How to Encrypt Data on your BlackBerry and its media card
These steps work for BlackBerry 8330m Curve devices running operating system v18.104.22.168. If you're using a different device and operating system, I'm hoping the instructions will be helpful anyway. Be sure to read the warnings below each set of instructions.
How to Encrypt Device Data:
1. Go into Options>Security Options>General Settings and set a password for your device. Set the number of wrong password attempts you will allow and your desired security timeout. Choose whether or not the handheld should lock upon holstering and whether or not to allow outgoing calls while the device is locked. From the BlackBerry Knowledge Base: "BlackBerry smartphones support individual security passwords between 4 and 14 characters in length. BlackBerry® Device software 4.6 to 6.0 support individual security passwords between 4 and 32 characters in length."
2. Set "Content Protection" to "Enabled."
3. Choose the "Strength" of the content protection. "Strong" is the default setting. The other choices are "Stronger" and "Strongest." The BlackBerry uses the Advanced Encryption Standard. For the encryption to work best, if you choose "Stronger," your password should be 12 characters; if you choose "Strongest," your password should be 21 characters. (Citation, page 8.) (See step one above for the limitations of your device and its software.)
4. Choose whether or not to "Include Address Book." If you include your address book, your contacts will also be encrypted.
When you include the address book in Content Protection, even if you allow outgoing calls while the device is locked, your address book won't be available when you go to make a call (if the phone is locked). When you receive calls, the caller ID will only display the incoming caller's phone number, not his name or picture. Furthermore, if you like to use custom contact alerts and ringtones and notification profile exceptions, they won't work when the device is locked. Why? Because the BlackBerry will not be able to decrypt contact information when the device is locked. The phone will simply ring under whatever default notification profile is in use at the time.
How to Encrypt Media Card Data:
1. Go to Options>Media Card and make sure "Media Card Support" is set to "On."
2. Set "Encryption Mode" to "Security Password." This is VERY IMPORTANT! An explanation follows in the WARNING(s) below.
3. Set "Encrypt Media Files" to "Yes."
4. Make sure "Mass Storage Mode" is set to "Off."
If, in Step 2, you choose a setting other than "Security Password," you will not be able to view your encrypted media card files in any other device. DO NOT USE "Device" or "Security Password & Device" if you want to view your encrypted media card files in a different BlackBerry device.
If you choose "Security Password" (as I have suggested), and you insert your media card into a different BlackBerry device, the device will prompt you for your media card password (which will be the same password as the one you used on the device with which you performed the above steps), and you'll be able to view your encrypted media files in the different (or new) device. The device will also ask you whether or not you want to change the media card's password to match the new (or different) device's password.
Remember your password! Here's why: if you have more than one media card, and you take this one out, forget about it while using a different card, and end up changing your password on your device in the meantime, your device won't recognize your card. It will be as if you put the card in a different device when you go to use it again; the device will prompt you for the password you used on the card. It will also ask you whether or not you want to change the media card's password to match the device's current password.
I have two cards. Whenever I change my device's password, I make sure to put my backup card back in my device (after changing the device password) while the old password is still fresh in my mind. I then follow the prompt and change the backup card's password to my current in-use password before putting my other every-day card back in. The only reason I wouldn't change my media card password to match the in-use device's password would be if I was using my card in someone else's device.
You must use a capable version of Desktop Manager software to transfer encrypted media card files between your media card and pc. The current version of Desktop Manager Software (available on June 12, 2011) has the capability. It will decrypt files you transfer to your pc, and it will encrypt files you transfer to your device (so long as your media card settings are set so that media card encryption is on, and mass storage mode is off). Do not try use mass storage mode to transfer encrypted media card files between pc and device. I have a mix of encrypted and unencrypted pictures on my media card; wallpapers and general stuff are unencrypted for faster, Mass Storage Mode transfer between pc and device, while pictures of friends and loved ones are encrypted.
In my experience, VIDEOS made while Options>Media Card>Encrypt Media Files is set to "Yes" will not work, even in the device you used to make the video! I believe this is a bug. If you encrypt your media card, you'll have to remember to change this setting to "No" when making a video and remember to change it back to "Yes" when you're done making the video. I don't make a lot of videos, but this is what I do when the need to make a video arises.
Last edited by Tõnis; 06-12-2011 at 03:54 PM.
I learned today that the latest version of Desktop Manager is now capable of transferring encrypted media files between device and pc. I tried it, and it works great! I'll amend the above instructions to reflect that.
Posted from my CrackBerry at wapforums.crackberry.com
Today I learned that,
"BlackBerry smartphones support individual security passwords between 4 and 14 characters in length. BlackBerry® Device software 4.6 to 6.0 support individual security passwords between 4 and 32 characters in length."
Source: BlackBerry Knowledge Base
I'll incorporate this info into the instructions above.
Last edited by Tõnis; 06-12-2011 at 03:13 PM.
- CrackBerry Abuser
08-12-2011, 10:39 AM #4
- 169 Posts
Best way to encrypt data (files) for security. Appreciate any input!
What is the best way to encrypt contents of the Media card for the phone.
What if i use the options in OS6. There is a Two-factor Protection?
Can i put the strongest encryption for Contacts, Media Files and Media Card. And be assured if it gets lost. No one can pull my data from my microsd card? Appreciate any feedback!
I am hoping if i have a copy of that data in my computer (copied from blackberry) I will be set.
Incase the phone gets lost or stolen. appreciate any feedback!!
It's my understanding that no one can decrypt properly encrypted media card files without the password. Using two-factor protection would add an additional layer of security: you would need a smart card in addition to the password to decrypt the files, but I have no experience at all with this feature.
Also, when you're using the latest version of Desktop Manager to make your backups, the program gives you the option to encrypt the backup file you make. This is terrific, because you can set a password for each backup file you save to the pc.
I haven't because I've always used it, but I've heard people saying this before, so it could very well be possible. Where I think I noticed a slight decrease in battery life (on my 9650) was when I made my password substantially longer (from 21-30 characters) and decreased the security timeout from one hour to one minute. I'm not sure if it was the password length or the fact that the device was locking and I was unlocking it more often, but it seemed to go through the battery faster during the day. I went back to the 21 character password, and battery life is back to what I was accustomed to, so that seems to indicate that it was the password length, not the security timeout. I still play around with the length of time on the security timer alternating between one hour, five minutes, and one minute depending on my needs (or my mood, lol) at the moment.
Last edited by Tõnis; 06-12-2012 at 07:17 AM.
- 06-13-2012, 11:50 AM #10
Is there anyway to enable the media card encryption without having hte device password lock the device otherwise? (I use and prefer pattern lock to lock my phone rather than the device lock---enabling the encryption of my media card forces me to lock the phone as well, without a work around).
"To encrypt data on your BlackBerry® device, you must have set a password for your device."
I'm not about to turn my password off, but you could try it. In Options>Security>Encryption, check only the settings in the Media Card part. For the mode, choose "Device Key," and see if it will work. Let us know.
- 06-18-2012, 03:43 AM #12
Nice tip. Thanks Tõnis.
I have a problem.
I had encrypted both the device data and the media card data for a while. A few days ago I tried to turn them off, but the media card data encryption still works now (even if I set it off).
I have a Storm 2 running os v22.214.171.1247, I go into Options > Security Options > Encryption and choose both in Device Memory and Media Card the option "Disable".
The problem is that the encryption of the media card still works (even if I set it off) generally on two occasions: when I reboot the handheld, when I remote the memory card and put it back.
Thanks for any advice.
Last edited by BB M.D.; 06-18-2012 at 12:31 PM.LET'S MAKE CANCER MORE TREATABLE.
SUPPORT CANCER RESEARCH.
Nick, are you saying that after you disable encryption, the settings come back on after you reboot or reinsert the media card? Or are you saying that the files that were encrypted before are still encrypted? If it's the latter, I would say that's normal. Any existing files that are encrypted need to be moved, either on the BlackBerry itself, or from the BlackBerry to the pc using Desktop Software (and I recommend version 6 if it will work with your model BlackBerry). I would first use the "Files" feature of the Desktop Software program to drag and drop all the encrypted pictures from your BlackBerry to a folder on your pc. Then I would unplug your BlackBerry, shut off its encryption, plug your BlackBerry back in, and then choose the USB option. (On operating systems before BlackBerry 6, the USB option is called Mass Storage Mode, and it's one of the device settings. IIRC, it's in the media card settings.) Once you enable Mass Storage Mode (or choose USB mode on BLACKBERRY 6 devices), you can drag and drop the ordinary jpg's back to the BlackBerry (not with Desktop Software, but by using your BlackBerry as a USB drive). The other option would be to take the card out (after you have successfully transferred the files to your pc and disabled encryption) and put the card right in the card reader on your computer and transfer them back that way. Once the encrypted files have been successfully transferred to your pc, and you've disabled encryption, you should be able to transfer them back to the Blackberry/Card, and they should remain unencrypted. Let me know if I misunderstood.
- 06-19-2012, 04:06 AM #14
First of all, thank you so much, Tõnis, for your answer. And I'm really sorry to express myself in a very poor English.
I let you know if my long journey to the solution arrives at its destination.
Thanks again for giving me your valuable advice.
Last edited by BB M.D.; 06-19-2012 at 04:33 PM.LET'S MAKE CANCER MORE TREATABLE.
SUPPORT CANCER RESEARCH.
That message you're seeing is the message you will see if you have encrypted some media card files using the Security Password mode and you've put your media card in a different BlackBerry or shut off encryption. This is good, a lucky break. The reason I say it's good is that you had a one-in-three chance of selecting a media card encryption mode that will allow you to view encrypted media card files in a different BlackBerry, after a security wipe, and maybe under certain other conditions. It's possible that if one of the other two choices had been selected when the files were encrypted they'd be forever lost at this point.
The message you're seeing shows up when you put your (Security Password) encrypted media card in a different BlackBerry. Now that you've turned off encryption, the media card "thinks" it has been in inserted in a different BlackBerry and/or your BlackBerry doesn't recognize your card as its own. Enter the password when prompted to and, very carefully, using the Files feature of Desktop Software 6, drag and drop all your encrypted files to a folder on your PC. Make sure they're there and that you can actually see them! Then, you might want to format your card in your BlackBerry. After you've done that, make sure Mass Storage Mode is enabled, plug your blackbery into your pc (or put your card directly in your pc's card reader), and drag and drop all your files back onto your card. This should work for you.
- 06-21-2012, 04:34 PM #16
Thanks Tõnis for your answer.
The way to solve the problem you suggest me is surely right, but I figure it out in another, probably more simple, way (that works for me, I do not know if it could work for other people having the same problem).
I just put the memory card into my pc's (it is actually a mac) card reader, copy all the contents of the memory card into a new folder on the desktop, eliminate all the memory card's files, re-copy all the files into the mc... and it works! It is a method very similar to yours, but, in my opinion, a little bit easier (probably more risky).
Anyway thanks again for your help.
Last edited by BB M.D.; 06-24-2012 at 06:36 AM.LET'S MAKE CANCER MORE TREATABLE.
SUPPORT CANCER RESEARCH.
I haven't updated this topic for a while. In light of new information, and on BlackBerry 6 and OS 7, here's what you need to do to secure your BlackBerry.
1. Check the box to enable and choose a password.
2. Choose the number of incorrect password attempts (10 max) before your Blackberry will perform a security wipe.
3. Set the security timeout. Various increments are available up to one hour.
4. Check "Prompt on Application Install." This will require that you enter your password when you or someone else downloads/installs an application.
5. Choose whether to allow outgoing calls while locked. (The pros and cons are discussed in this topic above.)
6. Choose whether or not you want the device to lock when you put it in its holster.
(Device Memory portion)
1. Check the box to encrypt the device memory.
2. Choose the Strength, based upon the password length you will use. If you choose "Stronger," use a password that's at least 12 characters long. If you choose "Strongest," choose a password that's at least 21 characters long. A long password doesn't have to be hard to remember. For example, "To be or not to be, THAT is the question!" is 41 characters long (with the spaces) and contains lower case, upper case, and punctuation. But dont use that one; your BlackBerry only supports passwords up to 32 characters long!
3. Choose whether or not to encrypt contacts. (The pros and cons are discussed in this topic above.)
4. Check the box to include media files.
(Media Card portion)
5. Check the box to encrypt the media card.
6. Choose the mode. If you choose "Device Password," you will be able to view your encrypted media card files in a different BlackBerry (the different BlackBerry will prompt you for the password you used when you encrypted the media card), but your BlackBerry will become vulnerable to a software crack that's commercially available. So, use "Device Password & Device Key" and it will be safe. Just here's the catch: if you use "Device Password & Device Key" make sure your media card files are backed up properly somewhere (like on your pc). If your BlackBerry dies, or if you or someone else wipes your phone, those files will be lost forever, because the device key that was in use in conjunction with the device password will be gone.
7. Check the box to include media files.
That's it. Do these things, and you're BlackBerry and its media card files will be encrypted and secure. Remember this: when backing up your encrypted media card files to your pc, you must use the Files feature of Desktop Software (latest version 7 works). You can't just drag and drop them using the card in a card reader or by plugging your BlackBerry in and choosing "USB." They will not transfer properly or otherwise work if you don't use Desktop Software. You can have a combination of encrypted and unencrypted files on your media card. Remember it this way: use DTS to transfer encrypted media card files back and forth between your BlackBerry and your pc; use the USB (mass storage mode) method only to transfer unencrypted files, the ones you don't care about encrypting.
Last edited by Tõnis; 06-23-2012 at 04:20 PM.
- CrackBerry Newbie
11-24-2012, 05:22 PM #18
- 2 Posts
Add on to this great post of Tõnis
First of all, thnx to Tõnis for sharing all this info.
So i'd like to add some of my findings on the subject.
If one enables to Encrypt Device Data with a Password, then most of the Users Data are Encrypted, but not all.
As i found out, if one is using his BB without encryption for a period of time, and then enables the Password Encryption of the Device, then some of the data previously saved in his Device memory (the internal storage and not the media card) *1, are not encrypted.
Let me be clear, I started as a Newbie with BB world since summer, first with a Bold 9000 OS 4.5 & 5.0 just to check how things were working, and now with a 9810 OS 7.0 & 7.1.
My change of mobile platforms from android was based on the fact, or should i say assumption, of BB's unsurpassed security, both in the device itself, and the net communication over the air.
So after getting familiar with new OS and Software, i finally made the transition, and after installing and setting up all the non BB software (Instant Messengers, utilities, email clients etc), i finally went to lock my device with a password, not having a Media card yet inserted, because at that point i wanted to know where my data is saved, and thous leave only the OS one option to do that which is to the phone memory.
After the padlock sign changed to locked from unlocked sign, (some quite a long time later), i assumed that all data was encrypted and rested assured.
Days later when i decided to check some files through Desktop Software, i found out that some of the files had the padlock sign, while some hadn't.
To make the long story short i finally discovered the following:
Data previously saved (before encryption occurred) by some BB & non BB applications were not encrypted.
Some BB cache files (Internet/browser cache , AppWorld data (cache or logins, i'm not sure), settings also were not encrypted.
Some media files (previously saved) were not encrypted.
Call Blockers settings (including Contact name with number)
Also some of the following files:
BB Camera photos & Videos (Taken Older Than Encryption Date)
WhatsApp (some files)
logicmail (Older Than Encryption Date)
to name some of the files but not all.
The above were tested on two 9810 with both 7.0 & 7.1 OS.
Because at the time i was both baffled and in a hurry, i didn't save a snapshot of the files, so that's why my description is a little generic and not exact.
But based on the fact that the above occurred on both 9810 devices leaves no doubt about the fact that encrypting the device DOESNT Encrypt all the data in Built In Storage.
So based on these findings, i devised a method to overcome this problem, it's a CRUDE solution, i have to admit, similarly to Tõnis description above, but since the BB software doesnt work as expected, thats the only one i can think of.
1. After Encryption of the device (following Tõnis description above), Make sure "Mass Storage Mode" is set to "ON."
This is a temporary setting, we will turn it off after all that has to be done is done.
2. Connect with a USB cable to a computer.
3. Copy all the data from your BB (that you can be copied) to your PC with MS explorer or whatever u use, using the Mass Storage option.
Make sure you keep the directory structure as in BB built in memory.
Make sure all the data is copied.
3. Still connected, clean erase the files u can, using an appropriate program (Eraser etc)
4. Them Erase all unused space of the internal flash memory, using the same software.
5. Set "Mass Storage Mode" is to "OFF"
6. Connect with BB Desktop Software.
Transfer all files previously copied to the PC, to their respective folders.
You now would be able to see the Locked Padlock sign beside every and each file in your BB.
7. From now on, (assuming no settings changed), each time you transfer data, it should be encrypted.
*1 - At that point i hadn't installed a Smart Card, so i don't know what would happen then, my guess is that again certain files would be encrypted while others not.
as of what are these files that wold be encrypted and who won't, there is no info anywhere i've looked for.
I've searched about that topic and couldn't find some info from official sources as of what kind of files would be encrypted in a case like this.
So since there's no such info, one has to do a manual and thorough search in case some of his files are not encrypted (they would not show the "Padlock" sign.
My guess (again) is that BB's official software data would be encrypted, while some of the other software data wouldn't.
*2 - Make a note here that when a file changes, a new version of this file is saved, then the old file is deleted. But although deleted its recoverable with an undelete utility.
Saying this, one can understand that a file could have many instances somewhere in the Device Memory depending on how many times this file change, even a bit of the file.
Now where the OS is going to save it (physically) is not certain, but in general if one deploys an undelete/recover utility, the software comes with surprisingly lots of files, even files deleted.
So if one decides to lock his BB after using it for some time, without following the above steps i described, data will be kept in his built in memory. Which and how is not certain, but since he
used it, certainly there would be.
Now the other point of interest is that BB software, when one encrypts his device, should do a wipe/erase of empty space to make sure no old instances of the files exist, even if they require a a
special but common, easy, and even free software to be restored.
This is not clear, as this is not mentioned anywhere i've searched.
And having in mind the very poor way encryption is implemented, it's very possible that empty space is not wiped.
So here is the $1 million question: when someone wipes his BB, IS the empty space erased? because it's not clear if empty space is wiped, (no message, and no specific mention of that
anywhere). Which, when i have some time i'll check my self.
-Make a note here that when i wiped my Bold 9000 and set it to factory default, after installation of newer OS v5.0 and software, magically, the Browser had the ex owners user names and
passwords from sites, in memory, plus, it kept his 4 email addresses with their passwords (obviously, he had his BB set that way, to remember his passwords). And in a conversation i had with
him, i doubled checked that, they really were his (his company name actually was in the one email address, and his name to an other).
Checking with him, he told me that he had his BB wiped also.
So thats a major security breach also, and adds to my well established, by now, notion, that mobile devices such as pones, organizers, tablets, and other devices, that keep data or settings in
an internal, non removable storage memory, which at any time were used for entering into email acc. or bank acc or saved in them any other personal info, the device should never end up in an
other person, as this could lead to a major identity theft or even lock out the previous owner from all his digital life.
This is very important to understand as this is not like selling your old Nokia, which might have kept some contacts, or SMS in it, as this could not lead in a ID theft and most likely one could not
even find out (even with the contacts and SMS in it) who's that phone previous owner.
Especially in the case the phone ends up in an other country.
Now to our BB case, even if the phone ends up in a remote country of the world, having the user name and password of even one of your accounts, most likely is enough to identify you, and from
then on to start a chain of events to unfoil all your digital, personal or business life.
I have to mention here that the way a desktop or even a notebook keeps its data and settings, meaning to a Hard Disk Drive which one can erase with ease or even replace with a new one,
is safe by means of one has to rely only on the credibility of the software used to Wipe the HDD. But u dont have to run check on the manufacturer settings or way of storing data.
My comment on that, is that BB's software behavior and the messages the user is confronted with, are totally unacceptable and totally misleading.
Because when someone goes to the length of Securing his device with a Password, having to deal with daily, if not hourly (in my case), inputs of it, adding time to the already lengthy backups, and adding stress to his life in order to be safe, then encrypting only part of the data is totally crap. At least there could be a message as of what has been encrypted and what was not, so at least the user wouldn't be rest assured, while his data (at least some of them) are unprotected.
From my point of view, BB should have the info of "Best Practices Encrypting your Device", describing the steps to follow, and when to, somewhere available for the customers, like Microsoft and so many other companies have done, not to mention Tõnis, and other Crackberry users contributing to this.
OS v7.0 & v7.1
BB Desktop Software v7.0 & v7.1
- CrackBerry Master
06-08-2013, 01:13 AM #19
- 1,245 Posts
BB10 MicroSD new file discovered
Thank you for such an exhaustive detailed record on BB device encryption.
I figured to update this post vs starting a new one since a quick google search seems to show its directly related.
Anyone with a BB10 device, specifically with BB Protect enabled on their BB ID - and NOT on BES in anyway shape or form ever noticed that their MicroSD card seems to be randomly inaccessible? Removing mine from the Z10 and into a SDCard reader onto my OSX 10.8 workstation I've found a new file present and I'm unaware of its source.
Encryption of data on a microSD media card.
File name: system_crypt_file
Date: (today's date)
Size: 512 bytes (4 KB on disk)
Created & Modified: Today 6:07 AM
^ oddly enough I've just removed all my files, I've deleted all entries (externally on OSX), reformatted the MicroSD (SanDisk Ultra 64GB) and yet this file is STILL present - newly created of course - with the same information above.Weapon Of Choice = BlackBerry: Z10
Amunition = BB10 Full Metal Jacket, the Mobile OS piercing violator!
- CrackBerry Newbie
06-14-2013, 04:21 PM #20
- 2 Posts
in regards to the "system_crypt_file" this is a file used by Blackberry for the Encryption/Decryption of Device Memory Card files, as Blackberry in the above link Supa_Fly1 posted, clearly states.
This is a way Blackberry devised to utilize the encryption of the Media Card.
But BE Warned because this file is a possible "Trojan Horse" to your Blackberry Data on the card, and possibly your Blackberry Phone itself.
As Elcomsost clearly states in its Elcomsoft Phone Password Breaker software description page at:
Recover passwords protecting iPhone/iPod and BlackBerry backups
"The recovery of BlackBerry password is possible if the user-selectable Device Password security option is enabled to encrypt media card data. By analyzing information stored on encrypted media cards, Elcomsoft Phone Password Breaker can try millions password combinations per second, recovering a fairly long 7-character password in a matter of hours. With the ability to recover the device password, ElcomSoft does what's been long considered impossible, once again making Elcomsoft Phone Password Breaker the world's first."
Now what the above info doesnt say, is, what exactly files the Elcomsoft software analyzes, and in other pages with info related to that software, things come clear and the only file Elcomsoft needs for Cracking the password, is the above file, system_crypt_file.
If that file is not available, or the media card is not encrypted, then a Blackberry phone, with an adequate length password over 10 digits including lower/uppercase/signs is pretty much un-crackable since no software is publicly available for this purpose. No one even claims to have any success percentage, even a low one with Blackberrys. And elcomsoft, which is one (if not the only) of the leaders in Password Breaking, clearly states that if "Memory Card Encryption is not Enabled, then password cracking is not possible"
So in essence, having the convenience of using Encryption in Memory Cards, and the ability also to exchange it with other Blackberry Devices, compromises the whole Phone security.
So since you are now informed of the whole picture, or rather quite a lot of it ;-), since security matters are dynamic and change by the day, you can now decide weather you use it or not.