Enterprise Server Feature and Technical Overview.
Best practice: Protecting the BlackBerry Attachment Service
To help prevent the spread of potential attacks from the computer that hosts the BlackBerry Attachment Service to other
computers in your organization’s network, consider the following guidelines:
• Install the BlackBerry Attachment Service on a computer that is separate from the computer that hosts the BlackBerry Enterprise Server.
• Place the computer that hosts the BlackBerry Attachment Service in its own network segment.
Security Technical Overview Protecting data on a device