Knox White Paper
DualDAR Encryption
Protecting Data-At-Rest (DAR) on mobile devices is a major concern for security-conscious enterprises. Samsung Knox Sensitive Data Protection (SDP) already addresses this issue by decrypting data only after user authentication, providing per-file and per-data decryption keys, offering per-app password checks, and meeting MDFPP requirements for US government and military use.
Knox DualDAR adds two separate layers of encryption, meeting the further requirements of classified deployments. Knox DualDAR secures all Work profile data on devices with two distinct levels of encryption. The solution also protects data by restricting apps from writing or saving data to the unencrypted space on the device. As the name implies, Knox DualDAR is based on two layers of data encryption, so understanding DualDAR means examining how each of its two layers works.
The DualDAR solution provides the following two separate layers of encryption and key generation. All data placed inside the Work profile is encrypted by both layers. Currently, DualDAR only secures data placed inside the designated Work profile.
- Outer layer: The outer layer of the DualDAR solution is built on top of Android's FBE and enhanced by Samsung to meet MDFPP requirements. This layer is implemented in the SoC's dedicated flash storage encryption engine, which is the Qualcomm Integrated Crypto Engine (ICE) or the Exynos Flash Memory Protector (FMP), depending on the chipset. Data at this layer is encrypted with AES-256-XTS, and the file encryption keys are themselves encrypted with AES-256-GCM.
- Inner layer: The inner layer of encryption is based on a framework that allows an independent third party to install a separate cryptographic module. If no third-party module is installed, the inner layer is provided by a FIPS 140-2 certified cryptographic module included with the Samsung Knox framework.
DualDAR is supported on the Galaxy S10, N10, S20, and subsequent flagship models, and is compatible with Android FBE.
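As an added illustration of the outer layer just described, here is example code that is not part of the Samsung white paper or of the Knox implementation: it encrypts one data unit with AES-256-XTS under a fresh per-file key, using the sector number as the XTS tweak, and seals that file key with AES-256-GCM under a master key, so that only the wrapped key is stored next to the data. The master key, the `OuterFile` layout and the function names are this example's own assumptions; how the real outer layer derives and stores its keys inside the FBE hierarchy and the ICE/FMP hardware is outside what this example models.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// OuterFile is one data unit as this example's outer layer stores it: the per-file
// AES-256-XTS key travels alongside, sealed with AES-256-GCM under a master key.
// The layout is an assumption of this example, not Knox's or Android's on-disk format.
type OuterFile struct {
	Sector     uint64 // data-unit index, used as the XTS tweak
	WrapNonce  []byte // 12-byte GCM nonce for the key wrap
	WrappedKey []byte // 64-byte XTS key followed by the 16-byte GCM tag
	Ciphertext []byte
}

// xts applies AES-XTS (IEEE 1619) to the whole 16-byte blocks of one data unit; the
// ciphertext-stealing step for a trailing partial block is omitted, so inputs must be aligned.
func xts(key1, key2 []byte, sector uint64, in []byte, encrypt bool) ([]byte, error) {
	c1, err1 := aes.NewCipher(key1)
	c2, err2 := aes.NewCipher(key2)
	if err1 != nil || err2 != nil || len(in)%16 != 0 {
		return nil, errors.New("xts: bad key length or unaligned input")
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	c2.Encrypt(t[:], t[:]) // T = E_K2(data-unit number)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		blk := out[i : i+16]
		subtle.XORBytes(blk, in[i:i+16], t[:])
		if encrypt {
			c1.Encrypt(blk, blk)
		} else {
			c1.Decrypt(blk, blk)
		}
		subtle.XORBytes(blk, blk, t[:])
		var carry byte // next tweak: T *= alpha in GF(2^128), polynomial x^128+x^7+x^2+x+1
		for j := range t {
			t[j], carry = t[j]<<1|carry, t[j]>>7
		}
		if carry != 0 {
			t[0] ^= 0x87
		}
	}
	return out, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// EncryptUnit draws a fresh per-file XTS key, encrypts data with it under the sector
// tweak, and wraps the key with AES-GCM under masterKey so that only the wrap is stored.
func EncryptUnit(masterKey []byte, sector uint64, data []byte) (*OuterFile, error) {
	g, err := gcm(masterKey)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 64+g.NonceSize()) // K1 || K2 (AES-256-XTS needs two AES-256 keys), then a nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:64], buf[64:]
	ct, err := xts(fileKey[:32], fileKey[32:], sector, data, true)
	if err != nil {
		return nil, err
	}
	wrapped := g.Seal(nil, nonce, fileKey, nil)
	for i := range fileKey { // the plaintext file key does not outlive this call
		fileKey[i] = 0
	}
	return &OuterFile{Sector: sector, WrapNonce: nonce, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptUnit unwraps the file key, which fails on a wrong master key or a tampered
// wrap before any data is touched, and then reverses the XTS layer.
func DecryptUnit(masterKey []byte, f *OuterFile) ([]byte, error) {
	g, err := gcm(masterKey)
	if err != nil {
		return nil, err
	}
	fileKey, err := g.Open(nil, f.WrapNonce, f.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("file key unwrap failed: wrong master key or tampered metadata")
	}
	return xts(fileKey[:32], fileKey[32:], f.Sector, f.Ciphertext, false)
}
```

Because the tweak changes per block and per sector, two identical plaintext blocks, or the same data written to two different sectors, give different ciphertext; that is what XTS adds over raw block encryption. The GCM tag on the wrapped key rejects a wrong master key or a modified wrap before any data is processed. XTS itself provides no integrity check: a flipped ciphertext byte decrypts to a garbled block without error, so integrity has to come from elsewhere in the stack.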
How DualDAR encryption works
DualDAR's inner and outer security layers are independent, and together they protect all information stored in the Work profile while the device is powered off or in an unauthenticated state. Samsung Knox DualDAR builds on the Android File-Based Encryption (FBE) architecture.
On an FBE-enabled device, an app has the following two storage locations available.
- Credential Encrypted (CE) storage: Default storage location and only available after a user has unlocked the device.
- Device Encrypted (DE) storage: Storage location available both during Direct Boot mode and after the user has unlocked the device.
From an app's point of view, the DualDAR Work profile functions as CE storage. The Knox framework prevents apps from writing data to DE storage, which DualDAR does not protect. In some cases, an app is aware of both CE and DE storage and needs to write unclassified content to DE storage; for those cases, IT admins can allow that specific app to write to DE storage. This strict allowlist process ensures that no app can write sensitive or classified content to DE storage without explicit IT admin approval.
When the Work container is configured for DualDAR, the secured data is available as follows.
- On a device that supports and is configured for DualDAR, access to app data inside the container is only available when the container is unlocked, that is when the user is actively using the container.
- When the container—or device as a whole—is locked, the container encryption keys are evicted from memory.
- In a data lock state, the Samsung device remains powered on but the user is locked out of both the Work container and the device. All sensitive data is protected in Credential Encrypted (CE) storage within the Work profile. CE storage is not available until the user provides both their device and Work profile credentials.
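As an added example (not from the white paper or the Knox code base) of the behaviour described above: a container that holds one key per layer only while unlocked, keys each layer from a different credential, and evicts both keys on lock. Both layers are AES-256-GCM here, standing in for the outer layer's XTS sector cipher and for whatever cryptographic module sits at the inner layer, and the credential-to-key derivation is a plain HMAC placeholder rather than a hardened KDF; the `layer` and `Container` types and their method names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// layer is one independently keyed encryption layer. Both layers use AES-256-GCM here,
// which stands in for the outer layer's XTS sector cipher and for a third-party inner
// module; the point of the example is how the two compose and how their keys come and go.
type layer struct{ key []byte }

func (l *layer) aead() (cipher.AEAD, error) {
	if l.key == nil {
		return nil, errors.New("key evicted: container is locked")
	}
	b, err := aes.NewCipher(l.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// seal returns nonce || ciphertext || tag.
func (l *layer) seal(pt []byte) ([]byte, error) {
	g, err := l.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

func (l *layer) open(ct []byte) ([]byte, error) {
	g, err := l.aead()
	if err != nil {
		return nil, err
	}
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// evict zeroes the key material and drops the reference.
func (l *layer) evict() {
	for i := range l.key {
		l.key[i] = 0
	}
	l.key = nil
}

// deriveKey stands in for a real credential KDF (production designs use a memory-hard
// password KDF and hardware-bound secrets); HMAC keeps the example self-contained.
func deriveKey(credential, label string) []byte {
	m := hmac.New(sha256.New, []byte(label))
	m.Write([]byte(credential))
	return m.Sum(nil) // 32 bytes: one AES-256 key
}

// Container models the Work profile's CE storage: readable only while both layers hold a key.
type Container struct{ outer, inner layer }

// Unlock keys each layer from a different credential, so one leaked or guessed
// credential opens at most one layer.
func (c *Container) Unlock(deviceCred, workCred string) {
	c.outer.key = deriveKey(deviceCred, "outer-layer")
	c.inner.key = deriveKey(workCred, "inner-layer")
}

// Lock evicts both layer keys from memory, as happens when the container or device locks.
func (c *Container) Lock() {
	c.outer.evict()
	c.inner.evict()
}

// Locked reports whether no layer key is resident.
func (c *Container) Locked() bool { return c.outer.key == nil && c.inner.key == nil }

// Write applies the inner layer first, then the outer layer, so data at rest is doubly encrypted.
func (c *Container) Write(pt []byte) ([]byte, error) {
	inner, err := c.inner.seal(pt)
	if err != nil {
		return nil, err
	}
	return c.outer.seal(inner)
}

// Read peels the outer layer, then the inner one; the error names the layer that refused.
func (c *Container) Read(ct []byte) ([]byte, error) {
	inner, err := c.outer.open(ct)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	pt, err := c.inner.open(inner)
	if err != nil {
		return nil, fmt.Errorf("inner layer: %w", err)
	}
	return pt, nil
}
```

Reading with the correct device credential but a wrong Work profile credential fails at the inner layer, and a wrong device credential fails at the outer layer before the inner ciphertext is even reached; after Lock, both reads and writes fail because no key is resident in memory, which is the state the data lock description above relies on.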
Unique advantages of Knox DualDAR
DualDAR encryption has the following significant advantages over traditional single layer encryption methods.
- Mitigate risks of implementation flaws: DualDAR reduces the likelihood of unauthorized data access by mitigating the risks that arise from vulnerabilities in a single encryption layer. While one of the many techniques for unauthorized data access may break through a single layer of encryption, the chance that exploitable vulnerabilities exist in both layers at once is very low.
- Mitigate risks of password configuration flaws: Both layers of encryption on a DualDAR-configured device use separate and distinct authentication methods to allow access. This separation of authentication methods reduces the likelihood that a single misplaced or misconfigured password is exploited on both layers of data encryption at the same time. Two layers of encryption and two methods of authentication ensure that encrypted data remains protected even in the event of a breach of one layer.
- Provide access using strict security evaluation criteria: DualDAR meets the standards laid out in the FIPS 140 certification requirements. Both the inner and outer layers use FIPS 140 certified cryptographic modules. GCM is used to encrypt the key, while data is encrypted using XTS or CBC.
- Ease of deployment: DualDAR leverages the built-in Android FBE framework and builds additional layers of security on top of it. This solution is available on devices that use a Work container in PO mode as well as on fully managed devices that include a PO mode. For more information on configuring this solution for your supported device, see the DualDAR architecture page.
- Customize the second layer of encryption: DualDAR allows IT admins to implement third-party encryption solutions at the inner layer of encryption. This freedom of implementation means IT admins can use and configure any third-party cryptographic module, including solutions that meet FIPS 140 certification criteria.
- Flexible deployment methods: IT admins can implement and configure DualDAR on all kinds of devices, including BYOD and company-issued devices. DualDAR is compatible with both a Work container in PO mode and a fully managed device that includes a PO mode. This flexibility means IT admins can use this data security solution on a wide variety of devices within their enterprise.
For more information on DualDAR and its unique design, see the DualDAR architecture page.