Encryption Key Sizes and Algorithms

You can specify a cipher type when disks are encrypted or when KeyIDs and FSIDs are created. By default, the Policy Agent uses AES-XTS-512 encryption to take advantage of the performance improvements that come with AES-NI (Advanced Encryption Standard New Instructions).

For Policy Management encryption keys:

  • AES 128/256/512-bit encryption support (CBC and XTS cipher modes). Specifically:

    Algorithm     Mode   AES key size   Notes
    AES-128       CBC    128-bit        Not available on Windows boot drives
    AES-256       CBC    256-bit
    AES-XTS-256   XTS    128-bit        Not available on Windows boot drives
    AES-XTS-512   XTS    256-bit
  • Automatic detection and use of hardware cryptography — AES-NI on Intel and AMD processors.
  • Set an expiration date for keys — one key per device is generated.
  • Secure encrypted communication between KeyControl clusters and Policy Agents.
  • Ability to revoke and restore access to all keys for a VM.
  • Ability to cache keys in the VM (encrypted with a passphrase).
  • Ability to clone VMs and authenticate cloned VMs (for backup, restore, autoscaling and DR purposes).
  • Share encryption keys and disks between VMs in the same Cloud VM Set, which allows these VMs to encrypt, securely transport, and decrypt data and disks.
  • On-line key rotation on Windows and off-line rekey on Linux.

AES-NI is supported by all current-generation EC2 instances in Amazon Web Services (AWS) and by all Microsoft Azure instances. To check whether a specific server supports AES-NI, run hcl status on the server or look at the VM details in the KeyControl webGUI under Cloud > VMs.

For additional details about AES-NI, see the Wikipedia summary at http://en.wikipedia.org/wiki/AES_instruction_set.