Encrypting user data on a locked BlackBerry device

If you or a BlackBerry® device user turns on content protection, you or the user can configure a locked BlackBerry device to encrypt stored user data and data that the locked BlackBerry device receives. When you or a user turns on content protection, a locked BlackBerry device is designed to use AES-256 encryption to encrypt stored data and an ECC public key to encrypt data that the locked BlackBerry device receives.

For example, the locked BlackBerry device uses content protection to encrypt the following items:
  • subject, location, meeting organizer, attendees, and any notes in all appointments or meeting requests
  • all contact information in the contact list except for the contact title and category
  • subject, email addresses of intended recipients, message body, and attachments in all email messages
  • title and information that is included in the body of a note for all memos (also known as posted messages)
  • subject and all information that is included in the body of tasks (also known as posted all day appointments)
  • if you use software tokens, contents of the .sdtid file seed that is stored in flash memory
  • all data that is associated with third-party applications that a user installs on the BlackBerry device
  • in the BlackBerry® Browser, content that web sites or third-party applications push to the BlackBerry device, any web sites that the user saves on the BlackBerry device, and the browser cache
  • all text that automatically replaces the text that the user types on the BlackBerry device

You can change the Content Protection of Contact List IT policy rule to Required to prevent the user from turning off content protection for the contact list on the BlackBerry device. If you change the Content Protection of Contact List IT policy rule to Required, the BlackBerry device does not permit call display and does not share contacts over a Bluetooth® connection when the BlackBerry device is locked.

Configuring the encryption of BlackBerry device data on a locked device

You can turn on content protection of BlackBerry® device data on a locked BlackBerry device using the Content Protection Strength IT policy rule. You can choose a strength level that corresponds to the ECC key strength that your organization requires.

A user can turn on content protection in the security options, in the encryption options on the device. The user can change the content protection strength to the same level that you specify using the IT policy rule or to a higher level.

To make content protection optional or to prevent an administrator or a user from turning on content protection for a device that is running BlackBerry® Device Software 6.0 or later, you can use the Content Protection Usage IT policy rule.

After you or a user configures content protection, a device uses the ECC private key to decrypt an email message that it received when it was locked. The longer the ECC private key, the more time the device requires to decrypt messages. You must choose a strength level that optimizes the encryption strength or that optimizes the decryption process.

The device uses the device password to generate an ephemeral key that the device uses to encrypt the content protection key and ECC private key. If you change the content protection strength to Stronger so that the device uses a 283-bit ECC private key, you can consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 12 characters for the device password. If you change the content protection strength to Strongest so that the device uses a 571-bit ECC private key, you can consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 21 characters for the device password. These password lengths maximize the encryption strength that the longer ECC private keys are designed to provide. A shorter password length produces a weaker ephemeral key.

Process flow: Encrypting user data on a locked BlackBerry device

When a BlackBerry® device locks for the first time after you or a user turns on content protection, the BlackBerry device performs the following actions:

  1. uses the content protection key to automatically encrypt the bulk of its stored user data and application data
  2. frees the BlackBerry device memory that is associated with the decrypted content protection key and the decrypted ECC private key that is stored in RAM
  3. uses the ECC public key to encrypt data that it receives

Process flow: Decrypting user data on an unlocked BlackBerry device

  1. A user types the correct BlackBerry® device password to unlock a BlackBerry device.
  2. The BlackBerry device performs the following actions:
    1. uses the password to derive the ephemeral key
    2. uses the ephemeral key to decrypt the encrypted content protection key and ECC private key that are stored in flash memory
    3. stores the decrypted content protection key and ECC private key in RAM
    4. uses the decrypted content protection key to decrypt the user data when the user tries to access user data (for example, an email message) that the BlackBerry device received and encrypted while it was locked
    5. uses the decrypted ECC private key to decrypt the user data and access the ECC-encrypted items (for example, the message body, subject, or recipient) when the user tries to access user data that the BlackBerry device encrypted while it was locked

When the BlackBerry device opens ECC-128 encrypted items (usually fewer than 40 messages), the BlackBerry device uses the ECC private key to decrypt the ECC-encrypted items. The BlackBerry device re-encrypts the items with the content protection key the next time that the BlackBerry device locks. If the BlackBerry device does not complete the re-encryption process before the user unlocks the BlackBerry device, the BlackBerry device resumes re-encryption when it locks again.
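The key hierarchy in the lock and unlock flows above can be modeled as follows; this is an added example, not BlackBerry code, and it covers only the password-to-ephemeral-key wrapping of the two keys, not ECC encryption of received data. Assumptions: PBKDF2-HMAC-SHA256 as the key derivation, an HMAC-SHA256 keystream with a MAC tag standing in for the device's AES-256 key wrapping, a random 36-byte string standing in for the ECC private key, and the hypothetical names `Device`, `wrap`, `unwrap` and `derive_ephemeral_key`.

```python
import hashlib, hmac, os

def derive_ephemeral_key(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2; the page does not name the device's derivation function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (HMAC in counter mode), used because the stdlib has no AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(ephemeral: bytes, secret: bytes) -> bytes:
    enc_key, mac_key = ephemeral[:32], ephemeral[32:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap(ephemeral: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = ephemeral[:32], ephemeral[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted key blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Device:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        eph = derive_ephemeral_key(password, self.salt)
        # Flash memory only ever holds the wrapped (encrypted) keys.
        self.flash = {"cp_key": wrap(eph, os.urandom(32)),     # content protection key
                      "ecc_priv": wrap(eph, os.urandom(36))}   # constructed placeholder
        self.ram = {}  # empty while locked

    def lock(self):
        # Overwrite the decrypted keys before dropping them (best effort in Python).
        for buf in self.ram.values():
            buf[:] = bytes(len(buf))
        self.ram = {}

    def unlock(self, password: str):
        # Password -> ephemeral key -> unwrap both keys from flash into RAM.
        eph = derive_ephemeral_key(password, self.salt)
        self.ram = {name: bytearray(unwrap(eph, blob)) for name, blob in self.flash.items()}
```

Because the wrapped blobs in flash are only as strong as the password-derived ephemeral key, a longer ECC key adds nothing at rest if the password is short, which is the reason for the minimum password length guidance above.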

