
DualDAR architecture


Dual Encryption allows enterprises to ensure their work data is secured with two layers of encryption, even when the device is powered off or in an unauthenticated state. With a single layer of encryption, a flaw in the implementation is a single point of failure. Two independent layers of protection reduce the possibility of enterprise work data being compromised, and the Knox Platform for Enterprise uses this redundancy to reach a higher level of assurance. DualDAR protects sensitive data with two layers of encryption that are independent of each other and that protect stored information while the device is powered off or unauthenticated.

The Samsung Knox DualDAR solution provides two separate layers of encryption, each with its own key generation. All data placed inside the Workspace is encrypted by both layers. The outer layer of the DualDAR solution is built on top of Android's File Based Encryption (FBE) and enhanced by Samsung to meet Mobile Device Fundamentals Protection Profile (MDFPP) requirements. The inner layer of encryption is based on a framework that allows an independent third party to install a separate cryptographic module. If no third-party module is installed, the inner layer is provided by a FIPS 140-2 certified cryptographic module included in the Samsung Knox framework.

Inside the Workspace, an app has two storage locations available: Credential Encrypted (CE) storage and Device Encrypted (DE) storage. Workspace storage is DualDAR protected and behaves as CE storage from an app's standpoint. The Knox framework prevents apps from writing data to any storage space that is not protected by DualDAR.

Architecture

Samsung Knox DualDAR builds on the Android File Based Encryption (FBE) architecture. On an FBE-enabled device, an app has two storage locations available:

  • Credential Encrypted (CE) storage: Default storage location and only available after a user has unlocked the device.
  • Device Encrypted (DE) storage: Storage location available both during Direct Boot mode and after the user has unlocked the device.

By default, on a Samsung FBE-enabled device running Android 9.0, all data is stored in CE storage. CE storage is protected by the user's credentials, so its data only becomes available after the user has authenticated to the device at start-up. Once the device is unlocked, CE storage is available as normal. Access to CE storage is revoked by evicting the CE key from memory; this happens on device reboot, on inactivity timeout, or when an IT admin explicitly evicts it.

DE storage is available at all times, even before user authentication. An application that is aware of encryption (a crypto-aware app) can choose to store data in either CE or DE storage. For example, a crypto-aware alarm app can store non-sensitive information such as date and time in DE storage so that the alarm rings even when the device is locked and the end user has not yet unlocked it. For more information on Android FBE, see Android's File-Based Encryption documentation.

Samsung Knox DualDAR Workspace container storage behaves as CE storage from an application standpoint. The Knox framework prevents applications from writing data to DE storage, which is not DualDAR protected. For use cases where an app is aware of both CE and DE storage and needs to write unclassified content to DE storage, the Knox framework allows IT admins to vet and whitelist that app so it has permission to write to DE storage. This ensures that no app writes sensitive or classified content to DE storage without IT admin approval.

Encryption layers

Outer layer

The outer layer of Samsung Knox DualDAR is built on Android FBE and enhanced by Samsung to meet MDFPP requirements. This layer is implemented in the SoC's dedicated flash-storage encryption hardware, which is the Qualcomm Integrated Crypto Engine (ICE) or the Exynos Flash Memory Protector (FMP) depending on the chipset. Data at this layer is encrypted with AES-256-XTS, and the file encryption keys are themselves wrapped with AES-256-GCM.

Inner layer

The inner layer of encryption is based on a framework that allows an independent third party to install a separate cryptographic module. If no third-party module is installed, the inner layer is performed by a FIPS 140-2 certified cryptographic module that Samsung includes on the device. With the Samsung-included module, data at this layer is encrypted with AES-256-XTS and the file encryption keys are wrapped with AES-256-GCM. Third-party crypto modules are expected to be FIPS 140-2 validated as well, though that is up to the customer and the vendor providing the library; a non-validated module in the inner layer weakens the assurance the second layer is meant to add.

Data Lock Concept

When the Workspace container is configured for DualDAR, app data inside the container is only accessible while the container is unlocked (that is, while the user is actively using it). When the container, or the device as a whole, is locked, the container encryption keys are evicted from memory. In the data lock state the Samsung device remains powered on, but the user is locked out of both the Workspace and the device. All sensitive data is held in Credential Encrypted (CE) storage within the Workspace, which is not available until the user provides both the device and the Workspace credentials. The device enters this state under two conditions:

  1. Device reboot: during a device reboot the CE keys are evicted and the Workspace and device are locked.
  2. Data lock timeout: the Samsung DualDAR solution allows admins to configure a data lock timeout. The timeout starts when the screen is locked; when it expires, the CE keys are evicted and the Workspace and device are locked. Between screen lock and expiry the keys remain in memory, so the timeout value sets how long a locked but powered-on device relies on the lock screen alone.

To regain access to CE storage and the sensitive/classified data in it, the end user must authenticate to both layers (device and Workspace).
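The key hierarchy described in the Architecture, Encryption layers and Data Lock sections above can be modelled in a few dozen lines. The following Python is an added example written for this page, not Samsung's or a third-party module's code. It assumes PBKDF2 as the credential-to-class-key derivation (the page does not say what the real layers use), a 512-byte XTS data unit, and the `cryptography` package for AES-256-XTS data encryption and AES-256-GCM key wrapping. The names `Layer`, `DualDarStore`, `outer_layer_only` and the credentials are illustrative.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DATA_UNIT = 512  # assumed XTS data-unit size; the unit index is the XTS tweak


def _xts(file_key: bytes, unit_no: int, data: bytes, encrypt: bool) -> bytes:
    """AES-256-XTS over one data unit; file_key is key1 || key2 (64 bytes)."""
    if len(data) < 16 or len(data) % 16 or len(data) > DATA_UNIT:
        raise ValueError("data unit must be 16..%d bytes, whole blocks" % DATA_UNIT)
    cipher = Cipher(algorithms.AES(file_key), modes.XTS(unit_no.to_bytes(16, "little")),
                    backend=default_backend())
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(data) + op.finalize()


class Layer:
    """A credential-derived class key wraps this layer's per-file key with
    AES-256-GCM; the unwrapped file key is in memory only while unlocked."""

    def __init__(self, name: str, credential: str):
        self.name, self.salt = name, os.urandom(16)
        self._file_key = os.urandom(64)  # two independent AES-256 keys for XTS
        nonce = os.urandom(12)
        self.wrapped_key = nonce + AESGCM(self._class_key(credential)).encrypt(
            nonce, self._file_key, name.encode())  # AAD binds the blob to this layer

    def _class_key(self, credential: str) -> bytes:
        # PBKDF2 stands in for whatever the real layer derives its class key from.
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), self.salt, 100_000, 32)

    @property
    def unlocked(self) -> bool:
        return self._file_key is not None

    def lock(self) -> None:
        self._file_key = None  # evict; only the GCM-wrapped copy remains

    def unlock(self, credential: str) -> None:
        nonce, blob = self.wrapped_key[:12], self.wrapped_key[12:]
        try:
            self._file_key = AESGCM(self._class_key(credential)).decrypt(
                nonce, blob, self.name.encode())
        except InvalidTag:
            raise PermissionError("%s: wrong credential, key stays wrapped" % self.name)

    def crypt(self, unit_no: int, data: bytes, encrypt: bool) -> bytes:
        if not self.unlocked:
            raise PermissionError("%s is locked: file key evicted" % self.name)
        return _xts(self._file_key, unit_no, data, encrypt)


class DualDarStore:
    """Workspace storage: inner layer first, then outer layer, on write; reversed on read."""

    def __init__(self, device_credential: str, workspace_credential: str):
        self.outer = Layer("outer-fbe", device_credential)
        self.inner = Layer("inner-knox", workspace_credential)
        self.units = {}  # unit_no -> doubly encrypted bytes

    def write(self, unit_no: int, plaintext: bytes) -> None:
        inner_ct = self.inner.crypt(unit_no, plaintext, encrypt=True)
        self.units[unit_no] = self.outer.crypt(unit_no, inner_ct, encrypt=True)

    def read(self, unit_no: int) -> bytes:
        inner_ct = self.outer.crypt(unit_no, self.units[unit_no], encrypt=False)
        return self.inner.crypt(unit_no, inner_ct, encrypt=False)

    def data_lock(self) -> None:
        self.outer.lock()  # reboot or data-lock timeout: both file keys evicted
        self.inner.lock()

    def unlock(self, device_credential: str, workspace_credential: str) -> None:
        self.outer.unlock(device_credential)  # a wrong credential leaves that layer locked
        self.inner.unlock(workspace_credential)


def outer_layer_only(store: DualDarStore, unit_no: int) -> bytes:
    """What defeating only the outer layer yields: the inner layer's ciphertext."""
    return store.outer.crypt(unit_no, store.units[unit_no], encrypt=False)


if __name__ == "__main__":
    store = DualDarStore("device-pin-2580", "workspace-passphrase")
    secret = b"CLASSIFIED: Q3 M&A target list, do not forward.".ljust(48)  # constructed
    store.write(0, secret)
    store.data_lock()
    try:
        store.read(0)
    except PermissionError as err:
        print("locked:", err)
    store.unlock("device-pin-2580", "workspace-passphrase")
    print(store.read(0) == secret, outer_layer_only(store, 0) != secret)  # True True
```

Two design points match the page's claims. Each layer has its own class key, salt and file key, and the GCM AAD ties a wrapped key to its layer, so compromising the outer layer (or its key-wrapping secret) only exposes the inner layer's ciphertext. Locking evicts the unwrapped keys rather than re-encrypting anything, which is why reboot and the data-lock timeout cost nothing at lock time but force both credentials on the next read.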

Supported Deployment Modes

The DualDAR solution is an add-on to the Knox Platform for Enterprise (KPE) and is available in the following configurations.

Knox Workspace

In this configuration, the enterprise enables an end user's personal device for work by creating a container (Workspace). All work data is secured inside the Workspace. An EMM agent acts as Profile Owner (PO) and manages only the container, with limited control of the device outside the Workspace. All data inside the Workspace is dually encrypted once DualDAR is enabled.

Knox Workspace on a fully managed device

In this configuration, the enterprise manages the entire device, including the Workspace container on it. There are two instances of the EMM agent: one runs as Device Owner (DO) and manages the entire device, the other runs as Profile Owner (PO) and manages the Workspace. All data inside the Workspace is dually encrypted once DualDAR is enabled.

Authentication

To access DualDAR-protected data, the end user must authenticate to the device and to the Workspace separately. Customers can enable DualDAR in either of the deployment modes described above, Knox Workspace or Knox Workspace on a fully managed device.

Both deployment modes require the end user to provide a first password to authenticate to the device and a second password to authenticate to the Knox Workspace. IT admins can set a separate password policy for each, enforcing their own complexity, length, history and other requirements at each layer. Both passwords are chosen by the user within the restrictions of the IT admin's password policy.

DualDAR Licensing

Samsung Knox DualDAR is offered as an add-on to Knox Platform for Enterprise (KPE). Customers that need DualDAR purchase a KPE-DualDAR license and receive the KPE-DualDAR features in addition to all KPE Premium features. Customers that don't need DualDAR can simply purchase a KPE license. Customers that have already deployed KPE and want to add DualDAR can ask their account team to add the DualDAR permission to their existing license, which avoids having to activate a new KPE-DualDAR license. For details on this process, follow the tutorial.

High-Level Provisioning Overview

Using their Enterprise Mobility Management (EMM) solution, IT admins can enable DualDAR during provisioning for either Knox Workspace or Knox Workspace on a fully managed device. The fully managed device configuration requires the device to be factory reset before provisioning (unless the device is new). The IT admin first provisions a DO with an EMM agent and then creates a Knox Workspace on the fully managed device; DualDAR can be enabled as part of Knox Workspace creation.

For the Knox Workspace configuration, the IT admin enables an end user's personal device for work by creating a container (Workspace) and can enable DualDAR as part of that creation. Once provisioned, all data inside the Workspace is DualDAR protected. DualDAR cannot be switched off in place: for the end user or IT admin to disable it, the device must be factory reset or the Workspace must be uninstalled/removed.
