CKM_AES_CBC
Firmware 7.7.0 and Newer Summary
| FIPS approved? | Yes | 
| Supported functions | Encrypt, Decrypt, Wrap, Unwrap | 
| Functions restricted from FIPS use | Cannot wrap | 
| Minimum key length (bits) | 128 | 
| Minimum key length for FIPS use (bits) | 128 | 
| Minimum legacy key length for FIPS use (bits) | N/A | 
| Maximum key length (bits) | 256 | 
| Block size (bytes) | 16 | 
| Digest size | 0 | 
| Key types | AES | 
| Algorithms | AES | 
| Modes | CBC | 
| Flags | Extractable | 
NOTE: To comply with FIPS SP800-131a Rev2, published in March 2019, this mechanism is not allowed to wrap objects when the HSM is in FIPS mode.
Firmware 7.4.2 and Older Summary
| FIPS approved? | Yes | 
| Supported functions | Encrypt, Decrypt, Wrap, Unwrap | 
| Functions restricted from FIPS use | None | 
| Minimum key length (bits) | 128 | 
| Minimum key length for FIPS use (bits) | 128 | 
| Minimum legacy key length for FIPS use (bits) | N/A | 
| Maximum key length (bits) | 256 | 
| Block size (bytes) | 16 | 
| Digest size | 0 | 
| Key types | AES | 
| Algorithms | AES | 
| Modes | CBC | 
| Flags | Extractable | 
TIP: The CKM_AES_CBC mechanism can wrap/unwrap other symmetric keys.
Wrap/unwrap of asymmetric keys (RSA, ECC, etc.) is supported only by mechanisms that can process input of any byte length: CBC_PAD, GCM, or KWP. Of those three, only KWP is permitted in FIPS mode.