The "SmartDocs" bar can customize this page to show only the features present on a particular Zebra device.
OSX, MX and Android version information for a device can be found in the Android Settings panel or by querying the device through ADB, EMDK or the MX CSP. More info.
The Encrypt Manager (EncryptMgr) allows apps to manage the Key Storage Database, activate or deactivate Full Storage Card Encryption, and create or delete Encrypted File Systems (EFSes). To configure encryption, certain questions must be answered:
Zebra Android devices support encrypting data that is stored in the device file system using two modes of operation:
Different kinds of devices can respond differently when "Full Storage Card Encryption Mode" is turned on, such as:
Note: If "Full Storage Card Encryption Mode" is turned on while a removable Storage Card is in the slot, the removable Storage Card will be encrypted. It will remain encrypted after being removed from the device and will mountable only in the device that originally encrypted it, provided its key is present.
Note: Changing a Storage Card from unencrypted to encrypted or encrypted to unencrypted requires reformatting the card, which erases all data on the card. If there is data that must be preserved, it must be copied to another location before activating or deactivating encryption and copied back after the card is reformatted.
Note: While the BSF for an EFS can be stored on a Storage Card that is removable, it cannot be stored on a Storage Card that is encrypted using Full Storage Card Encryption Mode. If an attempt is made to create an EFS, whose BSF is on a Storage Card that is encrypted using Full Storage Card Encryption, then an error will be returned in the Result XML.
Zebra Android devices have a Key Storage Database of named encryption keys. Each Named Key has an associated Key Value that can be used to encrypt a Full Storage Card and/or to encrypt any number of EFSes. When activating Full Storage Card Encryption or creating an EFS, a Named Key must be specified and must exist in the Key Storage Database. If a Named Key is removed from the Key Storage Database, Full Storage Card Encryption and/or EFSes that are encrypted using that Named Key will become inaccessible. Adding the Named Key (with the same Key Value) will restore accessibility.
Used to choose whether to Add a Named Key to the Key Storage Database on the device. Adding a Named Key to the Key Storage Database on the device makes a key available for use when activating Full Storage Card Encryption or when creating EFSes.
Notes:
Parm Name: InstallKeyAction
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Do Nothing | This value (or the absence of this parm from the XML) will cause no change to the Key Storage Database. |
OSX: 1.0+ MX: 4.3+ |
||
1 | Install Key | Adds the Named Key and its associated Key Value to the Key Storage Database. |
OSX: 1.0+ MX: 4.3+ |
Used to enter the name of the Named Key that will be added to the Key Storage Database.
Note: If an attempt is made to add a Named Key that is already in the Key Storage Database, then an error will be returned in the Result XML.
Parm value input rules:
Shown if: The Install Key action is "Install key"
Parm Name: InstallKeyName
Requires:
- OSX: 1.0+
- MX: 4.3+
Used to enter the Key Value to be associated with a Named Key being added to the Key Storage Database. Entering an empty (length of zero) value (or the absence of this parm from the XML) will cause a random key value to be automatically generated and used on the device. Read important notes below regarding random key generation.
Important: Random, machine-generated keys are generally considered the most secure. Such keys are virtually impossible to guess because of their length, and cannot be accidentally revealed because they are never known to the user. However, if a random key is lost, data encrypted using that key is also lost. Persistent data could be rendered irretrievable on a device following an Enterprise Reset or other erasure event if the only copy of the encryption key is erased during that event. The Install Key Value parameter accepts 256-bit AES encryption values generated using any desired mechanism. Once generated, Key Values should be managed and preserved carefully.
Zebra recommends that the persistence of encryption keys match that of the device data.
Parm value input rules:
Shown if: The Install Key action is "Install key"
Parm Name: InstallKeyValue
Requires:
- OSX: 1.0+
- MX: 4.3+
Used to choose whether to Remove a Named Key from the Key Storage Database.
Note: If an attempt is made to Remove a Named Key that is not currently in the Key Storage Database, an error will be returned in the Result XML.
Removing a Named Key from the Key Storage Database prevents that key from subsequently being used when activating Full Storage Card Encryption or when creating EFSes.
Note: When a Named Key is successfully Removed from the Key Storage Database, any Storage Card or Encrypted File Systems that were encrypted using that key and that were mounted will be un-mounted and become inaccessible.
Parm Name: RevokeKeyAction
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Do Nothing | This value (or the absence of this parm from the XML) will cause no change to the Key Storage Database. |
OSX: 1.0+ MX: 4.3+ |
||
1 | Revoke Key | Removes an Encryption Key from the Key Storage Database. |
OSX: 1.0+ MX: 4.3+ |
Used to enter the name(s) of the Named Key(s) to be Removed from the Key Storage Database.
Parm value input rules:
Shown if: The Revoke Key action is "Revoke key"
Parm Name: RevokeKeyName
Requires:
- OSX: 1.0+
- MX: 4.3+
Used to choose whether to create an Encrypted File System on the device.
Note: The process of Creating an Encrypted File System (EFS) takes time since it must create the Backing Storage File (BSF) and mount the EFS on its designated Mount Point. As a result, applications will not be able to access an EFS via its Mount Point until it is successfully mounted. Further, an EFS could later be un-mounted if the Key Name it is using is Removed from the Key Storage Database. Applications that use an EFS should thus include error handling logic that can deal with situations where the EFS is not mounted and cannot be accessed.
An attempt to Create an Encrypted File System creation may fail for various reasons, including:
Status: This feature is not supported on devices running Android 5.1 or later.
Parm Name: CreateEFSAction
Used to enter the name of the Encrypted File System to be Created.
Parm value input rules:
Status: This feature is not supported on devices running Android 5.1 or later.
Shown if: The Create EFS action is "Create EFS"
Parm Name: EFSName
Requires:
- OSX: 1.0+
- MX: 4.3+
Used to enter the Named Key to use when creating the Encrypted File System.
Parm value input rules:
Status: This feature is not supported on devices running Android 5.1 or later.
Shown if: The Create EFS action is "Create EFS"
Parm Name: EFSKeyName
Requires:
- OSX: 1.0+
- MX: 4.3+
Used to enter the storage location where the Backing Storage File should be stored for the Encrypted File System to be created.
Status: This feature is not supported on devices running Android 5.1 or later.
Shown if: The Create EFS action is "Create EFS"
Parm Name: EFSLocation
Used to enter the Mount Path to be used for the Encrypted File System to be Created.
Parm value input rules:
Status: This feature is not supported on devices running Android 5.1 or later.
Shown if: The Create EFS action is "Create EFS"
Parm Name: MountPath
Requires:
- OSX: 1.0+
- MX: 4.3+
Used to enter the size of the Backing Storage File (in MB) for the Encrypted File System to be created.
Parm value input rules:
Status: This feature is not supported on devices running Android 5.1 or later.
Shown if: The Create EFS action is "Create EFS"
Parm Name: VolumeSize
Requires:
- OSX: 1.3+
- MX: 4.3+
Used to choose whether to Delete an Encrypted File System.
Status: This feature is not supported on devices running Android 5.1 or later.
Parm Name: DeleteEFSAction
Used to enter the storage location of the Backing Storage File (BSF) of the Encrypted File System (EFS) to be deleted.
Status: This feature is not supported on devices running Android 5.1 or later.
Shown if: The Create EFS action is "Delete EFS"
Parm Name: DeleteEFSLocation
Used to activate or deactivate Full Storage Card Encryption. An attempt to activate or deactivate Full Storage Card Encryption may fail for various reasons, including:
Note: Whenever Full Storage Card Encryption is activated or deactivated, the Storage Card must be reformatted as encrypted or unencrypted, respectively. Reformatting causes the loss of all data on the card. If there is data that must be preserved, it would have to be copied to another location before activating or deactivating encryption and then copied back after the card is reformatted.
Parm Name: SdCardOperation
Option | Name | Description | Note | Status | Requires |
---|---|---|---|---|---|
0 | Do Nothing | This value (or the absence of this parm from the XML) will cause no change to the Full Storage Card Encryption activation status. |
OSX: 1.3+ MX: 4.3+ |
||
1 | Encrypt SDcard | Activates the Full Storage Card Encryption, reformatting and encrypting the Storage Card. |
OSX: 1.3+ MX: 4.3+ |
||
2 | Format SDcard | Deactivates the Full Storage Card Encryption, reformatting and removing encryption from the Storage Card. |
OSX: 1.3+ MX: 4.3+ |
Used to enter the Named Key that will be used to perform Full Storage Card Encryption.
Note: If the Named Key is not present in the Key Storage Database, an error will be returned in the Result XML.
Parm value input rules:
Shown if: The SDcard Operation is "Encrypt SDcard"
Parm Name: SdCardKeyName
Requires:
- OSX: 1.3+
- MX: 4.3+
<wap-provisioningdoc>
<characteristic type="EncryptMgr" version="4.3" >
<parm name="SdCardOperation" value="1"/>
<parm name="SdCardKeyName" value=" EncryptKey"/>
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="EncryptMgr">
<parm-query name="SdCardOperation" />
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="EncryptMgr" version="4.3">
<parm name="SdCardOperation" value="1" />
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="EncryptMgr" version="4.3">
<characteristic-query type="CreateEFS"/>
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="EncryptMgr" version="4.3">
<characteristic type="CreateEFS"/>
<parm name="CreateEFSAction" value="1" />
<characteristic type="CreateEFSDetails">
<parm name="EFSName" value=" EFSName1" />
<parm name="EFSKeyName" value=" EFSKeyName1" />
<parm name="EFSLocation" value=" StorageType1" />
<parm name="MountPath" value=" MountPath1" />
<parm name="VolumeSize" value=" VolumeSize1" />
</characteristic>
</characteristic>
</characteristic>
<characteristic type="EncryptMgr" version="4.3">
<characteristic type="CreateEFS"/>
<parm name="CreateEFSAction" value="1" />
<characteristic type="CreateEFSDetails">
<parm name="EFSName" value=" EFSName2" />
<parm name="EFSKeyName" value=" EFSKeyName2" />
<parm name="EFSLocation" value=" StorageType2" />
<parm name="MountPath" value=" MountPath2" />
<parm name="VolumeSize" value=" VolumeSize2" />
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="EncryptMgr" version="4.3">
<characteristic-query type="InstallKey"/>
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="EncryptMgr" version="4.3">
<characteristic type="InstallKey"/>
<parm name="InstallKeyAction" value="1" />
<characteristic type=" InstallKeyDetails ">
<parm name="InstallKeyName" value=" KeyName1" />
</characteristic>
</characteristic>
</characteristic>
<characteristic type="EncryptMgr" version="4.3">
<characteristic type="InstallKey"/>
<parm name="InstallKeyAction" value="1" />
<characteristic type=" InstallKeyDetails ">
<parm name="InstallKeyName" value=" KeyName2" />
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>