February 26, 2019

Knox Deep Dive: Knox DualDAR Encryption

Prarthna Srivathsan

The new Samsung smartphones—scheduled to reach consumers in early 2019—add support for File-based Encryption (FBE), which is a feature of the Android OS. Along with adding support for FBE, the Knox framework also adds a new feature called Knox DualDAR encryption. This blog post provides a high-level overview of Knox DualDAR encryption as well as links to other information about DualDAR.





The Samsung Knox Sensitive Data Protection (SDP) feature addresses the issue of protecting Data-At-Rest (DAR) on mobile devices. SDP decrypts data only after authentication, providing per-file and per-data decryption keys, offering per-app password checks, and meeting MDFPP requirements for US government and military use. Knox DualDAR secures all Workspace data on devices by adding two separate layers of encryption, further meeting the requirements of classified deployments.

In simple terms, the solution’s efficiency rests on the following two components:

  1. Data storage: The solution restricts apps from writing or saving data to the unencrypted space on the device.
  2. Data encryption: Knox DualDAR uses two layers of data encryption to secure all data saved to the encrypted space on the device. The solution provides two layers—inner and outer—of encryption and key generation. All data placed inside the Workspace is dually encrypted by both layers and needs separate authentication at both layers for access.

DualDAR is supported on all devices compatible with Android FBE and running Knox 3.3 or later. For more information on finding your Knox version, see the DualDAR Prerequisite section in the Knox Developer Guide.


Benefits of DualDAR

DualDAR encryption has the following significant advantages over traditional single-layer encryption methods:

  • Mitigate risks of implementation flaws – DualDAR reduces the likelihood of unauthorized data access with two layers of encryption since chances are very low that security vulnerabilities are present on both layers of encryption.
  • Mitigate risks of password configuration flaws – DualDAR uses two layers of encryption and two methods of authentication for each of the layers, and ensures that encrypted data remains protected even in the event of a breach on one layer.
  • Provide access using strict security evaluation criteria – Both the inner and outer layers of encryption in DualDAR use FIPS 140 certified cryptographic modules and target the use of file encryption keys using AES-GCM 256.
  • Ease of deployment – DualDAR leverages the in-built Android FBE framework and builds additional layers of security on top of this framework. DualDAR is available for all compatible devices, whether they use the DO, PO, or a combination of both models for deployment. For more information on configuring this solution for your supported device, see the DualDAR configuration section in the Knox SDK Developer guide.
  • Customize the second layer of encryption – DualDAR allows IT admins to use and configure any third-party cryptographic modules, including solutions that meet FIPS 140 certification criteria.
  • Flexible deployment methods – IT admins can implement and configure DualDAR on all kinds of devices, including BYOD and company-issued devices. Whether the devices use a PO or a DO deployment model, IT admins can use this superior data security solution on all devices within their enterprise.

For more information on DualDAR and its unique design, see the DualDAR topic in the Knox White Paper and the DualDAR topic in the KPE Developer Guide.


Next steps