Encrypted Storage Plugin
(Android, iOS, Windows 10) Provides an encrypted local storage mechanism that allows a Hybrid SDK (Kapsel) application's private data to be stored on the user's device. The plugin adds an encrypted key/value pair storage option to Cordova, which uses the same API method signature as the browser’s local storage option and is nonblocking.
Secure storage is an API based on the W3C Web Storage API, interface Storage (see The Storage interface at http://www.w3.org/TR/2013/PR-webstorage-20130409).
Encryption Algorithm
The EncryptedStorage plugin uses AES 128 in CBC mode. EncryptedStorage generates a random encryption key and stores it in the Logon plugin's datavault (or calls the error callback if the datavault is locked). As required by CBC, EncryptedStorage randomly and uniformly chooses an IV from among the possible IV values.
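The scheme described above (random 128-bit key held in a vault, fresh random IV for every stored value, error callback when the vault is locked) can be modelled in Node.js as follows. This is an added example, not the plugin's code or API: ModelVault, ModelStore and demo are hypothetical names, and the PKCS#7 padding and the record layout (IV kept next to the ciphertext) are assumptions.

```javascript
// Added illustration, not Kapsel code. All class and function names are hypothetical.
const crypto = require('node:crypto');
// Stand-in for the Logon plugin's datavault: holds the key and can be locked.
class ModelVault {
  constructor() { this.locked = false; this.key = null; }
  getOrCreateKey() {
    if (this.locked) throw new Error('datavault is locked');
    if (!this.key) this.key = crypto.randomBytes(16); // random 128-bit key
    return this.key;
  }
}
class ModelStore {
  constructor(vault) { this.vault = vault; this.records = new Map(); }
  // Encrypt with a fresh random IV per write (assumed layout: IV stored with ciphertext).
  setItem(name, value, onSuccess, onError) {
    try {
      const key = this.vault.getOrCreateKey();
      const iv = crypto.randomBytes(16); // one AES block, chosen uniformly at random
      const c = crypto.createCipheriv('aes-128-cbc', key, iv); // PKCS#7 padding (assumed)
      const ct = Buffer.concat([c.update(String(value), 'utf8'), c.final()]);
      this.records.set(name, { iv, ct });
      onSuccess();
    } catch (e) { onError(e); }
  }
  // Decrypt with the stored IV; a locked vault is reported through onError.
  getItem(name, onSuccess, onError) {
    try {
      const key = this.vault.getOrCreateKey();
      const rec = this.records.get(name);
      if (!rec) return onSuccess(null); // missing key yields null, as in Web Storage
      const d = crypto.createDecipheriv('aes-128-cbc', key, rec.iv);
      onSuccess(Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8'));
    } catch (e) { onError(e); }
  }
}
// Constructed demo: the same plaintext is stored twice under the same key.
function demo() {
  const store = new ModelStore(new ModelVault());
  const out = { errors: [] };
  const fail = (e) => out.errors.push(e.message);
  for (const n of ['a', 'b']) store.setItem(n, 'secret', () => {}, fail);
  const a = store.records.get('a'), b = store.records.get('b');
  out.ciphertextsDiffer = !a.ct.equals(b.ct); // random IVs hide equal plaintexts
  out.ciphertextLength = a.ct.length;         // 6 bytes padded to one 16-byte block
  store.getItem('a', (v) => { out.roundTrip = v; }, fail);
  store.vault.locked = true;
  store.getItem('a', () => {}, fail);         // locked vault: error callback fires
  return out;
}
```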
Encryption of Stored Objects
The EncryptedStorage plugin depends on the Logon plugin to automatically store the encryption keys in the Logon plugin's datavault. The EncryptedStorage plugin does not require a password when creating an encrypted storage object. If a password is provided, it will not be used.
When you change a passcode, the contents of the datavault, including the encryption keys, are decrypted and re-encrypted.
Deletion of Encrypted Storage for Security Reasons
The EncryptedStorage plugin receives a notification from the Logon plugin in the event that the Logon plugin's datavault is deleted. This can occur when the user forgets their password while unlocking the application, violates a password policy set on the server, or explicitly deletes the registration. The EncryptedStorage plugin then generates an OnEncryptedStorageErased event, which is a notification that the encrypted storage on the device (the database the application uses for secure storage of application data) has been cleared for security reasons.
Settings Exchange and EncryptedStorage
The SettingsExchange plugin uses the EncryptedStorage plugin to store the settings. Disabling the EncryptedStorage plugin will cause the settings exchange activity of the Settings plugin to stop working properly.