To protect the data that a BlackBerry® device stores on a media card, you can configure the External File System Encryption Level IT policy rule, or a user can configure the corresponding option on the BlackBerry device. You can use this rule or option to configure whether the BlackBerry device encrypts the data using a password that a user provides, a BlackBerry device key that is randomly generated and stored in the NV store, or both.
A media card can store a master key and the code-signing keys that are included in the header information of encrypted files. The code-signing keys permit only the applications that signed a file to access it. The BlackBerry device is designed to use the master key that is stored on the media card to encrypt and decrypt files on the media card. The master key and the code-signing keys are protected using AES encryption. The BlackBerry device is designed to check the code-signing keys when it opens the input streams or output streams of an encrypted file, and to use RSA-1024 code signing to control access to objects on the media card.
When a user stores a file on a media card for the first time after you or the user turns on encryption of media cards, the BlackBerry device decrypts the stored encryption key for the media card and uses it to encrypt the file. The BlackBerry device does not encrypt files that a user transfers to the media card using USB mass storage mode; such files remain on the media card in cleartext.
The BlackBerry device, a computer, and other devices that use the media card can modify encrypted files (for example, truncate files) on the media card. The BlackBerry device is not designed to perform integrity checks on data in encrypted files, so it does not detect such modifications: the encryption protects the confidentiality of the data, not its integrity.
For more information, visit www.blackberry.com/go/serverdocs to read Enforcing encryption of internal and external file systems on BlackBerry devices Technical Overview.
Process flow: Generating an encryption key for a media card
When you or a user turns on encryption of media cards, the BlackBerry device performs the following actions:
- generates an AES-256 encryption key
- stores the encryption key in the NV store in RAM on the BlackBerry device
- XORs the AES-256 encryption key with another AES-256 encryption key that is encrypted with a password to generate the encryption key for the media card
- encrypts the encryption key for the media card using the AES-256 encryption key
- stores the encrypted encryption key for media cards on the media card