Enhanced Encryption Mode
This section describes the enhanced AES-CBC-CS1 encryption mode for keys. It contains the following topics:
The AES-CBC-CS1 encryption is superior to the existing AES-CBC mode because it uses a unique and unpredictable (random) IV (initialization vector) generated for each individual file. The per-file IV object is generated only at file creation time. It is stored as file metadata.
Note
AES-CBC-CS1 encryption does not require any additional license.
Security Improvements
AES-CBC | AES-CBC-CS1 | |
---|---|---|
Unique IV per-file | No | Yes |
IV predictability | Yes | No |
File System Support
AES-CBC | AES-CBC-CS1 | |
---|---|---|
Local FS | NTFS/ReFS | NTFS/ReFS |
Remote FS | CIFS | No support |
Block Device Support (secvm) | Fully supported | No. When a policy contains a key with CBC-CS1 encryption mode, the guarding fails on the CipherTrust Manager, and an error message displays. |