Enhanced Encryption Mode
This section describes the enhanced AES-CBC-CS1 encryption mode for keys.
AES-CBC-CS1 improves on the existing AES-CBC mode in how the IV (initialization vector) is chosen: a unique and unpredictable (random) IV is generated for each individual file. The IV is generated once, at file creation time, and is stored as file metadata. This matters because CBC is only secure against chosen-plaintext attacks when the IV is unpredictable: with a fixed or predictable IV, two files that begin with the same 16 bytes of plaintext produce the same first ciphertext block, so anyone who can read the ciphertexts learns that the files start alike, and an attacker who can get chosen data encrypted can test guesses about the first block of other files. The CS1 in the name is ciphertext stealing variant 1 (NIST SP 800-38A Addendum), which lets CBC handle data whose length is not a multiple of the 16-byte AES block without padding, so an encrypted file keeps its original length.
Note
AES-CBC-CS1 encryption does not require any additional license.
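The following Go program is an added illustration, not code from CipherTrust Transparent Encryption or from this page. It implements AES-CBC with ciphertext stealing variant CS1 over the Go standard library's AES (the NIST SP 800-38A Addendum construction the mode's name refers to), draws a random IV per file that the caller stores as metadata, and shows the weakness the per-file IV removes: two files that begin with the same 16 bytes produce the same first ciphertext block under one shared IV, and different ones under per-file IVs. The key, the file contents and the function names are constructed for the example; nothing here is the product's API or its on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const bs = aes.BlockSize // 16

// cbcCS1Encrypt is AES-CBC with ciphertext stealing variant CS1 (NIST SP 800-38A
// Addendum): the output is exactly as long as pt and nothing is padded.
func cbcCS1Encrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt) < bs {
		return nil, errors.New("cbc-cs1: input shorter than one block")
	}
	full, d := len(pt)/bs, len(pt)%bs // complete blocks, bytes in the partial tail
	ct := make([]byte, full*bs)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt[:full*bs])
	if d == 0 {
		return ct, nil // block-aligned input is plain CBC
	}
	prev := ct[len(ct)-bs:]    // C_{n-1}
	padded := make([]byte, bs) // P_n || 0^{bs-d}, then XORed with C_{n-1}
	copy(padded, pt[full*bs:])
	for i := range padded {
		padded[i] ^= prev[i]
	}
	cn := make([]byte, bs) // C_n = E_K(C_{n-1} XOR (P_n || 0))
	block.Encrypt(cn, padded)
	// CS1 keeps the natural order: C_1 .. C_{n-2} || MSB_d(C_{n-1}) || C_n
	out := append([]byte{}, ct[:len(ct)-bs]...)
	return append(append(out, prev[:d]...), cn...), nil
}

// cbcCS1Decrypt inverts cbcCS1Encrypt.
func cbcCS1Decrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < bs {
		return nil, errors.New("cbc-cs1: input shorter than one block")
	}
	full, d := len(ct)/bs, len(ct)%bs
	blocks := append([]byte{}, ct...) // C_1 .. C_{n-1} once the stolen bytes are put back
	var pn []byte                     // partial last plaintext block, if any
	if d > 0 {
		split := (full - 1) * bs
		cstar, cn := ct[split:split+d], ct[split+d:]
		// Z = D_K(C_n) = C_{n-1} XOR (P_n || 0): its low bs-d bytes are the stolen
		// low bytes of C_{n-1}, its high d bytes are P_n XOR MSB_d(C_{n-1}).
		z := make([]byte, bs)
		block.Decrypt(z, cn)
		pn = make([]byte, d)
		for i := range pn {
			pn[i] = z[i] ^ cstar[i]
		}
		blocks = append(append(blocks[:split], cstar...), z[d:]...)
	}
	pt := make([]byte, len(blocks))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, blocks)
	return append(pt, pn...), nil
}

// newFileIV models the IV drawn once at file creation time, which the caller then
// stores as file metadata next to the ciphertext. (Illustrative, not the product's API.)
func newFileIV() []byte {
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit demo key
	fileA := []byte("SENSITIVE HEADER for file A, rest differs here") // constructed files that
	fileB := []byte("SENSITIVE HEADER for file B, something else.....") // share their first block
	fixed := make([]byte, bs) // the old way: one predictable IV reused for every file
	ca, _ := cbcCS1Encrypt(key, fixed, fileA)
	cb, _ := cbcCS1Encrypt(key, fixed, fileB)
	fmt.Println("shared fixed IV, first ciphertext blocks equal:", string(ca[:bs]) == string(cb[:bs]))
	ivA := newFileIV() // the CS1 way: a fresh random IV per file
	ca, _ = cbcCS1Encrypt(key, ivA, fileA)
	cb, _ = cbcCS1Encrypt(key, newFileIV(), fileB)
	fmt.Println("random per-file IVs, first ciphertext blocks equal:", string(ca[:bs]) == string(cb[:bs]))
	pt, _ := cbcCS1Decrypt(key, ivA, ca)
	fmt.Printf("%d plaintext bytes -> %d ciphertext bytes, roundtrip ok: %v\n", len(fileA), len(ca), string(pt) == string(fileA))
}
```

Run with `go run`: the shared-IV comparison prints true and the per-file one prints false, and the ciphertext has the same length as the 46-byte plaintext, which is the property that lets the mode encrypt a file without changing its size. Anyone cross-checking the ciphertext stealing against the published vectors in RFC 3962 should note that those are for variant CS3, which differs from CS1 only in swapping the last two ciphertext pieces.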
Security Improvements
| | AES-CBC | AES-CBC-CS1 |
|---|---|---|
| Unique IV per file | No | Yes |
| Predictable IV | Yes | No |
File System Support
| | AES-CBC | AES-CBC-CS1 |
|---|---|---|
| Local FS (AIX) | JFS2 | JFS2 |
| Remote FS (AIX) | NFS3/NFS4 | NFS3/NFS4 |
| Block device support (secvm) | Fully supported | No. When a policy contains a key with the CBC-CS1 encryption mode, guarding fails on the CipherTrust Manager and an error message is displayed. |