Knox White Paper
Protecting Data-At-Rest (DAR) on mobile devices is a major concern for security-conscious enterprises. Samsung Knox Sensitive Data Protection (SDP) already addresses this concern: it decrypts data only after user authentication, uses per-file and per-data decryption keys, offers per-app password checks, and meets the MDFPP requirements for US government and military use.
Knox DualDAR adds a second, independent layer of encryption on top of this, which meets the requirements of classified deployments. Knox DualDAR secures all Work profile data on the device with two distinct layers of encryption, and additionally prevents apps from writing or saving data to unencrypted space on the device. Understanding DualDAR therefore means understanding how each of its two encryption layers works.
DualDAR provides the following two separate layers of encryption, each with its own key generation. All data placed inside the Work profile is encrypted by both layers. Currently, DualDAR only secures data placed inside the designated Work profile.
- Outer layer: The outer layer of DualDAR is built on Android's File Based Encryption (FBE) and enhanced by Samsung to meet MDFPP requirements. It is implemented in the SoC's dedicated inline flash-storage encryption hardware, which is Qualcomm's Integrated Crypto Engine (ICE) or Exynos' Flash Memory Protector (FMP), depending on the chipset. Data at this layer is encrypted with AES-256-XTS, and the file encryption keys are themselves encrypted with AES-256-GCM.
- Inner layer: The inner layer is based on a framework that allows an independent third party to install a separate cryptographic module. If no third-party module is installed, the inner layer is provided by a FIPS 140-2 certified cryptographic module included with the Samsung Knox framework.
DualDAR is supported on all devices with Knox version 3.3 or later and compatible with Android FBE. For more information on finding your Knox version, see the Prerequisite section on the DualDAR UEM integration page.
How DualDAR encryption works
DualDAR's inner and outer security layers are independent and protect all information stored in the Work profile when the device is in a powered off or unauthenticated state. Samsung Knox DualDAR leverages Android File Based Encryption (FBE) architecture.
On an FBE-enabled device, an app has the following two storage locations available to it.
- Credential Encrypted (CE) storage: Default storage location and only available after a user has unlocked the device.
- Device Encrypted (DE) storage: Storage location available both during Direct Boot mode and after the user has unlocked the device.
From an app's point of view, the DualDAR Work profile functions as CE storage. The Knox framework prevents apps from writing data to DE storage, which is not protected by DualDAR. In some cases an app is aware of both CE and DE storage and needs to write unclassified content to DE storage (for example, data it must read during Direct Boot). In such cases, IT admins can whitelist that app for DE writes. This strict whitelist process ensures that no app can write sensitive or classified content to DE storage without explicit IT admin approval.
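The following Android app-side helper is an added example written for this page; it is not Knox or Android code, and the class name ProfileStorage and its methods are this example's own. It shows the CE/DE split described above using the standard Android APIs: the default Context writes to CE storage, a Context from createDeviceProtectedStorageContext() writes to DE storage, and UserManager.isUserUnlocked() reports whether the CE keys are currently installed. Sensitive data is never redirected to DE when the profile is locked; it is held in memory and flushed when the ACTION_USER_UNLOCKED broadcast arrives. The DE write path is assumed to be used only by an app the IT admin has whitelisted; the page does not specify how the Knox framework fails a non-whitelisted DE write, so this example does not depend on a particular failure mode.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.UserManager;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example (not a Knox or Android API): routes app writes to CE or DE
 * storage explicitly and defers sensitive writes while the profile is locked.
 * Requires API level 24+ for the Direct Boot APIs used below.
 */
public final class ProfileStorage {

    /** A sensitive write that arrived while CE storage was unavailable. */
    private static final class Pending {
        final String name;
        final byte[] data;
        Pending(String name, byte[] data) { this.name = name; this.data = data; }
    }

    private final Context ceContext;   // default context: files land in CE storage
    private final Context deContext;   // device-protected context: files land in DE storage
    private final UserManager userManager;
    private final Deque<Pending> deferred = new ArrayDeque<>(); // in memory only, never on DE

    public ProfileStorage(Context appContext) {
        ceContext = appContext.getApplicationContext();
        deContext = appContext.createDeviceProtectedStorageContext();
        userManager = appContext.getSystemService(UserManager.class);
        // ACTION_USER_UNLOCKED is sent once the CE keys for this user/profile are installed.
        ceContext.registerReceiver(new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent i) {
                if (Intent.ACTION_USER_UNLOCKED.equals(i.getAction())) {
                    flushDeferred();
                }
            }
        }, new IntentFilter(Intent.ACTION_USER_UNLOCKED));
    }

    /** True only while the profile is unlocked, i.e. CE keys are in memory. */
    public boolean isCeAvailable() {
        return userManager.isUserUnlocked();
    }

    /**
     * Sensitive (classified) content: CE storage only. If the profile is
     * locked, keep the write in memory rather than falling back to DE storage.
     */
    public synchronized void writeSensitive(String name, byte[] data) throws IOException {
        if (!isCeAvailable()) {
            deferred.add(new Pending(name, data));
            return;
        }
        writeTo(ceContext, name, data);
    }

    /**
     * Unclassified content a whitelisted app must be able to read in Direct
     * Boot (e.g. a notification channel definition). Callers that are not
     * on the IT admin's whitelist should never reach this method.
     */
    public void writeUnclassified(String name, byte[] data) throws IOException {
        writeTo(deContext, name, data);
    }

    /** Drain the deferred queue once CE storage has become available. */
    private synchronized void flushDeferred() {
        Pending p;
        while (isCeAvailable() && (p = deferred.poll()) != null) {
            try {
                writeTo(ceContext, p.name, p.data);
            } catch (IOException e) {
                deferred.addFirst(p); // keep the item; retry on the next unlock
                return;
            }
        }
    }

    private static void writeTo(Context ctx, String name, byte[] data) throws IOException {
        File f = new File(ctx.getFilesDir(), name); // getFilesDir() differs per context: CE vs DE
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(data);
        }
    }
}
```

The deferred queue is a deliberate trade-off: data waiting in RAM is not covered by either DualDAR layer, but it is lost on process death rather than written to a location outside the protected profile. For a Direct Boot aware component (android:directBootAware="true"), only the deContext path is usable before unlock; everything else should wait for isCeAvailable() to return true.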
When the Work container is configured for DualDAR, the secured data is available as follows.
- On a device that supports and is configured for DualDAR, access to app data inside the container is only available when the container is unlocked, that is when the user is actively using the container.
- When the container—or device as a whole—is locked, the container encryption keys are evicted from memory.
- In a data lock state, the Samsung device remains powered on but the user is locked out of both the Work container and the device. All sensitive data is protected in Credential Encrypted (CE) storage within the Work profile. CE storage is not available until the user provides both their device and Work profile credentials.
Unique advantages of Knox DualDAR
DualDAR encryption has the following significant advantages over traditional single layer encryption methods.
- Mitigate risks of implementation flaws: DualDAR reduces the likelihood of unauthorized data access by limiting the impact of a vulnerability in any single encryption layer. An attacker who finds a flaw that defeats one layer still faces the other, and the chance that exploitable flaws exist in both independent implementations at the same time is far lower than for either alone.
- Mitigate risks of password configuration flaws: The two layers of a DualDAR-configured device use separate and distinct authentication methods. This separation reduces the likelihood that a single weak, reused, or misconfigured password exposes both layers at once. Two layers of encryption with two methods of authentication keep the data protected even if one layer is breached.
- Meet strict security evaluation criteria: DualDAR meets the standards laid out in the FIPS 140 certification requirements. Both the inner and outer layers use FIPS 140 certified cryptographic modules. AES-GCM is used to encrypt the keys, while data is encrypted using AES-XTS or AES-CBC.
- Ease of deployment: DualDAR leverages the built-in Android FBE framework and adds its additional layer of security on top of it. The solution is available on devices that use a Work container in profile owner (PO) mode as well as on fully managed devices that include a PO-mode Work profile. For more information on configuring this solution for your supported device, see the DualDAR architecture page.
- Customize the second layer of encryption: DualDAR allows IT admins to deploy a third-party encryption solution at the inner layer. IT admins can therefore use and configure the third-party cryptographic module of their choice, including modules that meet FIPS 140 certification criteria.
- Flexible deployment methods: IT admins can implement and configure DualDAR on all kinds of devices, including BYOD and company-issued devices. Whether the device uses a Work container in PO mode or is a fully managed device that includes a PO-mode Work profile, DualDAR supports both models, so IT admins can apply the same data security solution across a wide variety of devices within their enterprise.
For more information on DualDAR and its unique design, see the DualDAR architecture page.