Encrypting user data on a locked device
You or a BlackBerry® device user can turn on content protection to configure a locked device to encrypt stored user data and data that the locked device receives. With content protection turned on, a locked device is designed to encrypt stored data with AES-256 and to encrypt data that it receives with an ECC public key. Content protection applies to the following user data:
- subject, location, meeting organizer, attendees, and any notes in all appointments or meeting requests
- all contact information in the contact list except for the contact title and category
- subject, email addresses of intended recipients, message body, and attachments in all email messages
- title and information that is included in the body of a note for all memos (also known as posted messages)
- subject and all information that is included in the body of tasks (also known as posted all day appointments)
- if you use software tokens, contents of the .sdtid file seed that is stored in flash memory
- all data that is associated with third-party applications that a user installs on the device
- in the BlackBerry® Browser, content that web sites or third-party applications push to the device, any web sites that the user saves on the device, and the browser cache
- all text that the device substitutes automatically for text that the user types (automatic text replacement entries)
You can change the Content Protection of Contact List IT policy rule to Required to prevent the user from turning off content protection for the contact list on the device. If you change the Content Protection of Contact List IT policy rule to Required, the device does not permit call display and does not share contacts over a Bluetooth® connection when the device is locked.
Configuring the encryption of device data on a locked device
You can turn on content protection of BlackBerry® device data on a locked device using the Content Protection Strength IT policy rule. You can choose a strength level that corresponds to the ECC key strength that your organization requires.
A user can turn on content protection in the encryption options, within the security options on the device. The user can change the content protection strength to the level that you specify using the IT policy rule or to a higher level, but not to a lower level.
To make content protection optional or to prevent an administrator or a user from turning on content protection for a device that is running BlackBerry® Device Software 6.0 or later, you can use the Content Protection Usage IT policy rule.
After you or a user configures content protection, a device uses the ECC private key to decrypt an email message that it received while it was locked. The longer the ECC private key, the more time the device requires to decrypt such messages, so the strength level that you choose is a trade-off between encryption strength and decryption time.
The device uses the device password to generate an ephemeral key that the device uses to encrypt the content protection key and ECC private key. If you change the content protection strength to Stronger so that the device uses a 283-bit ECC private key, you can consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 12 characters for the device password. If you change the content protection strength to Strongest so that the device uses a 571-bit ECC private key, you can consider changing the Minimum Password Length IT policy rule to enforce a minimum password length of 21 characters for the device password. These password lengths maximize the encryption strength that the longer ECC private keys are designed to provide. A shorter password length produces a weaker ephemeral key.
Process flow: Encrypting user data on a locked device
- The device locks.
- The device performs the following actions:
  - uses the content protection key to automatically encrypt the bulk of its stored user data and application data
  - frees the memory in RAM that holds the decrypted content protection key and the decrypted ECC private key
  - uses the ECC public key to encrypt data that it receives while it is locked
Process flow: Decrypting user data on an unlocked device
- A user types the correct BlackBerry® device password to unlock a device.
- The device performs the following actions:
  - uses the password to derive the ephemeral key
  - uses the ephemeral key to decrypt the encrypted content protection key and ECC private key that are stored in flash memory
  - stores the decrypted content protection key and ECC private key in RAM
  - uses the decrypted content protection key to decrypt user data (for example, an email message) that the device encrypted with the content protection key while it was locked, when the user tries to access that data
  - uses the decrypted ECC private key to decrypt the ECC-encrypted items (for example, the message body, subject, or recipients) of user data that the device received while it was locked, when the user tries to access that data
When the device opens ECC-encrypted items (usually fewer than 40 messages), it uses the ECC private key to decrypt them, and it re-encrypts them with the content protection key the next time that it locks. If the device does not complete the re-encryption before the user unlocks it again, it resumes the re-encryption the next time that it locks.