Enhanced Encryption Mode
This section describes the enhanced AES-CBC-CS1 encryption mode for keys, its security improvements and its file system support.
AES-CBC-CS1 improves on the existing AES-CBC mode by using a unique, unpredictable (random) IV (initialization vector) for each individual file. The per-file IV is generated only once, at file creation time, and is stored as file metadata.
Note
AES-CBC-CS1 encryption does not require any additional license.
Security Improvements
| Property | AES-CBC | AES-CBC-CS1 |
|---|---|---|
| Unique IV per file | No | Yes |
| IV predictability | Yes | No |
File System Support
| File system | AES-CBC | AES-CBC-CS1 |
|---|---|---|
| Local FS (AIX) | JFS2 | JFS2 |
| Remote FS (AIX) | NFS3/NFS4 | NFS3/NFS4 |
| Block Device Support (secvm) | Fully supported | No. When a policy contains a key with the CBC-CS1 encryption mode, guarding fails on the CipherTrust Manager and an error message is displayed. |
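The mode described above, as an added Go example that is not code from the product documentation: it assumes "CS1" is the CS1 ciphertext-stealing variant of the NIST SP 800-38A Addendum, uses only the standard crypto/aes and crypto/cipher packages, and models the per-file IV as one random block drawn at file creation (function names are this example's own). It shows why the ciphertext is exactly as long as the file data and why each file needs its own IV.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// newFileIV draws the random, unpredictable per-file IV at file creation; it would be stored as file metadata.
func newFileIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	return iv
}

// encryptCBCCS1 runs CBC over pt with a zero-padded final block and emits
// C1..C(n-2) || MSB_d(C(n-1)) || Cn (SP 800-38A Addendum, CS1): the ciphertext is
// exactly as long as pt. pt must be at least one block long (assumed, not checked).
func encryptCBCCS1(block cipher.Block, iv, pt []byte) []byte {
	b := block.BlockSize()
	n := (len(pt) + b - 1) / b
	d := len(pt) - (n-1)*b // bytes in the final (possibly partial) block, 1..b
	padded := make([]byte, n*b)
	copy(padded, pt) // the last b-d bytes stay zero
	c := make([]byte, n*b)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c, padded)
	// Drop the tail of C(n-1) (it is recoverable from Cn) and keep Cn whole.
	return append(append([]byte{}, c[:(n-2)*b+d]...), c[(n-1)*b:]...)
}

// decryptCBCCS1 inverts encryptCBCCS1: decrypting Cn with the raw block cipher
// gives C(n-1) XOR (Pn || 0^(b-d)), which restores the stolen tail of C(n-1).
func decryptCBCCS1(block cipher.Block, iv, ct []byte) []byte {
	b := block.BlockSize()
	n := (len(ct) + b - 1) / b
	d := len(ct) - (n-1)*b
	c := append(append([]byte{}, iv...), ct...) // index with the IV as C0
	z := make([]byte, b)
	block.Decrypt(z, c[(n-1)*b+d:]) // z = C(n-1) XOR padded Pn
	full := append(append([]byte{}, c[b:(n-1)*b+d]...), z[d:]...) // C1..C(n-1)
	pt := make([]byte, (n-1)*b, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, full)
	for i := 0; i < d; i++ { // Pn = MSB_d(z) XOR MSB_d(C(n-1))
		pt = append(pt, z[i]^c[(n-1)*b+i])
	}
	return pt
}
```

For whole-block inputs the output is byte-for-byte plain CBC, so existing CBC data stays readable; only the partial-block handling and the per-file IV differ.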