Compatibility
-
Starting with VTE for AIX version 5.3, CTE is backward compatible with, and fully supports, the existing AES-CBC mode for both new and existing datasets.
-
Starting with VTE for AIX version 5.3, CTE fully supports AES-CBC-CS1 encryption for offline data transformation on CTE AIX environments.
Versions of VTE prior to version 5.3 are not backwards compatible with AES-CBC-CS1 encryption. On these earlier versions, attempting to guard a device using a policy containing an AES-CBC-CS1 key will fail.
-
Protected hosts supporting AES-CBC-CS1 encryption can be added to host groups.
Difference between AES-CBC and AES-CBC-CS1
The two encryption modes are completely different from a file format standpoint.
-
AES-CBC-CS1 encryption only applies to file system directories; AES-CBC encryption applies to both files and block devices.
Note
-
If you attempt to use an AES-CBC-CS1 key to guard a block device or partition, the guarding fails with an error reported on the CipherTrust Manager, similar to: Raw or Block Device (Manual and Auto Guard) GuardPoints are incompatible with Policy “policy-xxx" that contains a key that uses the CBC-CS1 encryption mode.”
-
AES-CBC-CS1 encryption is supported in AIX environments; as long as it is a local JFS2 or remote file system using NFS, the file formats will be compatible. It is possible that an encrypted file created with a specific AES-CBC-CS1 key on AIX cannot be read on a Linux or Windows local file system, even if that specific key were to be used, and vice versa.
-
-
AES-CBC-CS1 uses cipher-text stealing to encrypt the last partial block of a file whose size is not aligned with 16 bytes.
-
Each file encrypted with an AES-CBC-CS1 key is associated with a unique and random base IV.
-
AES-CBC-CS1 implements a secure algorithm to tweak the IV used for each segment (512 bytes) of a file.
