File Systems Compatibility
On Linux, you can use AES-CBC-CS1 keys to guard currently supported file systems.
AES-CBC-CS1 encrypted files on Linux remote file systems like NFS and CIFS increase the file size compared to encrypted files on Linux local file systems which retain the original file size.
AES-CBC-CS1 encrypted files on Linux local file systems, in conjunction with LDT policies, can result in additional space consumption. Unlike the current AES-CBC encryption where encrypted files on all file systems, both remote or local, have the same file format, AES-CBC-CS1 encrypted file formats differ based on whether or not they were created on local or remote file systems.
AES-CBC-CS1 files on Linux remote file systems such as NFS and CIFS embed the IV in a 4K-byte header within the file. When these files are guarded, CTE masks the file header -- to applications and system utilities. The expanded file is only apparent when CTE guarding is disabled.
The remote file system must have enough extra space to store the extra 4K bytes of the embedded header. You can run the following script in the GuardPoint to identify how much space to reserve before data transformation:x=$(find . -type f | wc -l); y=$(echo "$x * 4 /1024" | bc); echo ${y}MB
File System Requirements
CTE Only
Unlike with AES-CBC encryption, files encrypted with AES-CBC-CS1 on remote file systems cannot be copied over to local file systems in the absence of CTE guarding. Similarly, AES-CBC-CS1 encrypted files on local file systems cannot be copied over to remote file systems in the absence of CTE guarding.
The fundamental reason for this incompatibility is the usage of extended attributes on local file systems to store the IV, in contrast to its storage as a part of the file metadata on remote file systems. This is why files cannot be transferred across these file system boundaries in the absence of CTE guarding.
In RHEL 6, the user_xattr
mount option needed to be provided manually if the files were encrypted with CTE AES-CBS-CS1 encryption mode. This is no longer required. Thales does not support RHEL 6 anymore. Therefore, the File Systems Compatibility table has been removed to make the document simpler and easier to understand.
Storing Metadata
AES-CBC-CS1 encrypted files on Linux store the base IV of a file in either the extended attributes or in the file metadata:
-
On local FS (EXT3/EXT4/XFS), Linux saves it as an extended attribute associated with the file. The underlying file system requires that you mount it with the extended attribute mount option.
-
On remote FS (NFS and CIFS), Linux saves it in the embedded header of the file.
-
For CipherTrust Transparent Encryption Userspace, all files have an embedded header.
To get the value of the base IV, type:
voradmin secfs iv get <file-name>
The base IV of a file is protected. It cannot be set/modified/removed by commands and applications. However, if a GuardPoint is unguarded, the files in the GuardPoint are no longer protected. An adversary can then corrupt the content of the files, as well as the IVs.
AES-CBC-CS1 depends on the physical file system's support for extended attributes in a manner similar to the CipherTrust Transparent Encryption - Live Data Transformation feature.
Missing IV file
If the IV for a file is missing, or CTE is unable to read the IV, then CTE denies access to the file. This access denied message may trigger an application to display an error message. This message may vary from application to application.
AES-CBC | AES-CBC-CS1 | |
---|---|---|
Local Linux FS | No change | Internal extended attribute for each file |
Remote Linux FS | No change | 4KB embedded header for each file |
HDFS
CTE Only
The AES-CBC-CS1 key is compatible with the current Hadoop File System support.
Backups
Backups and other data protection utilities should take into account the extended attributes present in each AES-CBC-CS1 encrypted file on a Linux local file system to ensure that they are safely backed up. An AES-CBC-CS1 encrypted file whose IV is corrupted, renders the files to be corrupted and therefore unreadable. Hence all data protection software must preserve the file's extended attributes.
CTE Linux can inspect a file's IV using the following command:
voradmin secfs iv get file
CTE Only
On Linux, the backup utility specified in the guarding policy should automatically backup/restore extended attributes as well. For example, you must use the options to preserve extended attributes when running cp
or rsync.normal
.
Due to the different file formats, the backup/restore process across the local and remote file systems are not allowed. If you want to backup a GuardPoint from a local directory, you must restore it to a local directory. If a GuardPoint is backed up on a remote file system, you must restore it to a remote file system.
Backup/Restore Process | AES-CBC | AES-CBC-CS1 |
---|---|---|
General backup utility requirement (all platforms) | Backup utility defined in guarding policy with clear view | Backup utility defined in guarding policy with clear view |
Special requirement for backup/restore local fs on Linux | No | Backup utility must be run with user extended attribute enabled |
Special requirement for backup/restore remote fs on Linux | No | No |
On Linux, backup local fs and restore to remote fs | Allowed | Not allowed, the restored files cannot be accessed with I/O error |
On Linux, backup remote fs and restore to local fs | Allowed | Not allowed, the restored files cannot be accessed with I/O error |