Compatibility
- CTE is backward compatible with, and fully supports, the existing AES-CBC mode for both new and existing datasets.
- CTE fully supports AES-CBC-CS1 encryption for LDT and offline data transformation on CTE Linux environments.
  Versions of VTE prior to 6.1.0 are not backward compatible with AES-CBC-CS1 encryption. On those earlier versions, attempting to guard a device with a policy that contains an AES-CBC-CS1 key fails.
- Protected hosts that support AES-CBC-CS1 encryption can be added to host groups.
Difference between AES-CBC and AES-CBC-CS1
The two encryption modes are completely different from a file-format standpoint; data encrypted in one mode is not readable as the other.
- AES-CBC-CS1 encryption applies only to file system directories; AES-CBC encryption applies to both files and block devices.
  Note: If you attempt to use an AES-CBC-CS1 key to guard a block device or partition, guarding fails and the CipherTrust Manager reports an error similar to: Raw or Block Device (Manual and Auto Guard) GuardPoints are incompatible with Policy "policy-xxx" that contains a key that uses the CBC-CS1 encryption mode.
- AES-CBC-CS1 uses ciphertext stealing to encrypt the last partial block of a file whose size is not a multiple of 16 bytes (the AES block size). No padding is added, so the encrypted file has the same size as the plaintext.
- Each file encrypted with an AES-CBC-CS1 key is associated with a unique, random base IV.
- AES-CBC-CS1 uses a secure algorithm to tweak that base IV so that each 512-byte segment of a file is encrypted with its own distinct IV.
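The ciphertext-stealing step described above, as an added example that is not CTE's own code: a Go implementation of the CBC-CS1 variant from the NIST SP 800-38A Addendum, built on AES from the Go standard library. The key, the IV and the 37-byte sample plaintext are constructed for the demo. The random IV here stands in for CTE's per-file base IV; CTE's per-segment IV tweak is not modelled, since the page does not specify it, and each call encrypts a single segment under the IV it is given.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// xorBytes returns a XOR b; both slices must have the same length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// EncryptCBCCS1 implements CBC-CS1 (NIST SP 800-38A Addendum): plain CBC over the
// full blocks; the final partial block is zero-padded, XORed with C_{d-1} and
// encrypted, and C_{d-1} is truncated to that block's length. Output has len(pt) bytes.
func EncryptCBCCS1(block cipher.Block, iv, pt []byte) ([]byte, error) {
	bs := block.BlockSize()
	n := len(pt)
	if n < bs || len(iv) != bs {
		return nil, errors.New("cbc-cs1: plaintext shorter than one block or bad IV")
	}
	d := (n + bs - 1) / bs // number of blocks, the last one possibly partial
	r := n - bs*(d-1)      // bytes in the final block, 1..bs
	ct := make([]byte, 0, n)
	prev := iv
	for j := 0; j < d-1; j++ { // C_j = E(P_j XOR C_{j-1}), with C_0 = IV
		c := make([]byte, bs)
		block.Encrypt(c, xorBytes(pt[j*bs:(j+1)*bs], prev))
		ct = append(ct, c...)
		prev = c
	}
	last := make([]byte, bs) // P_d* || 0^(bs-r)
	copy(last, pt[(d-1)*bs:])
	cd := make([]byte, bs) // C_d = E((P_d* || 0) XOR C_{d-1})
	block.Encrypt(cd, xorBytes(last, prev))
	// Ciphertext stealing: keep only the first r bytes of C_{d-1}; the dropped
	// tail is recovered from C_d on decryption. A no-op when r == bs.
	ct = ct[:len(ct)-(bs-r)]
	return append(ct, cd...), nil
}

// DecryptCBCCS1 inverts EncryptCBCCS1 and returns exactly len(ct) bytes.
func DecryptCBCCS1(block cipher.Block, iv, ct []byte) ([]byte, error) {
	bs := block.BlockSize()
	n := len(ct)
	if n < bs || len(iv) != bs {
		return nil, errors.New("cbc-cs1: ciphertext shorter than one block or bad IV")
	}
	d := (n + bs - 1) / bs
	r := n - bs*(d-1)
	pt := make([]byte, 0, n)
	prev := iv
	for j := 0; j < d-2; j++ { // plain CBC over C_1 .. C_{d-2}
		c := ct[j*bs : (j+1)*bs]
		p := make([]byte, bs)
		block.Decrypt(p, c)
		pt = append(pt, xorBytes(p, prev)...)
		prev = c
	}
	z := make([]byte, bs) // Z = D(C_d) = (P_d* XOR C*_{d-1}) || C**_{d-1}
	block.Decrypt(z, ct[n-bs:])
	if d == 1 {
		return xorBytes(z, iv), nil // a single full block is plain CBC
	}
	cStar := ct[(d-2)*bs : n-bs]                         // truncated C_{d-1}, r bytes
	cPrev := append(append([]byte{}, cStar...), z[r:]...) // restore the stolen tail
	p := make([]byte, bs)
	block.Decrypt(p, cPrev)
	pt = append(pt, xorBytes(p, prev)...)      // P_{d-1}
	pt = append(pt, xorBytes(z[:r], cStar)...) // P_d*
	return pt, nil
}

func main() {
	key := make([]byte, 32)           // AES-256 key, random for this demo
	iv := make([]byte, aes.BlockSize) // stands in for CTE's random per-file base IV
	rand.Read(key)
	rand.Read(iv)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := []byte("37 bytes: not a multiple of the block") // constructed sample input
	ct, err := EncryptCBCCS1(block, iv, pt)
	if err != nil {
		panic(err)
	}
	back, _ := DecryptCBCCS1(block, iv, ct)
	fmt.Printf("plaintext %d bytes -> ciphertext %d bytes, round trip ok: %v\n",
		len(pt), len(ct), bytes.Equal(back, pt))
}
```

Two properties worth checking when reviewing any CS1 implementation: the ciphertext length equals the plaintext length for every input of at least one block, and for block-aligned input the output is byte-for-byte identical to ordinary CBC, which is why the page can call CS1 a format change only for files whose size is not a multiple of 16.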