File Systems Compatibility
On AIX, you can use AES-CBC-CS1 keys to guard currently supported file systems.
AES-CBC-CS1 encrypted files on AIX local file systems can result in additional space consumption.
AES-CBC-CS1 files on AIX file systems, whether local (such as JFS2) or remote, embed the IV in a 4K-byte header within the file. While these files are guarded, CTE hides this header from applications and system utilities, so the file appears at its original size. The expanded size is visible only when CTE guarding is disabled.
The file system must have enough extra space to store the extra 4K bytes of the embedded header.
On AIX, with AES-CBC-CS1 encryption, encrypted files on all file systems, both remote and local, have the same file format.
Storing Metadata
AES-CBC-CS1 encrypted files on AIX store the base IV of a file in the embedded header of the file.
To get the value of the base IV, type:
voradmin secfs iv get <file-name>
The base IV of a file is protected: it cannot be set, modified, or removed by commands or applications. However, if a GuardPoint is unguarded, the files in the GuardPoint are no longer protected. An adversary can then corrupt the content of the files, as well as their IVs.
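Because the base IVs are only protected while the GuardPoint is guarded, a practical defensive control is to snapshot them while guarded and re-check after any unguard/re-guard cycle. The following script is an added example, not part of the CTE documentation or product. It assumes (the page does not say so) that voradmin secfs iv get <file> prints the base IV as a single token on stdout and exits non-zero for a file that has no CTE header; IV_CMD is a hypothetical override so the same logic can be exercised against another command with that contract.

```shell
#!/bin/sh
# Added example (not from the CTE documentation): baseline the base IVs of all
# regular files under a GuardPoint, then compare a later snapshot against that
# baseline to detect IVs that changed, files that vanished, and files that
# appeared while the GuardPoint may have been unguarded.
#
# Assumption (not stated on the page): `voradmin secfs iv get <file>` prints
# the base IV as one token and exits non-zero when the file has no CTE header.
# IV_CMD is a hypothetical hook so another command with the same contract can
# be substituted.
IV_CMD=${IV_CMD:-"voradmin secfs iv get"}

# record_ivs GUARDPOINT_DIR OUTFILE
# Writes one "<path><TAB><base-iv>" line per regular file, sorted by path.
# Files for which no IV can be read (e.g. not yet encrypted) are skipped.
record_ivs() {
    dir=$1
    out=$2
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        iv=$($IV_CMD "$f" 2>/dev/null) || continue
        printf '%s\t%s\n' "$f" "$iv" >> "$out"
    done
}

# verify_ivs BASELINE CURRENT
# Prints "<kind><TAB><path>" for every difference, where kind is one of
# iv-changed, missing (in baseline only) or added (in current only).
# Returns 0 when the snapshots match, 1 when any difference was found.
verify_ivs() {
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2; next }
        { cur[$1] = $2 }
        END {
            for (p in base) if (!(p in cur)) print "missing\t" p
            for (p in cur)  if (!(p in base)) print "added\t" p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "iv-changed\t" p
        }' "$1" "$2" | LC_ALL=C sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Typical use (GuardPoint path is a placeholder):
#   record_ivs /guardpoint/data /var/tmp/ivs.baseline   # while guarded
#   ... unguard / maintenance / re-guard ...
#   record_ivs /guardpoint/data /var/tmp/ivs.current
#   verify_ivs /var/tmp/ivs.baseline /var/tmp/ivs.current || echo "IV drift detected"
```

Keep the baseline file outside the GuardPoint and under its own access controls; a baseline that can be rewritten by the same party who can unguard the GuardPoint detects nothing. An iv-changed result on a file that was not intentionally re-keyed is the signal to treat that file as potentially corrupted and restore it from backup.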