Security Technical Overview

Local Navigation

Encrypting the device transport key on a locked device

If you turn on content protection for device transport keys, a BlackBerry® device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory. The device encrypts the principal encryption key using the content protection key. When a locked device receives data that is encrypted using the device transport key, it uses the decrypted principal encryption key to decrypt the device transport key in flash memory and then uses the decrypted device transport key to decrypt data.

When you, a user, or a password timeout locks the device, the wireless transceiver remains on and the device does not delete the memory that is associated with the principal encryption key or device transport key. The device is designed to prevent the decrypted principal encryption key and the decrypted device transport key from appearing in flash memory.

You can turn on content protection for device transport keys on the device when you configure the Force Content Protection of Master Keys IT policy rule. When you turn on content protection of device transport keys, the device uses the ECC key strength that you specified in the Content Protection Strength IT policy rule to encrypt the device transport keys.

What happens when a user resets a device after you turn on content protection for the device transport key

If you turn on content protection of device transport keys, a BlackBerry® device performs the following actions when a user resets the device by removing and reinserting the battery:
  • turns off the data connection over the wireless network
  • suspends serial bypass connections if your organization's environment includes an enterprise Wi-Fi® network and the device can connect directly to a BlackBerry Router
  • frees the memory that is associated with all data and keys, including the decrypted principal encryption key
  • locks itself

The device is designed to turn off the data connection and serial bypass connection while the content protection key is unavailable to decrypt the principal encryption key in flash memory. Until a user unlocks the device, the device cannot receive and decrypt data. The device does not turn off the wireless transceiver and can still receive phone calls, SMS text messages, and MMS messages.

When the user unlocks the device after resetting it, the device performs the following actions:
  • uses the content protection key to decrypt the principal encryption key in flash memory
  • stores the decrypted principal encryption key in flash memory
  • connects to the BlackBerry® Infrastructure
  • resumes serial bypass connections
  • receives data from the BlackBerry® Enterprise Server
Back To Top

Was this information helpful? Send us your comments.