How to encrypt internal and external file systems on BlackBerry smartphones

Article ID: KB16088

Type: Support Content

Last Modified: 08-26-2014

 

Product(s) Affected:

  • BlackBerry Bold 9780
  • BlackBerry Bold 9700
  • BlackBerry Bold 9650
  • BlackBerry Bold 9000
  • BlackBerry Curve 9330
  • BlackBerry Curve 9300
  • BlackBerry Curve 8900
  • BlackBerry Curve 8500 Series
  • BlackBerry Curve 8300 Series
  • BlackBerry Pearl 9100 Series
  • BlackBerry Pearl 8200 Series
  • BlackBerry Pearl 8100 Series
  • BlackBerry Storm smartphones
  • BlackBerry Tour 9630
Environment
  • BlackBerry smartphones

Overview

System requirements for stored file encryption on BlackBerry smartphones

  • Internal files: Java based BlackBerry smartphones that run BlackBerry Device Software 4.0 to 5.0
  • External files: Java based BlackBerry smartphones that support external file storage using a media card (BlackBerry smartphones that run BlackBerry Device Software 4.2 to 5.0)

Encrypting stored files on BlackBerry smartphones

Internal files

Turn on the Content Protection option (Options > Security Options > General Settings).

External files

  1. Turn on Media Card Support (Options > Media Card or Options > Memory > Media Card Support).
  2. Set the encryption mode for the external file system. The BlackBerry smartphone encrypts files stored on the media card.
  3. Choose whether to encrypt media files in external memory only on the BlackBerry smartphone.
    • BlackBerry Device Software 4.7 to 5.0 - If the Encrypt Media Files option is set to Yes, the BlackBerry smartphone encrypts all files that have an audio, image, or video Multipurpose Internet Mail Extensions (MIME) type, excluding OMA Digital Rights Management (DRM) file types (.dcf, .odf, .o4a and .o4v).

    • BlackBerry Device Software 4.2 to 4.7 - If the Encrypt Media Files option is set to Yes, the BlackBerry smartphone encrypts files according to the folders they are stored in on the media card (/BlackBerry/videos/, /BlackBerry/music/, /BlackBerry/pictures/, /BlackBerry/ringtones/ and /BlackBerry/voicenotes/).

    Note: The BlackBerry smartphone does not encrypt files transferred using USB while the Mass Storage Mode Support option is turned on, or OMA DRM files. OMA DRM files are protected using the OMA DRM standard.
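The rules above decide which files on a media card end up encrypted and which stay readable to anyone who removes the card. The following Python model is an added illustration, not BlackBerry code: the folders, MIME classes, DRM extensions and the mass storage mode exception are taken from this article, while the function names, the sample listing and the choice to apply the MIME rule from 4.7 onward (the article lists 4.7 in both version ranges) are this example's own assumptions.

```python
"""Model of the media card encryption rules described above (added illustration,
not BlackBerry code). Version cut-off at 4.7 for the MIME rule is an assumption,
since the article places 4.7 in both ranges."""
from __future__ import annotations
import posixpath

# OMA DRM content is never encrypted by the smartphone; it relies on the DRM standard.
OMA_DRM_EXTENSIONS = {".dcf", ".odf", ".o4a", ".o4v"}
# Device Software 4.2 to 4.7: a media file is recognised by the folder it lives in.
MEDIA_FOLDERS = ("/blackberry/videos/", "/blackberry/music/", "/blackberry/pictures/",
                 "/blackberry/ringtones/", "/blackberry/voicenotes/")
# Device Software 4.7 to 5.0: a media file is recognised by its MIME type class.
MEDIA_MIME_PREFIXES = ("audio/", "image/", "video/")

def is_media_file(version: tuple[int, int], path: str, mime: str) -> bool:
    """Apply the version-specific definition of a 'media file'."""
    if version >= (4, 7):
        return mime.lower().startswith(MEDIA_MIME_PREFIXES)
    folder = posixpath.dirname(path).lower() + "/"  # FAT paths are case-insensitive
    return folder.startswith(MEDIA_FOLDERS)

def smartphone_encrypts(version: tuple[int, int], path: str, mime: str, *,
                        card_encryption_on: bool, encrypt_media_files: bool,
                        via_mass_storage: bool) -> bool:
    """True if the smartphone would store this file encrypted on the media card."""
    if not card_encryption_on or via_mass_storage:
        return False  # copied in over USB mass storage mode: written in the clear
    if posixpath.splitext(path)[1].lower() in OMA_DRM_EXTENSIONS:
        return False  # OMA DRM files are excluded from media card encryption
    if is_media_file(version, path, mime):
        return encrypt_media_files  # governed by the Encrypt Media Files option
    return True  # every other file on the card is encrypted

def cleartext_files(version, listing, **settings) -> list[str]:
    """Audit helper: paths from a (path, mime, via_mass_storage) listing that
    would stay readable to anyone who removes the media card."""
    return [p for p, mime, usb in listing
            if not smartphone_encrypts(version, p, mime, via_mass_storage=usb, **settings)]

# Constructed sample listing, not taken from a real smartphone.
SAMPLE_LISTING = [
    ("/BlackBerry/documents/budget.pdf", "application/pdf", False),
    ("/BlackBerry/music/song.mp3", "audio/mpeg", False),
    ("/BlackBerry/music/track.dcf", "audio/mpeg", False),
    ("/BlackBerry/pictures/holiday.jpg", "image/jpeg", True),
]
```

Running `cleartext_files((5, 0), SAMPLE_LISTING, card_encryption_on=True, encrypt_media_files=True)` shows that even with every option turned on, the DRM file and the picture copied in over mass storage mode remain unencrypted.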

Data that the BlackBerry smartphone can encrypt in internal memory:

When content protection is enabled on BlackBerry smartphones, the BlackBerry smartphones encrypt the following user data items:

AutoText
  • All text that automatically replaces the text that is typed
BlackBerry Browser
  • Content that web sites or third-party applications push to the BlackBerry smartphone
  • Web sites saved on the BlackBerry smartphone
  • Browser cache
Calendar
  • Subject
  • Location
  • Organizer
  • Attendees
  • Notes included in the appointment or meeting request
Contacts (in the contact list)
  • All information except the contact title and category

  Note: The administrator can set the Force Include Address Book In Content Protection IT policy rule to True to prevent users from turning off the Include Address Book option on the BlackBerry smartphone. The BlackBerry smartphone permits the Caller ID and Bluetooth Address Book transfer features to work when content protection is turned on and the BlackBerry smartphone is locked.

Email messages
  • Subject
  • Email addresses
  • Message body
  • Attachments
Memo list
  • Title
  • Information included in the body of the note
OMA DRM applications
  • A key identifying the BlackBerry smartphone and a key identifying the Subscriber Identity Module (SIM) card (if available) that the BlackBerry smartphone adds to DRM forward-locked applications
RSA SecurID Library
  • The contents of the .sdtid seed file stored in flash memory
Tasks
  • Title
  • Information included in the body of the task

Protecting user data stored on a locked BlackBerry smartphone

If content protection is turned on, user data that the BlackBerry smartphone stores is always protected with the 256-bit Advanced Encryption Standard (AES) encryption algorithm. Content protection of user data is designed to perform the following actions:

  • Use a 256-bit AES content protection key to encrypt stored data when the BlackBerry smartphone is locked
  • Use an Elliptic Curve Cryptography (ECC) public key to encrypt data that the BlackBerry smartphone receives when it is locked

Turning on protected storage of BlackBerry smartphone data in internal memory

Administrators turn on protected storage of data on the BlackBerry smartphone by setting the Content Protection Strength IT policy rule. Administrators should choose a strength level that corresponds to the desired Elliptic Curve Cryptography (ECC) key strength. If content protection is turned on from the BlackBerry smartphone itself (in the Security Options), the content protection strength can be set to the same levels that administrators can set using the Content Protection Strength IT policy rule.

Protecting files stored in external memory on the BlackBerry smartphone

The BlackBerry smartphone is designed to prevent a third-party device from using the media card by encrypting data that it stores on an external memory device.

Data that the BlackBerry smartphone can encrypt in external memory

If media card encryption is turned on, the BlackBerry smartphone encrypts its external file system, but the administrator or the BlackBerry smartphone user must specify whether to include stored media files in file encryption. The external file system encryption does not apply to files that are manually transferred to external memory (for example, from a USB mass storage device).

Setting the external memory encryption level

The administrator can use the External File System Encryption Level IT policy rule to enforce a minimum level of encryption for the external file system. If this IT policy rule is set, the encryption mode can still be set to any level that is stronger than the minimum.

Device
  • The BlackBerry smartphone uses a randomly generated device key to encrypt the external file system.
Security Password
  • The BlackBerry smartphone uses the BlackBerry smartphone password to encrypt the external file system. Turning on this option turns on the password prompt on the BlackBerry smartphone automatically. The BlackBerry smartphone then requires the user to set a BlackBerry smartphone password if one does not exist already.
Security Password & Device
  • The BlackBerry smartphone uses the randomly generated device key and the BlackBerry smartphone password to encrypt the external file system. Turning on this option requires the BlackBerry smartphone password to be set if one does not exist already.


Transferring encrypted media files

The BlackBerry smartphone can be connected to a computer to transfer files between the BlackBerry smartphone and the computer, or it can use Bluetooth technology to send media files to, or receive media files from, a Bluetooth enabled device.

Turning on the mass storage mode option on the BlackBerry smartphone allows files to be transferred quickly over a USB connection between the media card and the computer without using the media programs in the BlackBerry Desktop Manager. When files are transferred to the media card using mass storage mode, the BlackBerry smartphone does not encrypt them, even if it is set to encrypt files stored on the media card. When encrypted files are transferred from the media card using mass storage mode, the computer cannot decrypt them.

Moving the media card to a different BlackBerry smartphone

If the media card is removed from the BlackBerry smartphone and placed in a new BlackBerry smartphone, the new BlackBerry smartphone cannot decrypt any files that the first BlackBerry smartphone encrypted on the media card using a randomly generated device key. If the first BlackBerry smartphone encrypted the files on the media card using the BlackBerry smartphone password, the new BlackBerry smartphone prompts for the password that was used on the first BlackBerry smartphone before it permits access to the files.
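The three encryption modes from the "Setting the external memory encryption level" section and the card-portability behaviour described here fit together into a small model. The Python below is an added illustration, not BlackBerry code; it assumes that the modes are ordered by how many secrets they require and that the combined Security Password & Device mode, because it needs the first smartphone's device key, is treated like the Device mode once the card is moved (the article only spells out the two single-secret cases).

```python
"""Added illustration (not BlackBerry code) of the media card encryption modes
and what a second smartphone can do with a moved card. Mode ordering and the
combined mode's behaviour on a second smartphone are this example's assumptions."""
from __future__ import annotations
from enum import IntEnum


class CardMode(IntEnum):
    # Assumed ordering: a mode that needs more secrets is treated as stronger.
    DEVICE = 1                        # randomly generated device key only
    SECURITY_PASSWORD = 2             # smartphone password only
    SECURITY_PASSWORD_AND_DEVICE = 3  # both secrets


def requires_password_set(mode: CardMode) -> bool:
    """Modes that use the password force a smartphone password to exist."""
    return mode in (CardMode.SECURITY_PASSWORD, CardMode.SECURITY_PASSWORD_AND_DEVICE)


def needs_device_key(mode: CardMode) -> bool:
    """Modes whose files cannot be read without the first smartphone's device key."""
    return mode in (CardMode.DEVICE, CardMode.SECURITY_PASSWORD_AND_DEVICE)


def allowed_modes(policy_minimum: CardMode) -> list[CardMode]:
    """Modes the user may still choose once the External File System Encryption
    Level IT policy rule enforces policy_minimum (only the minimum or stronger)."""
    return [m for m in CardMode if m >= policy_minimum]


def can_decrypt_card(mode: CardMode, same_smartphone: bool, knows_password: bool) -> bool:
    """Can a smartphone read files that were written to the card under `mode`?"""
    if needs_device_key(mode) and not same_smartphone:
        return False  # the random device key never leaves the first smartphone
    if requires_password_set(mode) and not knows_password:
        return False  # the new smartphone prompts for the first smartphone's password
    return True
```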

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
