It's security week at Talk Mobile and what better security topic than BlackBerry Balance? Most users know a bit about what Balance is and how it separates work and personal space on BlackBerry 10, but beyond that there are many who don't know much else.

For a little insight into what makes BlackBerry Balance tick, we tapped our own Sith_Apprentice to give us a breakdown of how it all works and just how secure your data is.

What is BlackBerry Balance?

According to BlackBerry, BlackBerry Balance is "designed to separate and secure work and personal information on BlackBerry devices so users can stay connected to the important people and things in their life. Whether users are using their own device or one provided to them, BlackBerry Balance technology helps give them peace of mind that their privacy is respected while their sensitive work information is protected."

BlackBerry Balance – A Brief History

Balance isn't a new feature and has actually been around for several years. It was first introduced with BlackBerry Enterprise Server 5.0.3 for devices running BB OS 6.0 MR2 or newer. At the time the options were very limited, providing only the most basic of rules (3 IT policy rules). The data was not segregated on the device, but was rather "tagged". There were no significant improvements with BB OS 7 or 7.1.

The major improvements to Balance arrived with the QNX-based OS in PlayBook 2.0. For the first time, data was completely segregated and no longer just "tagged" based on the domain. Any information that came through in the work space was automatically stored in the Work mode of the device and kept separate from anything personal.

From PlayBook OS 2 to BB10 there were no significant back-end changes, though obviously there have been a number of changes to the user experience. Balance is also now baked into every BB10 device, and all it requires is an activation on BES 10 or higher in order to access it.

Well, that's all fine and dandy, but why should I care?

Well, for the first time, you can truly have a separation of work and personal lives. Your personal data is isolated to ONLY the personal space (unless work data is allowed to access it, in which case it can be brought into the work side). You can also download and run any applications you want on the personal side without worrying about any sort of compromise to work data. You also get a single, unified view of all of your emails, contacts, tasks, and notes, without having to keep switching in and out of applications. You get this powerful security tool in the palm of your hand, without the unnecessary burden of "VISIBLE" security.

How BlackBerry 10 devices protect work data

BlackBerry 10 devices encrypt data stored in the work file system using XTS-AES-256.

A device randomly generates an encryption key to encrypt the contents of a file. The file encryption keys are protected by a hierarchical system of encryption keys as follows:

  • The device encrypts the file encryption key with the work domain key and stores the encrypted file encryption key as a metadata attribute of the file
  • The work domain key is a randomly generated key that is stored in the file system metadata and is encrypted using  the work master key
  • The work master key is also randomly generated. The work master key is stored in NVRAM on the device and is encrypted with the system master key
  • The system master key is stored in the replay protected memory block on the device
  • The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is manufactured.

The file encryption keys, the work domain key, the work master key, and the system master key are generated using the BlackBerry OS Cryptographic Kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS.

How BlackBerry 10 devices protect personal data

BlackBerry 10 devices allow the encryption of personal files on devices.

You can use the Personal Space Data Encryption IT policy rule to turn on encryption for the personal space of devices. If the Personal Space Data Encryption rule is set to Yes, files stored in the personal space of the device are encrypted. If this rule is set to No, users can choose to encrypt files in the personal space using the Device Encryption option in the Security and Privacy settings on the device.

If encryption is turned on for the personal space of the device, the device encrypts files stored in the personal file system using XTS-AES-256. A device randomly generates an encryption key to encrypt the contents of a file. The file encryption keys are protected by a hierarchical system of encryption keys, as follows:

  • The device encrypts the file encryption key with the personal domain key and stores the encrypted file encryption key as a metadata attribute of the file
  • The personal domain key is a randomly generated key that is stored in the file system metadata and is encrypted using the personal master key
  • The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key
  • The system master key is stored in the replay protected memory block on the device
  • The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is manufactured
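
The work and personal key hierarchies above are the same four-level chain rooted at one system master key. The following is an added example (not BlackBerry's code) that models that chain in Go so you can see why a file's metadata is useless without every layer above it, and why the personal domain key cannot unwrap a work file key. Assumptions: AES-256-GCM stands in for the unnamed key-wrapping mode, and NewKey stands in for the FIPS-certified kernel's RNG; XTS-AES-256 on the file contents is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// gcm builds AES-256-GCM for a 32-byte key. The page names XTS-AES-256 only for
// file contents, not key wrapping; GCM is an assumption so a wrong key fails cleanly.
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block cipher
	return g
}

// NewKey stands in for the FIPS-certified kernel's random key generation.
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// Build returns what rests on the device for one file in one space, outermost
// first: master key wrapped by the system master key root, domain key wrapped by
// the master key, file key wrapped by the domain key (file metadata), then contents.
func Build(root, contents []byte) [][]byte {
	layers := [][]byte{root, NewKey(), NewKey(), NewKey(), contents}
	var chain [][]byte
	for i := 1; i < len(layers); i++ {
		g := gcm(layers[i-1])
		nonce := make([]byte, g.NonceSize())
		rand.Read(nonce)
		chain = append(chain, g.Seal(nonce, nonce, layers[i], nil))
	}
	return chain
}

// Open walks a chain from root down to the contents. A wrong root, or a layer
// taken from the other space's hierarchy, fails at that step and below it.
func Open(root []byte, chain [][]byte) ([]byte, error) {
	cur := root
	for _, blob := range chain {
		g := gcm(cur)
		var err error
		if cur, err = g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil); err != nil {
			return nil, err
		}
	}
	return cur, nil
}
```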

If you set the Personal Space Data Encryption IT policy rule to Yes, you should also set the Apply Work Space Password to Full Device IT policy rule to Yes so that the work space password applies to the entire device. If you set the Personal Space Data Encryption IT policy rule to No and the user chooses to turn on encryption for the personal space, the device prompts the user to type a new password if the device does not already have a password.

Devices can also encrypt all files stored on media cards that are inserted in devices (only personal data can be saved to media cards). You can set the Media Card Encryption IT policy rule to Yes to require that a device automatically encrypt all files stored on media cards using a device key.

The file encryption keys, the personal domain key, the personal master key, and the system master key are generated using the BlackBerry OS Cryptographic Kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS.

Still want more? You can read more on BlackBerry security on BES 10 here.