Even when your device is off, all your data is encrypted by default. The encryption key is stored in a secure area called TrustZone in the device chipset.
During boot-up, the Knox platform checks for authorized (unrooted) firmware and checks device software integrity.
At run-time, the kernel is continuously monitored and protected. If the kernel is compromised, security-sensitive apps are locked.