January 19, 2020

Samsung Knox File Encryption 1.0 - The first certified integrated Dual Data-at-Rest solution for mobile devices

Brian Wood

As more organizations look for data isolation capabilities, one of the key tools is encrypting data only until it is needed. This isn’t a new solution; it is the backbone of most security. The difference has always been in how easy (or hard) it is to deploy the encryption for the organization, and how hard it is to use once it has been deployed, especially on mobile devices. With Samsung Knox File Encryption, a Work Profile can have an independent layer of encryption, without the need to deploy additional components or change how users (or their applications) work.


What is Data-at-Rest?

Data-at-Rest (DAR) is simply encrypting data when it is stored. Samsung devices encrypt all user data by default, so when your mobile device is off, the data cannot be read (as plain text) until your password has been entered. DAR protection happens automatically, in the background, without the user needing to do anything different than to unlock the device.


So what is Dual Data-at-Rest?

So if DAR is encrypting all your files when they are written to storage, DualDAR is encrypting files twice, with two different keys. For example, encrypting an individual file (say by zipping the file and placing a password on it), on a device that already has all the files encrypted, is DualDAR. It provides additional protection on the protected file(s) when the system is running and the main DAR layer is unlocked.


If Dual Data-at-Rest is so great, why don’t we use it all the time?

As with any encryption solution, there are always 4 major questions:

  1. Do I have data to protect that needs the additional security?
  2. How hard is it to deploy?
  3. How hard will it be to use?
  4. What is the overhead of using the solution?

The first question is probably the most important. If you have data that should remain confidential most of the time, then it may be a high priority to add an encryption layer to that data. But this needs to be balanced with the rest of the questions. Many security solutions are difficult to deploy and maintain. Complicated deployments and a lot of administrator time means the solutions are unlikely to be used. Similarly, if the solution is hard for an end user, they will either try to ignore it (that is, not use it), or even actively work around it. Lastly, if the implementation slows down the system noticeably, or drains the battery faster, then users will come to the same conclusion that it is hard to use.

In most cases, while an organization may say the answer to the first question is that they should have the additional security on the data, the answers to deploying a solution to do so, in terms of additional overhead (both administrative and end user) are sufficient to mean the organization will not add the additional security.


The Samsung Knox File Encryption approach

The difference with Samsung Knox File Encryption is that the answers to the last three questions become:

  1. Easy
  2. Easy
  3. Not noticeable

This makes the answer to the first question more about the data security than it does about how to add the protection.

Samsung Knox File Encryption is a simple setting to be enabled in a Work Profile when it is deployed. The end user opens the Work Profile the same way they would normally, but all files inside the Work Profile are now automatically encrypted. For performance, Samsung has integrated with the hardware accelerated encryption engines already available on the device, so performance is fast and impacts on things like battery life are minimal.


What is the certification?

On December 9, 2019, the National Information Assurance Partnership (NIAP) certified Samsung Knox File Encryption 1.0 to the requirements in the PP-Module for File Encryption Version 1.0 and Protection Profile for Application Software Version 1.3. This certification means the Knox File Encryption components have been evaluated to meet US government requirements for functionality, including the encryption requirements for securing classified data.


Who would use this?

Samsung designed Knox File Encryption around the NSA requirements found in the Data-at-Rest Capability Package. While these requirements are specifically written for classified environments, Samsung focused on creating a simple solution that would be easy for anyone to use, not just the NSA. Any organization that has confidential data that may be stored on mobile devices should consider implementing our DualDAR encryption on their Work Profiles.


What next?

Browse the KPE White PaperWhitepaper Check the Knox Service Plugin Admin GuideAdmin Guide Review the Knox SDK Developer GuideDeveloper Guide Reach out to our Knox Partner Program