Encryption Key Sizes and Algorithms

You can select a cipher type when disks are encrypted or when KeyIDs are created. By default, the Policy Agent uses AES-XTS-512 encryption to take advantage of the performance improvements that come with AES-NI (Advanced Encryption Standard New Instructions).

Policy Management encryption keys:

  • Support AES and AES-XTS encryption. Specifically:

    | Algorithm   | Mode | Notes |
    |-------------|------|-------|
    | AES-128     | CBC  | Available only for KeyIDs. Not available when encrypting Linux or Windows disks. Uses a single 128-bit encryption key. |
    | AES-256     | CBC  | Uses a single 256-bit encryption key. |
    | AES-XTS-256 | XTS  | Not available on Windows boot drives. Uses a pair of 128-bit encryption keys. |
    | AES-XTS-512 | XTS  | Uses a pair of 256-bit encryption keys, one data AES key and one tweak AES key. |

  • Automatically detect and use hardware cryptography — AES-NI on Intel and AMD processors.
  • Can be assigned an expiration date — one key per device is generated.
  • Enable secure encrypted communication between KeyControl clusters and Policy Agents.
  • Allow users to revoke or restore access to all keys for a VM.
  • Allow users to cache keys in the VM (encrypted with a passphrase).
  • Allow users to clone VMs and authenticate cloned VMs (for backup, restore, autoscaling, and DR purposes).
  • Enable the Policy Agents to share encryption keys and disks between VMs in the same Cloud VM Set, which allows these VMs to encrypt, securely transport, and decrypt data and disks.
  • Allow users to rekey both Windows and Linux disks while those disks are online and accessible.

AES-NI is supported by all current-generation EC2 instances in Amazon Web Services (AWS) and by all Microsoft Azure instances. To check whether a specific server supports AES-NI, run hcl status on the server or look at the VM details in the KeyControl webGUI under Cloud > VMs.

For additional details about AES-NI, see the Wikipedia summary at http://en.wikipedia.org/wiki/AES_instruction_set.