SAMSUNG 1.5 File Encryption User Guide
- June 15, 2024
- Samsung
Copyright Notice
Copyright © 2019-2023 Samsung Electronics Co. Ltd. All rights reserved. Samsung is a registered trademark of Samsung Electronics Co. Ltd. All brand, product, service names and logos are trademarks and/or registered trademarks of their respective owners and are hereby recognized and acknowledged.
About this document
This document describes the enterprise guidance for the deployment of Samsung
devices in accordance with the Common Criteria-validated configuration. The
document is intended for mobile device administrators deploying Samsung
devices.
Document Identification
Document ID: Samsung File Encryption Admin Guidance v1.5
Document Title: Samsung File Encryption 1.5 Administrator Guide
Revision History
1 Introduction
1.1 Scope of Document
This document is intended as a guide for administrators deploying Samsung File
Encryption in the enterprise. The guidance provided here focuses on how to
configure devices to be in an approved configuration based on the PP-Module
for File Encryption 1.0 (and the Protection Profile for Application Software
Version 1.4) for the functionality specified here.
The document is evolutionary. It will cover all devices evaluated with a
common major version of the Knox File Encryption software.
1.1.1 End-User Guidance
This guidance document is focused on the deployment of Knox File Encryption. Guidance related to user functions on a device, such as managing Bluetooth connections or setting authentication credentials, is outside the scope of this documentation, as these functions are part of the device configuration on which Knox File Encryption relies. End-user guidance can be found both on the device (most functions are guided through the user interface with descriptions and help) and on the Samsung support website. Links to online guidance can be found in section 1.5 References.
1.2 Overview of Document
Samsung mobile devices and the software bundled with them are designed to maintain a secure mobile environment. Successfully deploying and maintaining such an environment requires coordination with multiple parties, including:
- Enterprise/Mobile Device Management (EDM/MDM) software
- Carriers
- Mobile Device Administrators
- Users
This document is designed for the Mobile Device Administrators, to provide guidance on how to configure and deploy Samsung Knox File Encryption within an enterprise environment. This includes information about API controls that can be used within the EDM/MDM software to achieve this configuration.
1.3 Terminology & Glossary
1.4 Evaluated Devices & Software
The Common Criteria evaluation was performed on a set of devices covering a range of processors.
The evaluation was performed on the following devices:
1.4.1 Application Version Details
The following table shows the Security software versions on devices supporting Knox File Encryption.
1.5 References
The following websites provide up to date information about Samsung device certifications.
https://docs.samsungknox.com/admin/knoxplatform-for-enterprise/kbas/common-criteriamode.htm
https://docs.samsungknox.com/dev/knoxsdk/index.htm
https://docs.samsungknox.com/devref/knoxsdk/reference/com/samsung/android/knox/ddar/package-summary.html
https://www.samsung.com/us/support/mobile/phones/galaxy-s
https://www.samsung.com/us/support/mobile/phones/galaxy-note
https://www.samsung.com/us/support/mobile/tablets/galaxy-tabs
https://docs.samsungknox.com/admin/knoxplatform-for-enterprise/dualdar-forwpc.htm?Highlight=dualdar
https://docs.samsungknox.com/admin/whitepaper/kpe/DualDAR.htm?Highlight=dualdar
https://www.niapccevs.org/Product/PCL.cfm?par303=Samsung%20Electronics%20Co%2E%2C%20Ltd%2E
https://www.niap-ccevs.org/Profile/PP.cfm
https://pages.nist.gov/800-63-3/sp800-63b.html
2 Samsung Knox File Encryption Deployment
2.1 Overview
Samsung Knox File Encryption is a software service designed to provide a
second layer of encryption to files stored on the device independent of the
default file encryption for the device. Depending on how Knox File Encryption
is enabled, it can encrypt all files on the device or only those contained
within the work profile.
The Knox File Encryption service runs in the background and utilizes the
Samsung Android cryptographic modules included in the platform to provide file
encryption services. The service is designed to run without any user
intervention and all files (as determined by the configuration) will be
encrypted automatically. It is an integrated component of the device image,
and is not a separately installed app.
Knox File Encryption supports defining the set of files to be encrypted in two
configurations: work profile or whole device. Note in the current evaluation,
all devices use the work profile. When configured for the work profile, all
files stored inside the work profile will be automatically encrypted. When
configured for the whole device, all user files will be automatically
encrypted (some Android and critical service files are not encrypted to allow
the device to work, but these files do not contain user data).
Knox File Encryption is designed as a framework which can be used for the Knox
work profile or the whole device. Through this service, all files (per the
configuration) that are read or written when Knox File Encryption is enabled
will be filtered and encrypted/decrypted automatically. The service does not
require the user or any apps to be aware of the service, only that Knox File
Encryption be enabled for the work profile or device. The service provides
the ability to fully clear and close all open apps after a defined timeout
period.
The Knox File Encryption service relies on the Android EDM APIs to provide
management.
The Knox File Encryption service is built on the Samsung Software Development
Kit (SDK). It is possible for a third party to utilize this SDK to integrate
into the File Encryption service to provide separate cryptographic modules
used to protect the files encrypted by the service. Installation and
management of these third party integrations are handled by the developer of
the add-on component.
2.2 Deployment
The deployment of Knox File Encryption is tied to the deployment of a device. When creating a Knox work profile, the administrator must select the DualDAR option to enable Knox File Encryption. When configuring the whole device, it must be enabled during the initial device configuration. Note in the current evaluation, all devices use the work profile. This is the only step necessary to activate Knox File Encryption on a supported Samsung device.
The specific details of the EDM solution and options are outside the scope of this document; the EDM guidance will provide specific information about configuring a Knox work profile.
Ideally, the deployed EDM solution should be evaluated to the requirements of the Protection Profile for Mobile Device Management (PP_MDM).
2.2.1 EDM Solution Selection
To manage Knox File Encryption, an EDM must be deployed. This EDM should
support the Samsung Knox APIs to enable the capabilities documented in this
guide.
Once Knox File Encryption has been enabled on a device by the EDM, the user
must follow any further steps (such as setting a password) to complete the
configuration.
Knox File Encryption Configuration
This section of the guide will list the configuration settings that are
reviewed as part of the Common Criteria evaluation.
2.3 File Encryption Settings
This section specifies the settings that must be configured to enable Knox File Encryption. This flag is set when the device management is configured. If the work profile will be created, then the Intent to create a managed profile must have this constant specified. If the device will be fully managed, then the Intent to set the device configuration must have this constant specified. In either case, this must be done during the initial configuration; it cannot be added later.
All settings here are based on the Class com.samsung.android.knox.ddar.DualDARPolicy.
Note: The configuration to enable File Encryption can only be set during the creation of the Knox work profile. Once a work profile has been created, the File Encryption setting is fixed (either on or off).
2.3.1 Optional Configuration Settings
In addition to the mandatory configuration to enable File Encryption, the administrator can also configure the following optional settings.
The optional configuration settings can be used to meet the deployment needs of the organization. These settings have been covered in the evaluation, but the specific settings of those items do not affect the evaluated configuration.
2.3.2 Whole Device Password Settings
In the whole device configuration (not used on any devices listed in 1.4), the File Encryption password settings use the device password settings, so the type of password and any restrictions on it will be matched for the File Encryption password. The administrator can configure a different minimum length for the File Encryption password.
In addition to setting a different minimum password length, the administrator may also set a reset token that can be used to reset the File Encryption password (with administrator assistance). By default, the password reset token is disabled and must be specifically set to be enabled.
2.4 End User Procedures
While the administrator can configure the software, the end user of the device will interact with the resulting configuration. Specific instructions about procedures for an end user can be found in the support links in section 1.5 References. There the user can specifically select their device and have tailored usage instructions. The user does not directly interact with the File Encryption service. The user interacts with the Knox work profile, which then automatically encrypts all data stored within the work profile boundary.
2.4.1 User Authentication
The user must configure a password for the Knox work profile. Detailed instructions for configuring these methods can be found under “Change unlock method” in the Knox work profile Guide.
2.4.1.1 Setting Passwords
Passwords are available for use to prevent unauthorized access to the work
profile, and hence the information protected by Knox File Encryption. A user
must always have a password set for authentication, and this password should
never be shared with anyone. Recommendations for setting strong passwords can
be found in NIST SP 800-63B, section 5.1.1, Memorized
Secrets.
3 Software Updates
3.1 Secure Updates
The Knox File Encryption software is bundled as part of the operating system
on Samsung devices. Updates to the software are bundled as part of the FOTA
updates that are provided by Samsung. Updates are provided for devices as
determined by Samsung and the carriers based on many factors.
When updates are made available, they are signed by Samsung with a private key
that is unique to the device/carrier combination (i.e. a Galaxy S20 on Verizon
will not have an update signed with the same key as a Galaxy S23 on AT&T). The
public key is embedded in the bootloader image, and is used to verify the
integrity and validity of the update package. This signature covers the
entirety of the update, including any updates for Knox File Encryption.
When updates are made available for a specific device (they are generally
rolled out in phases across a carrier network), the user will be prompted to
download and install the update (see the User Guide for more information about
checking for, downloading and installing the update). The update package is
checked automatically for integrity and validity by the software on the
device. If the check fails, the user is informed that there were errors in the
update and the update will not be installed.
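The verification behaviour described above, as an added Go example that is not Samsung's code. The page does not state the signature algorithm or package format, so Ed25519, the derived demo keys and all type and function names here are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrRejected is returned whenever a package must not be installed.
var ErrRejected = errors.New("update rejected: integrity/validity check failed")

// UpdatePackage is a constructed stand-in for a FOTA package with a detached signature.
type UpdatePackage struct {
	Payload   []byte // entire update, including the Knox File Encryption components
	Signature []byte
}

// demoKey derives a throwaway key pair from a label. Constructed test keys only.
func demoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignUpdate plays the vendor side: sign the whole payload with the
// private key for one device/carrier combination.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate plays the device side: check the package against the single
// public key embedded for this device/carrier, and fail closed on any mismatch.
func VerifyUpdate(embedded ed25519.PublicKey, p UpdatePackage) error {
	if len(embedded) != ed25519.PublicKeySize || !ed25519.Verify(embedded, p.Payload, p.Signature) {
		return ErrRejected
	}
	return nil
}

func main() {
	s20Pub, s20Priv := demoKey("Galaxy S20 / Verizon")
	s23Pub, _ := demoKey("Galaxy S23 / AT&T")
	pkg := SignUpdate(s20Priv, []byte("constructed update image"))
	fmt.Println("S20/Verizon device:", VerifyUpdate(s20Pub, pkg))
	fmt.Println("S23/AT&T device:   ", VerifyUpdate(s23Pub, pkg))
	pkg.Payload[0] ^= 0x01 // single flipped bit anywhere in the package
	fmt.Println("tampered package:  ", VerifyUpdate(s20Pub, pkg))
}
```

Only the first check returns no error; a package signed for another device/carrier key and a package altered after signing are both rejected before installation.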
The device management capabilities allow the administrator to control the
ability to install these updates. See the EDM guidance for the device for more
information about these capabilities.
3.2 Software Version
As the Knox File Encryption software is bundled with the Knox work profile as
part of the overall Android operating system, the version information can be
found in the Settings/About device/Software information page. Under Knox
version, it shows the DDAR version.
For the Common Criteria evaluation version information see section 1.4.1
Application Version Details.
4 Operational Security
4.1 Wiping File Encryption Data
Samsung Android devices provide administrators with the ability to wipe the
device or the work profile. These capabilities are not part of the Knox File
Encryption software but are built into the underlying platform.
An enterprise initiated remote wipe command (for either the device or just the
Knox work profile, depending on the configuration) occurs under the following
conditions:
- The enterprise sends a remote wipe command to the device:
  - when the device has been lost or stolen;
  - in response to a reported incident;
  - in an effort to resolve current mobile issues; and
  - for other procedural reasons such as when an Android device end user leaves the organization.
The administrator should refer to the EDM guidance for more information about how to specify the settings to wipe the work profile (or the entire device) according to the needs of the organization.
4.2 Additional Notes on Operational Security
Common Criteria Part 3 does require operational user guidance for the following:
- User-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
- Secure usage of available interfaces.
- Security parameters of interfaces and functions under the control of the user and their secure values.
- Each type of security-relevant event relative to the user-accessible functions.
Administrators and users are considered to use a Samsung Enterprise device. As
described in previous sections of this document, the administrator is
responsible for configuration and installation of the device. The end user
receives the device in an operational state where no further security
configuration is possible. The only user-accessible functions are 'lock screen password protection',
'change of password' and 'local device wipe'.
The user is responsible for obeying the provided user guidance and for not actively working against the protection of the device data.
The TOE Administrators are trusted to follow and apply all administrator guidance, including the EDM guidance in a trusted manner.