Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

High-performance bulk data encryption using symmetric keys
EVFS encrypts volume data using a symmetric encryption key, referred to as the volume
encryption key. EVFS supports the following symmetric key algorithms for encrypting volume
data:
128-bit key AES CBC (Advanced Encryption Standard Cipher Block Chaining) mode
192-bit key AES CBC mode
256-bit key AES CBC mode
128-bit key AES CFB (Advanced Encryption Standard Cipher FeedBack) mode
192-bit key AES CFB mode
256-bit key AES CFB mode
Both modes provide confidentiality only: neither CBC nor CFB detects modification of the
ciphertext, so the integrity of encrypted volume data must be ensured by other means.
EVFS encrypts the data of each file using a unique symmetric encryption key, referred to as the
file encryption key. EVFS supports the following symmetric key algorithms for encrypting file
data:
128-bit key AES CFB (Advanced Encryption Standard Cipher FeedBack) mode
192-bit key AES CFB mode
256-bit key AES CFB mode
EVFS supports the following symmetric key algorithms for file data only on IA (Itanium-based
systems):
128-bit key AES CBC (Advanced Encryption Standard Cipher Block Chaining) mode
192-bit key AES CBC mode
256-bit key AES CBC mode
Public/private keys to protect the symmetric keys.
EVFS uses public/private key pairs to protect volume and file encryption keys: each symmetric
key is encrypted with a public key and can be recovered only with the corresponding private
key. EVFS supports the following public/private key encryption algorithms:
1024-bit key Rivest-Shamir-Adleman (RSA)
1536-bit key RSA
2048-bit key RSA
Of these, 1024-bit RSA no longer meets current key-length guidance; use 2048-bit keys for new
deployments.
Passphrase storage and retrieval for automatic start (autostart).
EVFS encrypts each private key with a passphrase. In normal operation, EVFS prompts the user
for the passphrase to decrypt and retrieve the private key. To enable EVFS operation during
system startup without human intervention, EVFS provides a mechanism to store a user's
passphrase in a file, encrypted with system-specific data. At system startup, EVFS can
automatically retrieve stored passphrases and use them to execute EVFS commands.
CAUTION: Stored passphrases provide convenience, but they are a security risk. The stored file
is protected only by data that the system itself holds: anyone who can read the file and
reproduce that system-specific data can recover the passphrase, and with it the private key and
every volume and file encryption key that private key protects.
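The three layers this overview describes (a symmetric volume key, an RSA key pair that wraps it, and a passphrase that protects the private key), together with the autostart trade-off in the CAUTION, as an added Go example. It is not EVFS code and does not reproduce EVFS on-disk formats: PBKDF2-HMAC-SHA256 as the passphrase key derivation, the 20000 iteration count, PKCS#1 DER for the private key, RSA-OAEP for key wrapping, IV-prefixed AES-CBC with PKCS#7 padding, and hostname plus machine ID as the "system-specific data" for the autostart key are all this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
	"io"
)

// must panics on errors that only a broken platform can produce (RNG, key generation, key size).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { return must(io.ReadAll(io.LimitReader(rand.Reader, int64(n)))) }
// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block (assumed KDF).
func pbkdf2SHA256(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for n := 1; n < iter; n++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	return key
}

// aesCBCEncrypt returns IV || AES-CBC(PKCS#7-padded plaintext); the key may be 16, 24 or 32 bytes.
func aesCBCEncrypt(key, plaintext []byte) []byte {
	block := must(aes.NewCipher(key))
	bs := block.BlockSize()
	pad := bs - len(plaintext)%bs
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := append(randBytes(bs), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out
}

// aesCBCDecrypt reverses aesCBCEncrypt. CBC has no integrity check: a wrong key usually yields garbage, not an error.
func aesCBCDecrypt(key, data []byte) ([]byte, error) {
	block := must(aes.NewCipher(key))
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	out := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(out, data[bs:])
	if pad := int(out[len(out)-1]); pad >= 1 && pad <= bs {
		return out[:len(out)-pad], nil
	}
	return nil, errors.New("bad padding")
}
type ProtectedVolume struct{ Salt, EncPrivKey, WrappedVEK, Ciphertext []byte } // everything kept at rest
const kdfIter = 20000 // assumed PBKDF2 iteration count

// Protect builds the hierarchy for one volume: fresh RSA-2048 pair, fresh AES-256 volume key (VEK).
func Protect(passphrase, volumeData []byte) *ProtectedVolume {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	salt, vek := randBytes(16), randBytes(32)
	encPriv := aesCBCEncrypt(pbkdf2SHA256(passphrase, salt, kdfIter), x509.MarshalPKCS1PrivateKey(priv))
	wrappedVEK := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, vek, nil))
	return &ProtectedVolume{salt, encPriv, wrappedVEK, aesCBCEncrypt(vek, volumeData)}
}

// Recover walks the hierarchy back down: passphrase -> private key -> VEK -> volume data.
func Recover(passphrase []byte, pv *ProtectedVolume) ([]byte, error) {
	der, err := aesCBCDecrypt(pbkdf2SHA256(passphrase, pv.Salt, kdfIter), pv.EncPrivKey)
	if err != nil {
		return nil, err
	}
	priv, err := x509.ParsePKCS1PrivateKey(der) // DER parsing is what detects a wrong passphrase
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupt private key")
	}
	vek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pv.WrappedVEK, nil)
	if err != nil {
		return nil, err
	}
	return aesCBCDecrypt(vek, pv.Ciphertext)
}

// autostartKey: the stored passphrase is encrypted under a key derived only from system-specific data (assumed: hostname, machine ID), none of it secret.
func autostartKey(hostname, machineID string) []byte {
	k := sha256.Sum256([]byte(hostname + "\x00" + machineID))
	return k[:]
}
```

Protect and Recover are the normal-operation path: the passphrase is the only secret a user supplies, and a wrong one is detected when the decrypted private key fails to parse, since CBC itself cannot tell garbage from a key. An autostart file in this model is simply aesCBCEncrypt(autostartKey(hostname, machineID), passphrase); reading it back needs the same two non-secret values and nothing else, which is the CAUTION above stated in code: whoever can read the file and learn those values recovers the passphrase exactly as the boot process does.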