System requirements for stored file encryption on BlackBerry smartphones
Java® based BlackBerry smartphones that run BlackBerry® Device Software 4.0 to 5.0
Java based BlackBerry smartphones that support external file storage using a media card (BlackBerry smartphones that run BlackBerry Device Software 4.2 to 5.0)
Encrypting stored files on BlackBerry smartphones
Turn on the Content Protection option (Options > Security Options > General Settings).
Turn on Media Card Support (Options > Media Card or Options > Memory > Media Card Support).
Set the encryption mode for the external file system. The BlackBerry smartphone encrypts files stored on the media card.
Choose whether to encrypt media files in external memory only on the BlackBerry smartphone.
BlackBerry Device Software 4.7 to 5.0 - If the Encrypt Media Files option is set to Yes, the BlackBerry smartphone encrypts all files that have an audio, image, or video Multipurpose Internet Mail Extensions (MIME) type, excluding OMA Digital Rights Management (DRM) file types (.dcf, .odf, .o4a and .o4v).
BlackBerry Device Software 4.2 to 4.7 - If the Encrypt Media Files option is set to Yes, the BlackBerry smartphone encrypts files according to the folders they are stored in on the media card (/BlackBerry/videos/, /BlackBerry/music/, /BlackBerry/pictures/, /BlackBerry/ringtones/ and /BlackBerry/voicenotes/).
Note: The BlackBerry smartphone does not encrypt files transferred using USB while the Mass Storage Mode Support option is turned on, or OMA DRM files. OMA DRM files are protected using the OMA DRM standard.
For more information about how BlackBerry smartphones encrypt stored data, see the BlackBerry Enterprise Solution Security Technical Overview.
Data that the BlackBerry smartphone can encrypt in internal memory
When content protection is enabled on BlackBerry smartphones, the BlackBerry smartphones encrypt the following user data items:
Automatic text replacement:
All text that automatically replaces the text that is typed

Browser data:
Content that web sites or third-party applications push to the BlackBerry smartphone
Web sites that are saved on the BlackBerry smartphone
Browser cache

Appointments and meeting requests:
Subject
Location
Organizer
Attendees
Notes included in the appointment or meeting request

Contacts (in the contact list):
All information except the contact title and category

Note: The administrator can set the Force Include Address Book In Content Protection IT policy rule to True to prevent the Include Address Book option from being turned off on the BlackBerry smartphone. The BlackBerry smartphone permits the Caller ID and Bluetooth® Address Book transfer features to work when content protection is turned on and the BlackBerry smartphone is locked.

Email messages:
Subject
Email addresses
Message body
Attachments

Notes:
Title
Information included in the body of the note

DRM forward-locked applications:
A key identifying the BlackBerry smartphone and a key identifying the Subscriber Identity Module (SIM) card (if available) that the BlackBerry smartphone adds to DRM forward-locked applications

Software token seed:
The contents of the .sdtid file seed stored in flash memory

Tasks:
Title
Information included in the body of the task

Protecting user data stored on a locked BlackBerry smartphone
If content protection is turned on, user data that the BlackBerry smartphone stores is always protected with the 256-bit Advanced Encryption Standard (AES) encryption algorithm. Content protection of user data is designed to perform the following actions:
Use a 256-bit AES content protection key to encrypt stored data when the BlackBerry smartphone is locked
Use an Elliptic Curve Cryptography (ECC) public key to encrypt data that the BlackBerry smartphone receives when it is locked
Turning on protected storage of BlackBerry smartphone data in internal memory
Administrators turn on protected storage of data on the BlackBerry smartphone by setting the Content Protection Strength IT policy rule. Administrators should choose a strength level that corresponds to the desired Elliptic Curve Cryptography (ECC) key strength. If content protection is turned on from the BlackBerry smartphone itself, the content protection strength in the BlackBerry smartphone Security Options can be set to the same levels that administrators can set using the Content Protection Strength IT policy rule.
Protecting files stored in external memory on the BlackBerry smartphone
The BlackBerry smartphone is designed to prevent a third-party device from using the media card by encrypting data that it stores on an external memory device.
Data that the BlackBerry smartphone can encrypt in external memory
If media card encryption is turned on, the BlackBerry smartphone encrypts its external file system, but the administrator or the BlackBerry smartphone user must specify whether to include stored media files in file encryption. The external file system encryption does not apply to files that are manually transferred to external memory (for example, from a USB mass storage device).
Setting the external memory encryption level
The administrator can use the External File System Encryption Level IT policy rule to enforce a minimum level of encryption for the external file system. If this IT policy rule is set, the encryption mode on the BlackBerry smartphone can still be set to any level stronger than the minimum.
Device key: The BlackBerry smartphone uses a randomly generated device key to encrypt the external file system.
Smartphone password: The BlackBerry smartphone uses the BlackBerry smartphone password to encrypt the external file system. Turning on this option turns on the password prompt on the BlackBerry smartphone automatically. The BlackBerry smartphone then requires the user to set a BlackBerry smartphone password if one does not exist already.
Device key and smartphone password: The BlackBerry smartphone uses the randomly generated device key and the BlackBerry smartphone password to encrypt the external file system. Turning on this option requires the BlackBerry smartphone password to be set if one does not exist already.
Transferring encrypted media files
The BlackBerry smartphone can be connected to a computer to transfer files between the BlackBerry smartphone and the computer, or it can use Bluetooth® technology to send media files to, or receive media files from, a Bluetooth enabled device.
Turning on the mass storage mode option on the BlackBerry smartphone allows files to be transferred quickly over a USB connection between the media card and the computer without using the media programs in the BlackBerry® Desktop Manager. When files are transferred to the media card using mass storage mode, the BlackBerry smartphone does not encrypt them, even if the BlackBerry smartphone is set to encrypt files stored on the media card. When encrypted files are transferred from the media card using mass storage mode, the computer cannot decrypt them.
Moving the media card to a different BlackBerry smartphone
If the media card is removed from the BlackBerry smartphone and placed in a new BlackBerry smartphone, the new BlackBerry smartphone cannot decrypt any files that the first BlackBerry smartphone encrypted on the media card using a randomly generated device key. If the first BlackBerry smartphone encrypted the files on the media card using the BlackBerry smartphone password, the new BlackBerry smartphone prompts for the password used on the first BlackBerry smartphone before it allows access to those files.
By downloading, accessing or otherwise using the Knowledge Base documents you agree:
(a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and
(b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.