Compatibility
-
Starting with VTE for Windows version 6.1.0, CTE is backward compatible with, and fully supports, the existing AES-CBC mode for both new and existing datasets.
-
Starting with VTE for Windows version 6.1.0, CTE fully supports AES-CBC-CS1 encryption for LDT and offline data transformation on CTE Windows environments.
Versions of VTE prior to version 6.1.0 are not backwards compatible with AES-CBC-CS1 encryption. On these earlier versions, attempting to guard a device using a policy containing an AES-CBC-CS1 key will fail.
-
Protected hosts supporting AES-CBC-CS1 encryption can be added to host groups.
Difference between AES-CBC and AES-CBC-CS1
The two encryption modes are completely different from a file format standpoint.
-
AES-CBC-CS1 encryption only applies to file system directories; AES-CBC encryption applies to both files and block devices.
• If you attempt to use an AES-CBC-CS1 key to guard a block device or partition, the guarding fails with an error reported on the CipherTrust Manager, similar to: Raw or Block Device (Manual and Auto Guard) GuardPoints are incompatible with Policy “policy-xxx" that contains a key that uses the CBC-CS1 encryption mode.”
• While AES-CBC-CS1 encryption is supported on both Linux and Windows environments, the file formats are incompatible. An encrypted file created with a specific AES-CBC-CS1 key on Windows cannot be read on Linux, even if that specific key were to be used and vice versa. -
AES-CBC-CS1 uses cipher-text stealing to encrypt the last partial block of a file whose size is not aligned with 16 bytes.
-
Each file encrypted with an AES-CBC-CS1 key is associated with a unique and random base IV.
-
AES-CBC-CS1 implements a secure algorithm to tweak the IV used for each segment (512 bytes) of a file.