Encryption Key Sizes and Algorithms

You can specify a specific cipher type when disks are encrypted or when keyIDs and FSIDs are created. By default, the Policy Agent uses AES-XTS-512 encryption to take advantage of the performance improvements that come with AES-NI (Advanced Encryption Standard New Instructions).

For Policy Management encryption keys:

AES 128/256/512-bit encryption support (CBC and XTS cipher modes). Specifically:

Algorithm	Mode	Key size	Notes
AES-128	CBC	128-bit	Not available on Windows boot drives
AES-256	CBC	256-bit
AES-XTS-256	XTS	128-bit	Not available on Windows boot drives
AES-XTS-512	XTS	256-bit

Automatic detection and use of hardware cryptography — AES-NI on Intel and AMD processors.
Set an expiration date for keys — one key per device is generated.
Secure encrypted communication between KeyControl clusters and Policy Agents.
Ability to revoke and restore access to all keys for a VM.
Ability to cache keys in the VM (encrypted with a passphrase).
Ability to clone VMs and authenticate cloned VMs (for backup, restore, autoscaling and DR purposes).
Share encryption keys and disks between VMs in the same Cloud VM Set, which allows these VMs to encrypt, securely transport, and decrypt data and disks.
On-line key rotation on Windows and off-line rekey on Linux.

AES-NI is supported by all current-generation EC2 instances in Amazon Web Services (AWS) and by all Microsoft Azure instances. To check whether a specific server supports AES-NI, run hcl status on the server or look at the VM details in the KeyControl webGUI under Cloud > VMs.

For additional details about AES-NI, see this Wikipedia summary and this Intel article.

Open topic with navigation