BlackBerry Forums Support Community


juwaack68 11-07-2007 01:55 PM

Media Card Encryption/Security via IT Policy
 
I am trying to set some security on media cards and have run into some odd behavior. I don't want to disable the media cards, just encrypt and secure the data in the event the device is lost/stolen/abducted by aliens.

Not sure if I've missed something or not....I wasn't able to find anything about this on the boards. We are running BES 4.1.4 MR2; Exchange 2003 SP2.

In my test IT Policy I have the 'External File System Encryption Level' set to "Encrypt to user-provided password; include multi-media directories". I then applied this policy to my Sprint 8830 (has a 4G Sandisk card).

Under Options / Media card the Encryption Mode changed to "Security Password", and Encrypt Media Card changed to "Yes". Neither one of these options can be changed on the device.

I put some additional media (.jpg's) on my card via Media Manager and noticed that the NEW files received a new extension of .ren. The OLD files (already existing) still had the .jpg extension.

I then took the media card out of my device and put it into another 8830. The other device prompted for a password in order to read the media card. Ok, good. He tried a wrong password and it wouldn't let him past the password prompt.

However, I then took that same device with my card in it and connected it to Desktop Manager. The user entered his password (on the PC) to complete the connection and opened Media Manager. At this point, no (correct) password had been entered on the device for the media card.

The files with the .ren were not able to be manipulated with Media Manager - He received a 'General Failure'. So far so good.

However, he was able to use Media Manager to access the OLD files from the media card, copy them to his PC, and open them (the ones with the .jpg). This is NOT good.

I'm currently on the phone with RIM to find out if there is a way to encrypt the EXISTING files on a media card so that I can implement this policy. If there is no way to do this, I fear our security director (the guy I was testing with) will want me to disable the media cards.

Any help would be appreciated, and I will post back after I talk more with RIM.

zip 11-07-2007 02:14 PM

In my testing, I was not able to encrypt existing files on the SD card. Also, there would still be alternative ways to add unencrypted data to the cards as detailed in this article from blackberry.com: BlackBerry Search Results

Our inability to adequately ensure the data was encrypted, combined with little to no current business requirements for the functionality, led us to disable SD card access for now.

-zip

juwaack68 11-07-2007 02:30 PM

Thanks for the reply, Zip, I heard the same thing from RIM (glad they are on the same page! ;-) )

They said there is no way, via IT Policy, to encrypt existing files on a media card. He did say that users could move the files off the card and then back onto the card and they would then be encrypted. Yea, right, that'll happen right after I win the lottery.

The security guy isn't very excited about this, but is going to let me invoke the encryption vs. disabling the card, pending further research - like how many of our users are already using cards.

My next step is to see if there is a way that I can find out how many users have media cards. Anyone know of a way to check this from the BES???

penguin3107 11-07-2007 02:41 PM

Quote:

Originally Posted by juwaack68 (Post 731661)
My next step is to see if there is a way that I can find out how many users have media cards. Anyone know of a way to check this from the BES???

Sure... set and apply an IT policy to disable the Media Card and then wait for your phone to ring. ;-)

juwaack68 11-07-2007 02:48 PM

Hahaha..... that thought DID cross my mind ;-)

Frank Castle 11-07-2007 02:58 PM

I played with these policies when they first came out and found the same things. I think what I question is since the main reason for concern is putting work DATA (Word, Excel) on the device, it's easier to disable USB use and let the user use the card for photo / video / music storage as there is no way to open and edit a DATA type document .. yet.

juwaack68 11-07-2007 02:59 PM

^^ Can you explain that a little further? I'm not sure I follow.....

juwaack68 11-07-2007 04:27 PM

Now I have found something else that is a little irritating.

If I put my media card in a USB adapter I can copy files to it from my PC (or anyone else's PC) via Windows Explorer or Media Manager and they are not encrypted. Even after I put the media card back into my BlackBerry.

UGH!

zip 11-08-2007 11:19 AM

Quote:

Originally Posted by juwaack68 (Post 731836)
Now I have found something else that is a little irritating.

If I put my media card in a USB adapter I can copy files to it from my PC (or anyone else's PC) via Windows Explorer or Media Manager and they are not encrypted. Even after I put the media card back into my BlackBerry.

UGH!

That is what I was referencing in the link in my post above. Even with encryption enabled, there are multiple methods to transfer unencrypted data to the card, and no way to encrypt it once it is there.

-zip
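
Added example (not part of the original thread and not any poster's or RIM's code): a way to inventory, from a PC with the card in a USB adapter, which files sit on the card unprotected. It assumes the `.ren` suffix reported in the thread marks device-encrypted files; the category names, the `pictures` folder and the sample files are constructed for illustration.

```python
import os
import tempfile

# Suffix the thread reports on files written after the policy applied (as posted).
ENCRYPTED_SUFFIX = ".ren"
# Well-known plaintext signatures of common media formats.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"ID3")

def classify(path):
    """Return 'encrypted', 'plaintext' or 'review' for one file on the card."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(MAGIC):
        return "plaintext"      # readable media header, whatever the file is named
    if path.lower().endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    return "review"             # no suffix, unknown type: assume unprotected

def audit_card(root):
    """Walk the mounted card; group card-relative paths by classification."""
    report = {"encrypted": [], "plaintext": [], "review": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[classify(full)].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}

def build_sample_card(root):
    """Constructed sample card: the cases described in the thread."""
    pics = os.path.join(root, "pictures")   # hypothetical folder name
    os.makedirs(pics)
    samples = {
        "old.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # on card before policy
        "new.jpg.ren": bytes(range(40, 60)),                # stand-in for ciphertext
        "from_pc.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # copied via USB adapter
        "notes.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 8,     # non-media document
    }
    for name, data in samples.items():
        with open(os.path.join(pics, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        build_sample_card(card)
        for kind, paths in audit_card(card).items():
            print(f"{kind:9} {len(paths)}: {paths}")
```

Pointing `audit_card` at the drive letter of a real card gives the list of files that would still open on any PC, which is the number a security review needs before choosing between the encryption policy and disabling cards.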

hdawg 11-25-2007 03:00 PM

Quote:

Originally Posted by juwaack68 (Post 731836)
Now I have found something else that is a little irritating.

If I put my media card in a USB adapter I can copy files to it from my PC (or anyone else's PC) via Windows Explorer or Media Manager and they are not encrypted. Even after I put the media card back into my BlackBerry.

UGH!

I submitted a request to have the ability to encrypt everything either locally or remotely ... hopefully both!

I believe Windows Mobile 6.1 will support this functionality; BlackBerry needs to do this.


All times are GMT -5.