Principal encryption keys
When you or a user turns on content protection for device transport keys, a BlackBerry® device generates a principal encryption key and stores it in flash memory. The BlackBerry device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory on the BlackBerry device and the PIN encryption key that is specific to your organization. The BlackBerry device encrypts the principal encryption key using the content protection key. When the BlackBerry device is locked and receives data that is encrypted with the device transport key, it uses the principal encryption key to decrypt the device transport key that is in flash memory.
Process flow: Generating a principal encryption key
When the BlackBerry device locks, the BlackBerry device uses the decrypted principal encryption key to encrypt the device transport keys that are stored in the flash memory of the BlackBerry device.
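The key hierarchy described above, modeled as an added example that is not BlackBerry code. The `wrap`/`unwrap` cipher is a standard-library stand-in rather than the device's algorithm, and the `Device` class, its method names, holding the decrypted principal key in memory, and wrapping the PIN encryption key at lock time are all assumptions.

```python
import hashlib, hmac, secrets

def _sub(kek, label):
    return hmac.new(kek, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(kek, data):
    # Stand-in authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC).
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(kek, b"enc"), nonce, data)
    return nonce + ct + hmac.new(_sub(kek, b"mac"), nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_sub(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(_sub(kek, b"enc"), nonce, ct)

class Device:  # hypothetical model of the flow on this page
    def __init__(self, transport_key, pin_key):
        self.flash = {"transport": transport_key, "pin": pin_key}
        self.principal = None  # decrypted copy; where it is held is an assumption

    def enable_content_protection(self, content_protection_key):
        self.principal = secrets.token_bytes(32)
        # Only the wrapped principal key is written to flash.
        self.flash["principal"] = wrap(content_protection_key, self.principal)

    def lock(self):
        # Page: on lock, the decrypted principal key encrypts the transport keys.
        # Wrapping the PIN encryption key at the same moment is an assumption.
        for name in ("transport", "pin"):
            self.flash[name] = wrap(self.principal, self.flash[name])

    def receive_while_locked(self, blob):
        transport_key = unwrap(self.principal, self.flash["transport"])
        return unwrap(transport_key, blob)

def demo():
    cpk, tk, pk = (secrets.token_bytes(32) for _ in range(3))  # constructed keys
    dev = Device(tk, pk)
    dev.enable_content_protection(cpk)
    dev.lock()
    inbound = wrap(tk, b"constructed message")  # sender encrypts with transport key
    return dev, cpk, tk, dev.receive_while_locked(inbound)
```

After `lock()`, a copy of flash contains only wrapped blobs, so recovering a transport key requires the principal key, which in turn requires the content protection key.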