If you turn on content protection for device transport keys, a BlackBerry® device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory. The BlackBerry device encrypts the principal encryption key using the content protection key. When a locked BlackBerry device receives data that is encrypted using the device transport key, it uses the decrypted principal encryption key to decrypt the device transport key in flash memory and then uses the decrypted device transport key to decrypt data.
When you, a user, or a password timeout locks the BlackBerry device, the wireless transceiver remains on and the BlackBerry device does not delete the memory that is associated with the principal encryption key or device transport key. The BlackBerry device is designed to prevent the decrypted principal encryption key and the decrypted device transport key from appearing in flash memory.
You can turn on content protection for device transport keys on the BlackBerry device when you configure the Force Content Protection of Master Keys IT policy rule. When you turn on content protection of device transport keys, the BlackBerry device uses the ECC key strength that you specified in the Content Protection Strength IT policy rule to encrypt the device transport keys.
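The key hierarchy described above, as an added Python model that is not BlackBerry code: flash memory holds only wrapped keys, and the decrypted principal encryption key stays in RAM after a lock so that incoming data can still be decrypted. Assumptions: the names `Device`, `seal`, `unseal` and `demo` are hypothetical, the content protection key is treated as a 32-byte symmetric key (the ECC step set by the Content Protection Strength rule is not modelled), and an HMAC-SHA256 construction stands in for the device's actual ciphers.

```python
import hashlib, hmac, os

def _sub(key, label):
    # Separate encryption and MAC subkeys derived from one wrapping key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Keystream: HMAC-SHA256 in counter mode (stdlib stand-in, not the device cipher).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, data):
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

class Device:
    def __init__(self, content_protection_key, transport_key):
        principal = os.urandom(32)
        # Flash holds only wrapped keys: principal under the content
        # protection key, transport key under the principal key.
        self.flash = {"principal": seal(content_protection_key, principal),
                      "transport": seal(principal, transport_key)}
        self.ram = {"principal": principal}  # decrypted copy lives in RAM only
        self.locked = False

    def lock(self):
        # Locking does not clear the principal key from RAM.
        self.locked = True

    def receive(self, blob):
        # Unwrap the transport key from flash into a local, then decrypt the data.
        transport = unseal(self.ram["principal"], self.flash["transport"])
        return unseal(transport, blob)

def demo():
    cpk, transport = os.urandom(32), os.urandom(32)  # constructed sample keys
    dev = Device(cpk, transport)
    dev.lock()
    msg = dev.receive(seal(transport, b"constructed sample message"))
    # True if either plaintext key appears anywhere in the flash contents.
    leaked = any(k in v for v in dev.flash.values() for k in (transport, dev.ram["principal"]))
    return msg, leaked
```
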