Security information


Storage of cloud storage credentials and file encryption keys:

  • For iOS, the system keychain is used.
  • For Android, the system key store is used.

If you have set an app password as described in App password, the following local data is encrypted:

  • Device key (used for Secure Storage, core data, locally stored work documents, work browser downloads)
  • Local keys
  • SafeGuard encryption keys
  • BitLocker and FileVault recovery keys
  • Client certificates
  • Root certificates
  • Container policies
  • Connection settings
Warning We strongly recommend that you create a device lock screen password to improve the security of the key store (Android) or keychain (iOS).
Warning We strongly discourage rooting (Android) or jailbreaking (iOS) your device as this weakens the security of the key store or keychain.

File encryption and keys

  • Sophos Secure Workspace encrypts files using the AES-256 encryption standard. Each file has its own data encryption key (DEK).
  • The DEK itself is also encrypted using an AES-256 key encryption key (KEK). The encrypted DEK is stored with the file.
  • Sophos Secure Workspace calculates the KEK from a passphrase entered by the user, using the PKCS#5 encryption standard.
  • Note that due to the specifics of this method and to improve security, some random data is added, so that creating two KEKs from the same passphrase results in two very different keys.
  • The list of KEKs available to a user is called the Sophos Secure Workspace keyring.