Since: Knox API Level 28
package

com.samsung.android.knox.ddar

Provides classes that:

  • Enable creation and configuration of a workspace(container) with Dual DAR protection.
  • Enable third party applications to provide an implementation for an independent second layer of encryption.

Dual DAR

Dual DAR enables customers to use two independent layers of encryption to protect stored information on End User Device (EUD) in a powered off or in an unauthenticated state. The solution is designed to adhere to the architecture and configuration requirements documented in the CSfC DAR Capability Package where Samsung Knox DualDAR mitigates against the risk to classified data from unauthenticated access when the device is powered off or unauthenticated. The Samsung Knox DualDAR solution will provide two separate layers for encryption and key generation. All data placed inside Workspace is dually encrypted by both layers.

  1. Outer Layer: The outer layer of the DualDAR solution is the built-in Android FBE (as enhanced by Samsung to meet MDFPP requirements). This layer is implemented through the Qualcomm Integrated Crypto Engine (ICE) as part of the SoC, dedicated to flash storage encryption. Data encryption at this layer is AES 256 XTS. File encryption keys are encrypted using AES-GCM 256. The Qualcomm ICE module is a FIPS 140-2 certified module.
  2. The inner layer of encryption is based on a framework that will allow an independent third party to install a separate cryptographic module. If no third party module is installed, the inner layer of encryption will be performed by a FIPS 140-2 certified cryptographic module included on the device by Samsung. For the Samsung included FIPS certified cryptographic module, data encryption at this layer we are targeting AES CBC 256 or AES XTS 256. For file encryption keys we are targeting encrypting using AES-GCM 256. It is expected that third party crypto modules would also be FIPS 140-2 validated, though this is up to the customer and vendor providing the library.

Dual DAR for Enterprise Mobility Management (EMM)

IT admin via their Enterprise Mobility Management (EMM) solution can enable DualDAR during provisioning for both deployment modes, Knox Workspace or Knox Workspace on Fully Managed Device. For the Knox Workspace on Fully Managed Device configuration the entire device is managed. As such the device is required to be factory reset prior to provisioning (unless the device is new). The enterprise first provisions a Device Owner (DO) with the EMM agent becoming the DO and the device under management. The enterprise then creates a Knox Workspace on the Fully Managed Device. As part of Knox Workspace creation the enterprise can enable DualDAR.

Dual DAR Second Layer of Encryption

Third party application developers can refer the Dual DAR Native developer guide to implement an independent second layer of encryption for work data.

Classes

DualDARClient This class is used by privileged application to invoke Dual DAR platform apis and receive platform callbacks. 
DualDARPolicy This class supports MDM(EMM) to create a workspace(container) protected with Dual DAR and provides APIs to access and set Dual DAR configurations. 
DualDARPolicy.DUAL_DAR_VERSION_CODES Enumeration of the currently known DUAL DAR version codes.