We strongly recommend that you create a device lock screen password to improve the security of the key store (Android) or keychain (iOS).
We strongly discourage rooting (Android) or jailbreaking (iOS) your device as this weakens the security of the key store or keychain.
Sophos Secure Workspace stores cloud storage credentials and file encryption keys in the system key store (Android) or system keychain (iOS).
If you have set an app password as described in Set an app password, the following local data is encrypted:
- Device key (used for Secure Storage, core data, locally stored work documents, work browser downloads)
- Local keys
- SafeGuard encryption keys
- BitLocker and FileVault recovery keys
- Client certificates
- Root certificates
- Container policies
- Connection settings
File encryption and keys
Sophos Secure Workspace encrypts files using the AES-256 encryption standard. Each file has its own data encryption key (DEK).
The DEK itself is also encrypted using an AES-256 key encryption key (KEK). The encrypted DEK is stored with the file.
Sophos Secure Workspace derives the KEK from a passphrase entered by the user, using the PKCS#5 password-based cryptography standard.
As part of this method, and to improve security, some random data is added, so that deriving two KEKs from the same passphrase results in two very different keys.
The list of KEKs available to a user is called the Sophos Secure Workspace keyring.
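The DEK/KEK scheme described above can be sketched as follows. This is an added example, not Sophos code: PBKDF2-HMAC-SHA256 as the PKCS#5 function, the iteration count, the 16-byte salt, AES-GCM for both the file and the wrapped DEK, and all names are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EnvelopeDemo {
    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 600_000; // assumed work factor, not from the page

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // PKCS#5 PBKDF2 (assumed variant): passphrase + random salt -> 256-bit AES KEK
    static SecretKey deriveKek(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = f.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // AES-256-GCM with a fresh nonce; output layout is nonce || ciphertext || tag
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] nonce = random(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }

    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // throws if the tag does not verify
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] saltA = random(16), saltB = random(16);
        SecretKey kekA = deriveKek(pass, saltA), kekB = deriveKek(pass, saltB);
        System.out.println("same passphrase, same KEK? "
                + Arrays.equals(kekA.getEncoded(), kekB.getEncoded()));
        SecretKey dek = new SecretKeySpec(random(32), "AES");  // one DEK per file
        byte[] fileCt = seal(dek, "sample file contents".getBytes(StandardCharsets.UTF_8));
        byte[] wrappedDek = seal(kekA, dek.getEncoded());      // stored with the file
        // Later: re-derive the KEK from passphrase + stored salt, unwrap DEK, decrypt
        SecretKey dek2 = new SecretKeySpec(open(deriveKek(pass, saltA), wrappedDek), "AES");
        System.out.println(new String(open(dek2, fileCt), StandardCharsets.UTF_8));
        try { open(kekB, wrappedDek); }
        catch (AEADBadTagException e) { System.out.println("other KEK cannot unwrap"); }
    }
}
```

The salt must be kept alongside the KEK's keyring entry, because without it the same passphrase cannot reproduce that KEK.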