January 27, 2019

Knox Deep Dive: Sensitive Data Protection

Josh Fernandez

Protecting Data-At-Rest (DAR) on mobile devices is a major concern. While the industry standard is to encrypt all data on a device, that data is decrypted and accessible after the device boots successfully. If a device is lost or stolen, a sophisticated attack can extract data from it as long as the device is still running, even if the device is locked.

Samsung created Sensitive Data Protection (SDP) to address this specific issue, and includes SDP in Samsung devices built on the Knox Platform for Enterprise (KPE).


What is Knox SDP?

With Knox SDP, selected files remain encrypted at runtime and are decrypted only after device users authenticate themselves at the device lockscreen or Knox Workspace login. Knox ejects decryption keys each time the device or Knox Workspace locks.


Why should I consider Knox SDP?

  • MDFPP-Compliant:

    SDP is certified as meeting the Mobile Device Fundamentals Protection Profile (MDFPP) requirements defined by the National Information Assurance Partnership (NIAP) for DAR, meaning that SDP is approved for use by the US government and military. Without Knox SDP, the base Android system is not certified as satisfying MDFPP requirements, which mandates a form of SDP. MDFPP compliance is a requirement for many government agencies and the companies they work with. Samsung has more MDFPP-certified products than any other mobility solution provider.
  • Granular Control:

    App developers and enterprise IT admins can use Knox SDP to protect individual files, databases, and any other sensitive enterprise data.
  • Per-App Password:

    For an added layer of security, app developers and enterprise IT admins can customize Knox SDP so that sensitive data is decrypted only by a per-app password entered by the app user. In this case, the device unlock or Knox Workspace authentication alone does not decrypt app data. An app password is also needed.


How does Knox SDP work?

Knox’s two levels of protection and how they perform when a device is off, locked, or authenticated

The Knox Platform provides two levels of protection for Data-At-Rest:

  • Protected Data

    By default, all data is encrypted when the device is powered off. When the device is powered on, the data is decrypted. The decryption key for Protected Data is tied to the device hardware, making Protected Data recoverable only on the same device.
  • Sensitive Data

    SDP provides an extra layer of security. Unlike Protected Data, Sensitive Data remains encrypted, even after the device boots. Data is decrypted only after the device is unlocked through user authentication. SDP data can't be decrypted in the locked state, only in the unlocked state. The SDP data decryption key is also tied to device hardware, meaning Sensitive Data is recoverable only on the same device and only after successful user authentication.

SDP enables both app developers and enterprise IT admins to label data as “sensitive” to guarantee the data is encrypted and not accessible on locked devices.


Where is Knox SDP used?

Knox SDP is enabled by default to secure the Samsung Email app's email body and attachments.

SDP even handles incoming sensitive data, such as emails and notifications, ensuring it is immediately encrypted and not accessible until the user is authenticated. This encryption uses a public key algorithm. The private key is maintained in an encrypted partition while the public part encrypts the sensitive, newly received data.


Next steps

To learn more about:

  • Other data protection options for Samsung Knox devices, see the KPE Admin Guide.
[Icon] close

Get the right solution for your business

Join 25,000+ organizations around the world.

[Icon] suitcase
Are you a reseller or solution partner?

Get access to the Knox Partner Program for helpful partner tools, such as the Knox Deployment Program portal, Knox MSP portal, partner SDKs, and more.

[Icon] info
Unified Endpoint Management
Knox Suite
Rebranding and customization
Knox Configure
Fraud and theft protection
Knox Guard
Device protection plan
Samsung Care + for Business
Other products & services

Get started with

[Image] Knox Suite

All-in-one solution bundle for enterprise mobility.

[Icon] Check mark

Join us and get a 90-day free trial for Knox Suite and other Knox products. *Approval required

[Icon] Check mark

A complete set of tools to secure, deploy, manage, and analyze your enterprise's corporate mobile devices.

[Icon] Check mark

Try powerful features bundled with Knox Suite, such as Knox Remote Support.

Knox Suite include:

[Icon] Knox Platform for Enterprise Knox Platform for Enterprise
[Icon] Knox E-FOTA Knox E-FOTA
[Icon] Knox Mobile Enrollment Knox Mobile Enrollment
[Icon] Knox Asset Intelligence Knox Asset Intelligence
[Icon] knox manage Knox Manage
[Icon] knox capture Knox Capture

Get started with

[Image] Knox Configure Logo

Remotely configure Samsung devices in bulk and tailor them to specific needs, right out of the box.

[Icon] Check mark

After approval, you can try both the:

  • Setup edition — designed for a one-time deployment
  • Dynamic edition — deploy and update policies as many times without a factory reset.
[Icon] Check mark

Try either the Setup edition or Dynamic edition of Knox Configure on up to 30 devices.

[Icon] Check mark

Get a free Knox Suite trial upon approval to try our UEM.

Get started with

[Icon] Knox Guard Logo

Remotely control Samsung devices to reduce financial risks and protect assets.

[Icon] Check mark

After you get approved, generate your free trial license for 90 days.


Try all the features of Knox Guard on up to 30 devices, including SIM control and device locking.

[Icon] Check mark

Get a free Knox Suite trial upon approval to try our UEM.

Get started with

[Image] Samsung Care Plus For Business Logo

Protect your business devices against accidental damage and mechanical breakdowns.

[Icon] Check mark

Are you already a Samsung Care+ for Business customer? Create an account and access the Samsung Care+ for Business console.

[Icon] Check mark

Contact the Samsung sales team and get peace of mind for your devices.

Other products & services

[Image] Others logo
[Icon] Check mark

Samsung offers additional solutions to serve the unique needs of your business. Talk to a Samsung expert today.

Back to top