Extending messaging security to attachments

The BlackBerry® Enterprise Server supports attachments in PGP®-encrypted messages and S/MIME-encrypted messages. It also permits a user to view encrypted attachments on a BlackBerry device. For PGP-encrypted messages, the device supports the OpenPGP format and the PGP/MIME format. For S/MIME-encrypted messages, the BlackBerry device supports Triple DES, AES-128, AES-192, or AES-256.

You can use the S/MIME Allowed Encrypted Attachment Mode IT policy rule and the PGP Allowed Encrypted Attachment Mode IT policy rule to control whether users can view encrypted attachments on their devices. By default, these rules permit a device to request decrypted attachment information from the BlackBerry Enterprise Server automatically when a user opens a protected message.

In a Microsoft® Exchange environment and with an upcoming version of BlackBerry® Device Software, you can use the S/MIME Attachment Support IT policy rule to control whether users can send and forward attachments in S/MIME-protected messages. This rule can include one of the following values:
  • None, which prevents the device from sending attachments in S/MIME-encrypted messages.
  • End-to-End, which permits the device to send attachments in S/MIME-encrypted messages if the attachments are located on the sender's device.
  • End-to-End or Trusted BES, which permits the device to send attachments in S/MIME-encrypted messages whether or not the attachments are located on the sender's device.

By default, this rule is configured as "End-to-End or Trusted BES".

Process flow: Viewing an attachment in a PGP-encrypted message or S/MIME-encrypted message

The S/MIME Allowed Encrypted Attachment Mode IT policy rule or PGP® Allowed Encrypted Attachment Mode IT policy rule determines how a BlackBerry® device responds when it receives a PGP/MIME-encrypted message or S/MIME-encrypted message that contains an attachment. These rules determine whether the following actions occur automatically when the user opens the email message, or whether the user must request the actions manually.

  1. A BlackBerry device sends the message key and a request for the data in the attachment header to the BlackBerry® Enterprise Server.
  2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the data in the attachment header. The BlackBerry Enterprise Server sends the data in the attachment header to the BlackBerry device.
  3. The BlackBerry device processes the data in the attachment header with the email message and displays the associated attachment information so that the user can select the attachment for viewing.

Process flow: Viewing an attachment that is encrypted using S/MIME encryption, PGP/MIME encryption, or OpenPGP encryption

  1. The BlackBerry® device sends the message key and a request for the attachment data to the BlackBerry® Enterprise Server.
  2. The BlackBerry Enterprise Server uses the message key to decrypt the email message and access the attachment data that corresponds to the data in the attachment header. The BlackBerry Enterprise Server decrypts the attachment and sends the rendered attachment data to the BlackBerry device.
  3. The BlackBerry device displays the attachment.

To help protect the decrypted attachment data that the BlackBerry device stores, you can turn on content protection.
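The two process flows above can be modelled as a short exchange. The following is an added example, not BlackBerry code: the toy SHA-256 keystream stands in for Triple DES or AES, and the JSON message layout and all names (`Server`, `device_open`, `encrypt_message`) are assumptions made for illustration. It shows that the server works with plaintext once it holds the message key, and that a message key opens only the message it belongs to.

```python
import hashlib, hmac, json, os

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream; a stand-in for Triple DES/AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_message(message_key: bytes, message: dict) -> bytes:
    body = _xor_stream(message_key, json.dumps(message).encode())
    return hmac.new(message_key, body, hashlib.sha256).digest() + body

def _decrypt_message(message_key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(message_key, body, hashlib.sha256).digest()):
        raise PermissionError("message key does not match this message")
    return json.loads(_xor_stream(message_key, body))

class Server:
    """Plays the BlackBerry Enterprise Server role; it stores only ciphertext."""
    def __init__(self, mailbox: dict):
        self.mailbox = mailbox

    def attachment_headers(self, msg_id: str, message_key: bytes) -> list:
        # First flow, step 2: decrypt, return only the attachment header data.
        msg = _decrypt_message(message_key, self.mailbox[msg_id])
        return [{"name": a["name"], "size": len(a["data"])} for a in msg["attachments"]]

    def attachment_data(self, msg_id: str, message_key: bytes, name: str) -> str:
        # Second flow, step 2: decrypt and return the selected attachment's data.
        msg = _decrypt_message(message_key, self.mailbox[msg_id])
        return next(a["data"] for a in msg["attachments"] if a["name"] == name)

# Constructed sample mailbox: two messages, each under its own message key.
KEY_A, KEY_B = os.urandom(32), os.urandom(32)
SERVER = Server({
    "msg-a": encrypt_message(KEY_A, {"body": "Q3 numbers", "attachments": [{"name": "q3.txt", "data": "revenue: 42"}]}),
    "msg-b": encrypt_message(KEY_B, {"body": "other", "attachments": [{"name": "plan.txt", "data": "secret plan"}]}),
})

def device_open(msg_id: str, message_key: bytes) -> tuple:
    """Device side of both flows: request headers, then the first attachment."""
    headers = SERVER.attachment_headers(msg_id, message_key)
    return headers, SERVER.attachment_data(msg_id, message_key, headers[0]["name"])
```

Sending `KEY_A` lets the server read `msg-a` only; a request for `msg-b` with that key raises `PermissionError`.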

