Security Technical Overview

Local Navigation

Protecting data that a device stores on a media card

To protect the data that a BlackBerry® device stores on a media card, you can configure the External File System Encryption Level IT policy rule, or a user can configure the corresponding option on the device. You can use this rule or option to configure whether the device encrypts the data using a password that a user provides, a device key that is randomly generated and stored in the NV store, or both.

A media card can store a master key and the code-signing keys that are included in the header information of encrypted files. The code-signing keys permit only applications that signed the files to access the files. A device is designed to use the master key that is stored on the media card to decrypt and encrypt files on the media card. The master key and code-signing keys use AES encryption. The device is designed to check the code-signing keys when the device opens the input streams or output streams of an encrypted file and to use code-signing with RSA-1024 encryption to control access to objects on the media card.

When a user stores a file on a media card for the first time after you or the user turns on encryption of media cards, the device decrypts the encryption key for the media card file and uses it to encrypt the stored file. The device does not encrypt files that a user transfers to the media card using a USB mass storage device.

The device, a computer, and other devices that use the media card can modify encrypted files (for example, truncate files) on the media card. The device is not designed to perform integrity checks on data in encrypted files.

For more information, visit www.blackberry.com/go/serverdocs to read Enforcing encryption of internal and external file systems on BlackBerry devices Technical Overview.

Process flow: Generating an encryption key for a media card

When you or a user turns on encryption of media cards for the first time, a BlackBerry® device generates an encryption key (also known as a session key) for a media card.

To generate an encryption key, the BlackBerry device performs the following actions:

  1. generates an AES-256 encryption key
  2. stores the encryption key in the NV store in RAM on the BlackBerry device
  3. XORs the AES-256 encryption key with another AES-256 encryption key that is encrypted with a password to generate the encryption key for the media card
  4. encrypts the encryption key for the media card using the AES-256 encryption key
  5. stores the encrypted encryption key for media cards on the media card
Back To Top

Was this information helpful? Send us your comments.