All modules
CMVP Validated Module · FIPS 140-3 Security Policy

CipherTrust Transparent Encryption Cryptographic Module

Certificate#4740StandardFIPS 140-3Level1TypeSoftware-hybridEmbodimentMulti-Chip Stand AloneStatusActiveVendorThales
Medium review priority  ·  no TCB surface named  ·  last validated 24 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware-hybrid
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/25/2029
CaveatWhen operated in approved mode
VendorThales

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for CipherTrust Transparent Encryption Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for CipherTrust Transparent Encryption Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

Thales CipherTrust Transparent Encryption Cryptographic Module

Page 2
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)7
Table 3: Tested Module Identification – Hybrid Disjoint Hardware7
Table 4: Tested Operational Environments - Software, Firmware, Hybrid8
Table 5: Modes List and Description8
Table 6: Approved Algorithms9
Table 7: Non-Approved, Not Allowed Algorithms9
Table 8: Security Function Implementations10
Table 9: Ports and Interfaces12
Table 10: Roles13
Table 11: Approved Services14
Table 12: Non-Approved Services15
Table 13: Storage Areas20
Table 14: SSP Input-Output Methods20
Table 15: SSP Zeroization Methods20
Table 16: SSP Table 120
Table 17: SSP Table 221
Table 18: Pre-Operational Self-Tests22
Table 19: Conditional Self-Tests22
Table 20: Pre-Operational Periodic Information23
Table 21: Conditional Periodic Information24
Table 22: Error States24
Figure 1: Block Diagram7
Figure 2: Cryptographic Hardware for Intel Processor18
Figure 3: Intel® Xeon® Gold 5318N as found in PowerEdge R750xs18
Figure 4: Cryptographic Hardware for IBM Processor18
Figure 5: IBM Power9 Processor as found in IBM Power9 Server18
Page 5
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the CipherTrust Transparent Encryption Cryptographic Module Version 3.0.1. This Security Policy describes the security services provided by the module and describes how the module meets the requirements of FIPS 140-3 (Federal Information Processing Standards 140-3) for an overall Security Level 1 implementation.

1.2 Security Levels
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 N/A
9 1
10 1
11 1
12 N/A

Table 1: Security Levels 002-000482-001, Rev M, July 18, 2024

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The CipherTrust Transparent Encryption Cryptographic Module is a component within the CipherTrust Transparent Encryption solution, which in turn is part of the CipherTrust Data Security Platform solution. This solution provides data protection and access control functionality and is intended to be used as part of the CipherTrust Transparent Encryption solution. The CipherTrust Transparent Encryption Cryptographic Module is a loadable kernel module for Windows, Linux and IBM AIX. It is also loadable in the user space for Linux. The module communicates with the SecFS, a secure layer that sits over the filesystem to secure files and directories and to enforce the access and encryption policy. The policy specifies the key to be used by the cryptographic module when writing data to or reading data from the disk. The CipherTrust Transparent Encryption Cryptographic Library provides the cryptographic algorithms used by the module. Module Type: Software-hybrid Module Embodiment: MultiChipStand Cryptographic Boundary: The CipherTrust Transparent Encryption Cryptographic Module includes the CipherTrust Transparent Encryption Cryptographic Library. Cryptographic keys are provided to the library by other modules or applications and are used within the library. The cryptographic boundary of the module is the software library and CPU as shown in Figure 1. The diagram shows plaintext and ciphertext for encryption and decryption operations, and the request and response for PBKDF requests. Tested Operational Environment’s Physical Perimeter (TOEPP): Figure 1 shows the location of the cryptographic module with respect to the TOEPP. The TOEPP includes the CipherTrust Transparent Encryption application. 002-000482-001, Rev M, July 18, 2024

Page 7

Other CipherTrust Transparent Encryption Software CipherTrust Transparent Encryption Cryptographic plaintext, key Module ciphertext ciphertext, key Crypto Library SecFS plaintext password, parameters key Operating System Legend Encryption Hardware Platform Decryption CPU Memory PBKDF Figure 1: Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

Tested Operational Environments - Software, Firmware, Hybrid: Operating System Hardware Processors PAA/PAI Hypervisor or Host OS Version(s) Platform Red Hat Enterprise PowerEdge Intel® Yes VMware ESXi 7.0 3.0.1 Linux 8.6 (Kernel Space) R750xs Xeon® Gold Update 3 5318N Red Hat Enterprise PowerEdge Intel® Yes VMware ESXi 7.0 3.0.1 Linux 8.6 (User Space) R750xs Xeon® Gold Update 3 5318N Windows Server 2019 PowerEdge Intel® Yes VMware ESXi 7.0 3.0.1 R750xs Xeon® Gold Update 3 5318N AIX 7.3 IBM Power9 IBM Power9 Yes 3.0.1 Server (900942A) Table 4: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module.

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved Mode The module is operating in the Approved From Service (is_fips=1) Approved mode Non-Approved The module is operating in the non- Non- From Service (is_fips=0 or no Mode Approved mode. Approved indicator) Table 5: Modes List and Description The module is acting in an approved mode of operation when the module provides the services described in the Approved Services table. These services use the security functions listed in the Approved Algorithm table in an approved manner. The security service indicator provides confirmation that an approved service has been provided. When a service listed in the Non-Approved Services table is used, the module is not acting in an approved mode of operation. 002-000482-001, Rev M, July 18, 2024

Page 9
2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A3609 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CBC-CS1 A3609 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 256 AES-XTS Testing A3609 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 256 HMAC-SHA2-256 A3609 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2-384 A3609 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 PBKDF A3609 Iteration Count - Iteration Count: 90000-120000 Increment SP 800-132 1000 Password Length - Password Length: 96-128 Increment 1 SHA2-256 A3609 - FIPS 180-4 SHA2-384 A3609 - FIPS 180-4 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. There are no vendor-affirmed algorithms in this module. Non-Approved, Allowed Algorithms: N/A for this module. There are no non-approved, allowed algorithms in this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. There are no non-approved, allowed algorithms with no security claimed in this module. Non-Approved, Not Allowed Algorithms: Name Use and Function Diffie-Hellman Key Used to create keys used to obfuscate the communications between the kernel and Agreement the user space. RSA Used for key wrapping as part of the key exchange protocol between the key manager and the CipherTrust Transparent Encryption agent. ARIA Used for data encryption. Encryption operations using ARIA do not provide the FIPS indicator in the return. Table 7: Non-Approved, Not Allowed Algorithms Non-approved algorithms are not used in an approved mode of operation. An approved mode of operation is used when using an approved service (listed in the Approved Services Table with an approved algorithm listed in the Approved Algorithms table). The return code ‘is_fips=1’ indicates that the cryptographic operation has been performed in an approved mode of operation. If the return code is absent, or is ‘is_fips=0’, the service was not performed in an approved mode of operation. 002-000482-001, Rev M, July 18, 2024

Page 10
2.6 Security Function Implementations

Name Type Description Properties Algorithms Encrypt/Decrypt 1 BC-UnAuth Encryption/ Decryption of data AES-CBC Key Length: 128 Encrypt/Decrypt 2 BC-UnAuth Encryption/ Decryption of data AES-CBC Key Length: 256 Encrypt/Decrypt 3 BC-UnAuth Encryption/ Decryption of data AES-CBC-CS1 Key Length: 128 Encrypt/Decrypt 4 BC-UnAuth Encryption/ Decryption of data AES-CBC-CS1 Key Length: 256 Encrypt/Decrypt 5 BC-UnAuth Encryption/ Decryption of data AES-XTS Testing Revision 2.0 Key Length: 256 Create MAC 1 MAC Creates an HMAC HMAC-SHA2-256 Key Length: 256 Create MAC 2 MAC Creates an HMAC HMAC-SHA2-384 Key Length: 384 Verify Software Integrity MAC Verifies an HMAC HMAC-SHA2-384 Key Length: 384 Create Hash 1 SHA Creates a hash SHA2-256 Hash size: 256 Create Hash 2 SHA Creates a hash SHA2-384 Hash size: 384 PBKDF PBKDF Derives a key PBKDF Table 8: Security Function Implementations

2.7 Algorithm Specific Information

PBKDF is implemented in accordance with SP 800-132, option 1a. The module includes only the functionality to receive the input to the PBKDF function (password, password length, salt, salt length, iterations, key length) and provide the output (key). The PBKDF function has been tested based on the minimum and maximums noted in the Approved Algorithms table. The minimum recommended password length is 96 bytes. This is consistent with a 96-character password. SP 800-132, Appendix A recommends a minimum password length of 10 characters. This range exceeds the recommendation. Assuming that the password is made up of upper-case letters, lower case letters and numeric characters, the probability of guessing a random 96-character password in a single attempt is one in 6296. The lower bound of 90,000 iterations is deemed sufficient since the derived key never leaves the CipherTrust Transparent Encryption Agent (the Agent). The derived key is used to protect configuration files and keys used by the Agent. Note that in accordance with SP800-132, keys derived from passwords using PBKDF may only be used in storage applications. Although usage of keys resulting from use of the PBKDF function is outside of the scope of this cryptographic module, it should be noted that the Agent in which these keys are used provides data-atrest encryption for storage applications.

2.8 RBG and Entropy

N/A for this module. This module does not include an entropy source.

2.9 Key Generation
Page 11
2.10 Key Establishment

This module does not provide key establishment functions in the approved mode of operation.

2.11 Industry Protocols

Not applicable. 002-000482-001, Rev M, July 18, 2024

Page 12
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input Application Programming Interface (API) entry point data input stack parameters N/A Data Output API entry point data output stack parameters N/A Control Input API entry point and corresponding stack parameters N/A Control Output API entry point return values and stack parameters N/A Status Output API entry point return values and status stack parameters Table 9: Ports and Interfaces 002-000482-001, Rev M, July 18, 2024

Page 13
4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role Crypto Officer None Table 10: Roles The Crypto Officer role is implicitly assumed by the entity that can access the interfaces to the cryptographic module. This entity accesses the module exclusively via API calls. Each process or thread accessing the module is logically separated by the operating system into independent contexts of execution.

4.3 Approved Services

Name Description Indicator Inputs Outputs Security SSP Functions Access Encrypt Service to is_fips=1

Page 14

Name Description Indicator Inputs Outputs Security SSP Functions Access the module

Page 15
4.4 Non-Approved Services

Name Description Algorithms Role DH Key Agreement Used to create a key, which is then provided to Diffie-Hellman Key Crypto SecFS for use outside of the module. Agreement Officer RSA Key Wrap Used to encrypt a provided key and pass the RSA Crypto result to SecFS. Officer Non-Approved Used to encrypt supplied data. ARIA Crypto Encrypt Data Officer Non-Approved Used to decrypt supplied data. ARIA Crypto Decrypt Data Officer Table 12: Non-Approved Services

4.5 External Software/Firmware Loaded

Not applicable. 002-000482-001, Rev M, July 18, 2024

Page 16
5 Software/Firmware Security
5.1 Integrity Techniques

The module checks the integrity of its object code when it is initialized. The module performs an HMAC-SHA2-

384 of itself when it is loaded into the kernel or user space. Following the HMAC Known Answer Test (KAT), this

HMAC value is compared to the HMAC-SHA2-384 digest generated during build time. If the results are not the same, an error message is written to the output interface, and the module ceases operation. The HMAC key used for this function is embedded in the module in plaintext. At the completion of this test, temporary values are zeroized.

5.2 Initiate on Demand

Restarting the CipherTrust Transparent Encryption Agent will cause the integrity check to be rerun. 002-000482-001, Rev M, July 18, 2024

Page 17
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The CipherTrust Transparent Encryption Cryptographic Module exists as software executing in a commercially available operating system. The operating system (Windows, Linux or AIX) provides process isolation and CPU scheduling to ensure that programs do not interfere with each other. This ensures that the cryptographic module has control over its own SSPs while the cryptographic process is in use. Within the cryptographic module, each binary is launched into the address space of a process. Each instance of the module is run strictly inside the process space of the module. All processes spawned by the cryptographic module are owned by the module. The single operator for a given instance of the module is the combined identities associated with the processes containing the module. The operating system and hardware enforce the process isolation including memory isolation, where keys and intermediate key data are temporarily stored. When running in User Space, the writable memory areas of the module are accessible only to the module. Data and stack segments are accessible only to the processes containing the module. When running in Kernel space, access is restricted to only kernel modules. It is the user’s responsibility to allow only trusted modules to be loaded into the kernel. The operating system is responsible for multitasking operations so that other processes cannot access the address space of the processes containing the module. The module does not require a specific configuration of the target operating systems to enforce the controls described above. 002-000482-001, Rev M, July 18, 2024

Page 18
7 Physical Security

The module is a software-hybrid module that operates on a multi-chip standalone platform, which conforms to the level 1 requirements for physical security. Figure 2: Cryptographic Hardware for Intel Processor Figure 3: Intel® Xeon® Gold 5318N as found in PowerEdge R750xs Figure 4: Cryptographic Hardware for IBM Processor Figure 5: IBM Power9 Processor as found in IBM Power9 Server 002-000482-001, Rev M, July 18, 2024

Page 19
8 Non-Invasive Security

Not applicable. The module does not claim Non-Invasive Security. 002-000482-001, Rev M, July 18, 2024

Page 20
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name Memory Working memory used by the module Dynamic Table 13: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm Key SecFS CipherTrust Plaintext Automated Electronic Import Transparent Encryption Cryptographic Module Key CipherTrust SecFS Plaintext Automated Electronic Export Transparent Encryption Cryptographic Module Table 14: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Key Keys are Keys are not stored by the module. N/A. Keys are zeroized at the Destroy overwritten with They are zeroized at the end of each end of each cryptographic zeros. cryptographic operation. operation. Table 15: SSP Zeroization Methods

9.4 SSPs

Name Description Size - Strength Type - Generated Established Used Category By By By HMAC Key Key used with MAC 256 bit, 384 bit - HMAC Key Generate. 256 bit, 384 bit - CSP Data AES key used for 128, 256 bit Symmetric Encryption Encrypt Data and AES-CBC Key - CSP Key Decrypt Data services. 256 bit AES-XTS 128, 256 bit AES-CBC-CS1 - 128, 256 bit Derived Used outside of the 384 bit - 384 bit Symmetric PBKDF Key module to encrypt Key - CSP configuration and other information used by a storage application. Table 16: SSP Table 1 002-000482-001, Rev M, July 18, 2024

Page 21

Name Input - Storage Storage Duration Zeroization Related Output SSPs HMAC Key Key Memory:Plaintext Until the end of the Key Import cryptographic operation. Destroy Data Encryption Key Memory:Plaintext Until the end of the Key Key Import cryptographic operation. Destroy Derived Key Key Key Export Destroy Table 17: SSP Table 2

9.5 Additional Information

Keys are obtained from an external FIPS-validated module. No entropy input is claimed for the CipherTrust Transparent Encryption Cryptographic Module. 002-000482-001, Rev M, July 18, 2024

Page 22
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Test Type Indicator Details Test Properties Method HMAC-SHA2-384 Key length: Integrity SW/FW Logged: Keyed (A3609) 384 bits Test Integrity "FIPS <testname> Test failed” Hash or “FIPS Tests passed” Table 18: Pre-Operational Self-Tests The module performs a pre-operational self-test to verify the integrity of the software. On power-up, the module runs the conditional self-tests (including the KAT for HMAC-SHA2-384) and then runs the HMAC-SHA2-384 integrity test. Data input/output and any data processing are inhibited while the test is in progress. When all of the preoperational tests have run to completion, one or more messages are written to the log. If all tests pass, a single “FIPS Tests passed” message is written to the log. When all tests pass, the module is capable of being operated in an approved mode of operation.

10.2 Conditional Self-Tests

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type AES-CBC Key Length: KAT CAST Logged: "FIPS Encrypt, Power-up (A3609) 128 bits <testname> Test failed” Decrypt or “FIPS Tests passed” AES-CBC Key Length: KAT CAST Logged: "FIPS Encrypt, Power-up (A3609) 256 bits <testname> Test failed” Decrypt or “FIPS Tests passed” AES-CBC-CS1 Key Length: KAT CAST Logged: "FIPS Encrypt, Power-up (A3609) 128 bits <testname> Test failed” Decrypt or “FIPS Tests passed” AES-XTS Testing Key Length: KAT CAST Logged: "FIPS Encrypt, Power-up Revision 2.0 256 bits <testname> Test failed” Decrypt (A3609) or “FIPS Tests passed” HMAC-SHA2-256 Key length: KAT CAST Logged: "FIPS Keyed Power-up (A3609) 256 bits <testname> Test failed” Hash or “FIPS Tests passed” HMAC-SHA2-384 Key length: KAT CAST Logged: "FIPS Keyed Power-up (A3609) 384 bits <testname> Test failed” Hash or “FIPS Tests passed” PBKDF (A3609) Key length: KAT CAST Logged: "FIPS Key Power-up

384 bits <testname> Test failed” Derivation

or “FIPS Tests passed” SHA2-256 Hash length: KAT CAST Logged: "FIPS Hash Power-up (A3609) 256 bits <testname> Test failed” or “FIPS Tests passed” SHA2-384 Hash length: KAT CAST Logged: "FIPS Hash Power-up (A3609) 384 bits <testname> Test failed” or “FIPS Tests passed” Table 19: Conditional Self-Tests 002-000482-001, Rev M, July 18, 2024

Page 23

The module performs conditional self-tests to confirm the proper operation of the cryptographic functions used in the software. These are run at power-up and may be run on demand by restarting the module. The Known Answer Tests (KATs) perform a byte-by-byte comparison of the result with a known answer, and abort on the first mismatch. Keys are destroyed upon completion of the KAT. Data input/output and any data processing are inhibited while the tests are in progress. If any test fails, an error status message is sent to the log and the module ceases operation. When all of the known answer tests and the pre-operational test have run to completion, one or more messages are written to the log. In the case of a failed test, the log will indicate which test failed with a “FIPS <testname> Test failed” message. If all tests pass, a single “FIPS Tests passed” message is written to the log. When all the conditional tests and the software integrity test pass, the module is capable of being operated in an approved mode of operation.

10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-384 Integrity Test SW/FW Integrity Defined by Crypto The software (A3609) Officer integrity test may be run manually (on demand) by restarting the module. Table 20: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A3609) KAT CAST Defined by Crypto The known answer Officer tests may be run manually (on demand) by restarting the module. AES-CBC (A3609) KAT CAST Defined by Crypto The known answer Officer tests may be run manually (on demand) by restarting the module. AES-CBC-CS1 KAT CAST Defined by Crypto The known answer (A3609) Officer tests may be run manually (on demand) by restarting the module. AES-XTS Testing KAT CAST Defined by Crypto The known answer Revision 2.0 Officer tests may be run (A3609) manually (on demand) by restarting the module. HMAC-SHA2-256 KAT CAST Defined by Crypto The known answer (A3609) Officer tests may be run manually (on 002-000482-001, Rev M, July 18, 2024

Page 24

Algorithm or Test Test Method Test Type Period Periodic Method demand) by restarting the module. HMAC-SHA2-384 KAT CAST Defined by Crypto The known answer (A3609) Officer tests may be run manually (on demand) by restarting the module. PBKDF (A3609) KAT CAST Defined by Crypto The known answer Officer tests may be run manually (on demand) by restarting the module. SHA2-256 (A3609) KAT CAST Defined by Crypto The known answer Officer tests may be run manually (on demand) by restarting the module. SHA2-384 (A3609) KAT CAST Defined by Crypto The known answer Officer tests may be run manually (on demand) by restarting the module. Table 21: Conditional Periodic Information The self-tests may be run on demand by restarting the module.

10.4 Error States

Name Description Conditions Recovery Indicator Method Error FIPS Algorithm Known Module enters the error state on Reinstallation of Error message is Answer Test/Integrity test condition that a self-test failure module written to the log. failed. has occurred. Table 22: Error States Operation of the module will cease if there is a failure of a KAT. An operator may confirm success or failure of the KATs by viewing the syslog messages and examining the ‘FIPS Tests passed’ or ‘FIPS <testname> Test failed’ message. The log files are found:

Page 25
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is started by starting the CipherTrust Transparent Encryption Agent software. A call can be made to the "const char *vds_crypto_version(void);" API. The return string is the version of the cryptographic module software.

11.2 Administrator Guidance

Installation of the CTE Agent software is performed in accordance with the appropriate guidance:

11.3 Non-Administrator Guidance

In addition to the direct guidance provided in this security policy, CipherTrust Transparent Encryption user guidance is available in an online manual, which can be accessed at www.thalesdocs.com.

11.4 End of Life

The cryptographic module does not provide persistent storage of SSPs. SSPs are held in volatile memory and are zeroized following provision of the requested cryptographic service. It is recommended that the CTE agent application be uninstalled at the end of life of the module. This will result in the uninstallation of the cryptographic module and erasure of the HMAC Key used with the software integrity check. 002-000482-001, Rev M, July 18, 2024

Page 26
12 Mitigation of Other Attacks

Not applicable. The module does not claim Mitigation of Other Attacks. 002-000482-001, Rev M, July 18, 2024