File Systems Compatibility
On Windows, you can use AES-CBC-CS1 keys to guard currently supported file systems.
The file system hosting the GuardPoint must have enough free space for the per-file metadata: with a 4K allocation unit, that is an extra 4K bytes of embedded header for each encrypted file.
Storing Metadata
AES-CBC-CS1 encrypted files on Windows store the base IV (initialization vector) of a file in a Windows Alternate Data Stream (ADS) attached to the file. The space required to store the IV depends on the allocation size of the file system: if the allocation size is 4K, each file's IV requires an extra 4K of disk space. To find the allocation size of an NTFS volume, run fsutil fsinfo ntfsinfo <drive> and read the Bytes Per Cluster value.
The AES-CBC-CS1 key is supported on the following file systems:
- NTFS: Supported on all Windows platforms that are supported by CTE.
- REFS: Supported on Windows 2012 R2 and later.
- CIFS: Supported if the backend storage for the CIFS share is Windows-based storage. Some network storage servers do not support multiple ADS associated with a file.
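The pre-flight checks the text above calls for, as an added PowerShell example (not part of CTE or its documentation): it reads the volume's allocation unit size with fsutil, estimates the extra space the per-file IV streams will consume, and probes whether the target file system actually accepts an Alternate Data Stream. The GuardPoint path and the probe file name are assumptions; point it at the directory you intend to guard.

```powershell
# Added example, not part of CTE or its documentation. Before guarding a path with an
# AES-CBC-CS1 key it checks: the volume's allocation unit (cluster) size, the extra space
# the per-file IV streams will need, and whether the file system accepts an ADS at all.
# $GuardPointPath is an assumed example path; adjust it to the directory you intend to guard.
param(
    [string]$GuardPointPath = 'D:\data\guardpoint'
)

$drive = ([System.IO.Path]::GetPathRoot($GuardPointPath)).TrimEnd('\')   # e.g. "D:"

# 1. Allocation unit size. fsutil fsinfo ntfsinfo reports it as "Bytes Per Cluster".
$ntfsInfo = & fsutil fsinfo ntfsinfo $drive
$clusterMatch = $ntfsInfo | Select-String -Pattern 'Bytes Per Cluster\s*:\s*(\d+)'
if (-not $clusterMatch) {
    throw "Could not read the allocation unit size for $drive (is it an NTFS volume?)"
}
$bytesPerCluster = [int]$clusterMatch.Matches[0].Groups[1].Value

# 2. Space estimate: one IV stream per file, each costing one allocation unit
#    (the 4K figure in the documentation assumes a 4K allocation unit).
$files = Get-ChildItem -Path $GuardPointPath -File -Recurse -Force -ErrorAction SilentlyContinue
$extraBytes = $files.Count * $bytesPerCluster
$freeBytes  = (Get-PSDrive -Name $drive.TrimEnd(':')).Free

# 3. ADS probe: write a named stream to a scratch file and read it back. Storage that
#    rejects or silently drops the stream cannot hold AES-CBC-CS1 metadata.
$probe = Join-Path $GuardPointPath 'cs1-ads-probe.tmp'   # assumed scratch file name
$adsSupported = $false
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Set-Content -Path $probe -Stream 'cs1probe' -Value 'ads-ok' -ErrorAction Stop
    $streams = Get-Item -Path $probe -Stream * -ErrorAction Stop | Select-Object -ExpandProperty Stream
    $adsSupported = ($streams -contains 'cs1probe') -and
                    ((Get-Content -Path $probe -Stream 'cs1probe' -ErrorAction Stop) -eq 'ads-ok')
} catch {
    $adsSupported = $false
} finally {
    Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
}

[pscustomobject]@{
    Drive            = $drive
    BytesPerCluster  = $bytesPerCluster
    FileCount        = $files.Count
    ExtraBytesNeeded = $extraBytes
    FreeBytes        = $freeBytes
    EnoughSpace      = ($freeBytes -gt $extraBytes)
    AdsSupported     = $adsSupported
}
```

Run it from an elevated PowerShell session on the host that will own the GuardPoint. An AdsSupported value of False on a CIFS share is the symptom described above for network storage that does not carry alternate data streams; EnoughSpace is an estimate based on the current file count, so leave headroom for files created after the GuardPoint is enabled.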
Compatibility
| | AES-CBC | AES-CBC-CS1 |
|---|---|---|
| Local FS (Windows) | No change | Alternate Data Streams |
| NTFS file system | Supported | Supported |
| Azure File Share | Supported | Not supported with a standard policy on a system with a VMFILTR driver. |
AES-CBC-CS1 encrypted files on CTE Windows are not compatible with AES-CBC-CS1 encrypted files on CTE Linux. Do not create a policy on Linux that uses AES-CBC-CS1 keys if access to the same NFS GuardPoint is required by both Windows and Linux LAN clients.
Base IV file
To get the value of the base IV, type:
voradmin secfs iv get <file-name>
The base IV of a file is protected: while the GuardPoint is guarded, it cannot be set, modified or removed through commands or applications. Once a GuardPoint is unguarded, however, the files in it are no longer protected, and an adversary with access can corrupt both the file contents and the IVs.
AES-CBC-CS1 depends on the physical file system's support for extended attributes in a manner similar to the CipherTrust Transparent Encryption Live Data Transformation feature.
Missing IV file
If the IV for a file is missing, or CTE cannot read it, CTE denies access to the file. The resulting access-denied error may cause the application to display an error message; the wording varies from application to application.
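An audit for this failure mode, as an added PowerShell example (not part of CTE or its documentation): it runs the documented voradmin secfs iv get command over every file in a GuardPoint and lists the files for which no base IV could be read, which are the files CTE will refuse to open. It assumes voradmin is on the PATH and exits with a non-zero code when it cannot return an IV; neither is stated by the documentation. The GuardPoint path is an assumed example.

```powershell
# Added example, not part of CTE or its documentation. Audits every file under a guarded
# directory with "voradmin secfs iv get <file-name>" and reports files with no readable
# base IV, i.e. the files CTE will deny access to.
# Assumptions (not stated in the documentation): voradmin is on PATH, and it exits with a
# non-zero code when it cannot return an IV. $GuardPointPath is an assumed example path.
param(
    [string]$GuardPointPath = 'D:\data\guardpoint'
)

$missing = foreach ($file in Get-ChildItem -Path $GuardPointPath -File -Recurse -Force) {
    # Capture stdout and stderr together so the tool's own message is kept for the report.
    $output = & voradmin secfs iv get $file.FullName 2>&1
    if ($LASTEXITCODE -ne 0) {
        [pscustomobject]@{
            File   = $file.FullName
            Detail = ($output | Out-String).Trim()
        }
    }
}

if ($missing) {
    Write-Warning "$($missing.Count) file(s) have no readable base IV; CTE will deny access to them:"
    $missing | Format-Table -AutoSize
} else {
    Write-Output "All files under $GuardPointPath have a readable base IV."
}
```

Run it while the GuardPoint is still guarded, since the IVs are only protected in that state; a non-empty report after unguarding and re-guarding a path is the sign that the files or their ADS were tampered with in between.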