Please Note:

Release Notes

Product Description

CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.

Product Abbreviations

Name	Abbreviation
CipherTrust Batch Data Transformation	BDT
CipherTrust Manager	CM
CipherTrust Application Data Protection	CADP
CipherTrust Application Key Management	CAKM
CipherTrust Cloud Key Manager	CCKM
CipherTrust Data Protection Gateway	DPG
CipherTrust RESTful Data Protection	CRDP
CipherTrust Database Protection (formerly known as ProtectDB)	CDP
CipherTrust Live Data Transformation	LDT
CipherTrust Transparent Encryption	CTE
CipherTrust Transparent Encryption for Kubernetes	CTE-K8s
CipherTrust Transparent Encryption for Ransomware	RWP
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE)	CTE UserSpace
CipherTrust Intelligent Protection	CIP
CipherTrust Data Discovery and Classification	DDC
CipherTrust Vaulted Tokenization	CT-V
CipherTrust Vaultless Tokenization	CT-VL
Data Protection on Demand	DPoD

Release Description

This release is available on the Customer Support Portal in the following formats:

An upgrade file for physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
Note
You can upgrade the Trusted Cyber Technologies (TCT) CipherTrust Manager k570 model to 2.14.1 or 2.14.2, not 2.14.0. There is an advisory for this model which impacts upgrade to 2.14.0. The Thales CipherTrust Manager k570 has no such advisory.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.

In addition, 2.14.0 Virtual CipherTrust Manager will be available on the following public clouds, as the Community Edition:

Amazon Web Services: SafeNet Cloud Provisioning System
Google Cloud
Note
As 2.14.x is not the default version, you must use the gcloud CLI to retrieve it.

Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
Oracle Cloud
IBM Cloud
- An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
- A QCOW2 image file for deploying a new Virtual CipherTrust Manager IBM Cloud Virtual Private Cloud Gen2.

2.14.0 contains a number of new features and enhancements. Refer to Release 2.14.0 for details. For the list of known issues, refer to Known Issues.

Features and Enhancements

Release 2.14.2

The 2.14.2 release includes a bug fix listed in the resolved issues list. This release also includes an internal client upgrade to maintain compatibility with the Thales Data Protection On Demand (DPoD) Luna Cloud HSM Service root-of-trust integration past January 28, 2025. Details on the Luna Cloud HSM compatibility change are available in knowledge base article KB0028422. The CipherTrust Manager change is tracked internally under reference number KY-85442.

This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.14.1, 2.14.0, 2.13.x, 2.12.x, 2.11.0, 2.11.1, and 2.11.2.

This release does not address all security vulnerabilities discovered after the release of 2.14.0 minor version. To obtain current security fixes, upgrade to the latest feature release.

Release 2.14.1

The 2.14.1 includes some stability fixes listed in the resolved issues list. This release is available as a new virtual instance, or as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.14.0, 2.13.x, 2.12.x, 2.11.0, 2.11.1, and 2.11.2.

Release 2.14.0

Platform

Support added to configure a list of IPs (cluster allowlist) to connect to the Cluster port.
Added quorum for the UpdateQuorumProfile operation, that leads to the quorum's approval process to modify the quorum policies including a number of voters change.
Added capability to create policies to manage authentication based on the Client IP.
Upgraded the major versions of PostgreSQL and minor versions of BDR as regular maintenance and upgrade of critical system components. Click here for more details.
Support added in ECC Algorithm for Curve25519.
Enhancements to the UI web console:
- Added a notification when the same user is logged into multiple sessions.
- Enhanced the Policies page for better readability.
Additional information is added to quorums meta. For example, resource name or ID for every operation.

Limitations

Policies created to manage authentication based on the Client IP parameter don't apply to the requests coming to the NAE and KMIP interfaces with "anonymous login" mode enabled. For details, refer to Client IP.
If a domain has more than 1000 cryptographic objects (keys and opaque objects), to fetch keys, it is recommended to use KeyNamesRequest instead of KeyQueryRequest. The response time of KeyQueryRequest is proportional to the number of keys on the CipherTrust Manager, therefore, it may lead to a timeout exception on the client side.
Currently, the log forwarders are not configured to use the system's proxy configuration. If proxy is configured, the log forwarders bypass the proxy servers.
Domain backup containing users and groups can not be restored to the different domains on the same CipherTrust Manager instance. Such domain backup can only be restored to a different CipherTrust Manager instances.
During client renewal, if another client (which has Auth mode set to DN) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and different subject DN.
However, for local CAs, it is not required to delete the client to be renewed, rather set the do_not_modify_subject_dn field to false. Refer to Renewing Local CA Clients for details.

Application Data Protection

Added support to register CipherTrust RESTful Data Protection (CRDP) connector in Application Data Protection tile. Refer to Defining Applications for details.
Support added to create static and dynamic masking formats. Static format creates masking format for the protect operation. Dynamic format creates masking format for the reveal operation. Click here to know more.
Added support of data-centric policies. It is now mandatory to configure access policy while creating protection policy. Follow the link for more information.
Support added to auto-renew client certificate for DPG and CRDP. More information can be found here.
Added licensing enforcement for CRDP.

CCKM

Released support for Oracle Cloud Infrastructure External Key Management Service (OCI EKMS or HYOK) to manage external vaults and external keys for general availability.
Automatic Cloud Key Discovery
- Google Cloud: Automatic detection and addition of GCP key rings to CCKM.
  - CCKM detects all the GCP projects in organizations that contain GCP key rings (across regions).
  - Adds the detected GCP key rings and applies the specified ACLs to CCKM automatically.
  - Automatic scheduling of GCP key ring addition continuously or periodically.
- Azure: Automatic detection and addition of Azure key vaults to CCKM.
  - CCKM detects all the Azure subscriptions that contain Azure vaults.
  - Adds the detected Azure key vaults and applies the specified ACLs to CCKM automatically.
  - Automatic scheduling of Azure key vault addition continuously or periodically.
In CCKM, you now have the option to assign an available credential rotation schedule when creating an AWS External Custom Key Store in a Linked state. From the new Add Credential Rotation Schedule page and drop-down menu, you can select a credential rotation schedule to assign to this key store.
You now have the option to enable or disable TLS client-side certificate verification or mutual TLS where the CipherTrust Manager authenticates the AWS KMS client.
CCKM audit events logged for AWS External Key Store (XKS) now include the ID of the Luna key and CipherTrust Manager key used.
CCKM logs for Google Cloud External Key Manager (EKM) now includes the Cloud EKM service name (cmek_service_name) and project ID associated with wrap and unwrap requests.
Ability to create policy templates that are not linked to an AWS account.
Ability to export and download the filtered key and KMS container metadata for AWS, Google, and Azure clouds using the GUI.
Google Workspace CSE: Removed the upgrader role from the wrap API (per the Google spec 0.9.3).

CTE and CTE UserSpace

Information in this section applies to all types of CTE and CTE UserSpace Agents unless stated specifically.

CA certificate renewal notification: Added capability to notify the CTE Agents of changes in the client certificate and the web interface certificate. If the CA that signed the client certificate or the web interface certificate is modified, the CTE client is notified about this change. The CTE client can now generate or install a new certificate and update the truststore for uninterrupted connections.
This feature is applicable to the CipherTrust Manager 2.14, CTE 7.5, CTE UserSpace 10.2, and their higher versions. Refer to Certificate Renewal for details.
Added capability to clean stale client entries that were added during registration but are no longer associated with the CTE clients due to any failure in enrollment. The CLI command ksctl cte clients bulk-delete and the API /v1/transparent-encryption/clients/delete are updated for this capability.
GUI enhancements:
- Added the Learn Mode column for Client Policies.
- Protection Mode for non-Windows CTE clients and unregistered clients is set as CTE.

CTE Specific

Added support for Multifactor Authentication (MFA) to the MFA-capable CTE for Linux clients. This support will be available from CTE 7.6 onward.
Added capability to create unique to client keys when adding a key rule during a policy creation.
AIX clients: Added capability to update security configuration parameters after CTE client registration. This capability is applicable to CTE for AIX clients that support new parameters. Every parameter has the fixed set of values. Refer to the CTE Agent documentation for compatible versions and dynamic parameters.
Deprecated support: Support for CTE clients with the Efficient Storage GuardPoints (ESG) capability is deprecated from CipherTrust Manager 2.14 onward. Already existing ESG GuardPoints will continue to work. New ESG GuardPoints cannot be created.

Note

CTE resources of Container policies on the DSM cannot be migrated to the CipherTrust Manager using the backup/restore method. The Container policies are supported only on the DSM.

Notes on CTE UserSpace

CTE UserSpace is a kernel-independent file encryption product. The resources of CTE UserSpace clients running 10.0 and higher Agent versions are managed by the Transparent Encryption application on the CipherTrust Manager. These clients can't be managed by the ProtectFile & Transparent Encryption UserSpace application.

This release adds support for the FREEBSD operating system.

This release does not support the following features:

Kernel Compatibility Matrix
Agent and System locks
CBC and XTS keys
COS, ESG, IDT, and LDT policies and GuardPoints

Note

To manage the clients running the previous versions of the CTE UserSpace Agent, use the ProtectFile & Transparent Encryption UserSpace application only. Alternatively, upgrade those clients to CTE UserSpace 10.0 or a higher version.

DDC

UI Improvements and Changes

The "Executed vs Not Executed" pie chart in the scans main page was replaced with a pie chart containing the following information:
- Number of scans executed more than 1 year ago
- Number of scans executed more than 6 months ago
- Number of scans executed more than 3 months ago
- Number of scans executed more than 1 month ago
- Number of scans executed within the last 30 days
Additional details are provided in the scan list page, namely the list of data stores associated with the specific scan.
In the scan list page, previously when a scan was running, the progress bar was green and the icon was yellow. The bar is now yellow for a "running scan" and grey for a "paused scan".
The vertical scroll was removed from the scan wizard.
The user will not be able to expand or contract the Description field while creating data stores, scans or reports.

Resolved Issues

This table lists the issues resolved in 2.14.2.

Issue	Synopsis
KY-78293	If you run a cluster set up for about 30 days, the host-daemon service stops responding due to a file descriptor leak. This means that operations that access the CipherTrust Manager at the host system level fail. Some examples are restarting, retrieving system information, or kscfg commands. Error messages from `host-daemon` are visible in /var/log/hostd.log.

This table lists the issues resolved in 2.14.1.

Issue	Synopsis
KY-73883	Upgrade to 2.14 fails for Trusted Cyber Technologies (TCT) CipherTrust Manager k570 with Luna PCIe Root of Trust Hardware Security Module. See the advisory note for more details. Resolution: You can now upgrade this model to 2.14.1 instead of 2.14.0.
KY-74128, KY-74556	If the LDAP connection property `User's distinguished name (user_dn_field)` is set to `distinguishedName` for LDAP Group Mapping, when the user or client authenticates, it loses all permissions in fewer than 5 minutes.
KY-66306	When Google Drive is configured to use a language other than English (for example, Portuguese), scans specifying both 'My Drive' or 'Meu Drive ' will result in a failed/incomplete scan.

This table lists the issues resolved in 2.14.0.

Issue	Synopsis
KY-75787	When new configurations are done on a CipherTrust Manager's cluster node not reachable by the clients, the clients don't receive new configurations from the reachable nodes of the cluster.
KY-71979	The Admin Settings > System Properties is erroneously displayed when you are logged into a child domain on the CipherTrust Manager GUI. If you attempt to edit any field, the operation fails with the error "Insufficient Permissions".
KY-71050	If a local user is created with a different username and full name, the user cannot change its own password.
KY-66545	Luna HSM: On first time refreshing a Luna HSM partition after updating the Luna HSM connection from non-HA to HA enabled, the `ha_enabled` flag is set to `false`.
KY-62550, KY-58948	High memory and CPU consumption can lead to CipherTrust Manager declining user and client application requests.
KY-70018	When attempting to update an external Custom Key Store that is a local, linked, and connected store to enable success audit events using the Enable success audit events toggle and/or to enable Mutual TLS using the Enable Mutual TLS toggle, the update is not successful and an error message displays.
KY-69999	You cannot add URLs with a wildcard asterisk character `*` to the proxy exemption list.
KY-66135	If you add an NTP server more than 1024 times and then restart all services, multiple services fail to restart. The server audit records contain a message `Following services have stopped after starting:` followed by a list of services.
KY-62702	Server audit records include messages about the Akeyless SSO token when the Akeyless console is not open or in use.
KY-61402	The `emptyMaterial` parameter is set to `false` for a destroyed key. As the key material is deleted, `emptyMaterial` should be set to `true`.
KY-65935	If domains are deleted without deleting the linked `protectapp` profiles, the NAE service will not restart after the upgrade.
KY-68418	The custom attribute value of the keys migrated from DSM to CM can not be modified.
KY-66324	The misleading error message appears when a user authenticates with a valid password and the user cache is expired.
KY-66851	When you try to add a user to a group, a quorum error message is displayed even if the `AddUserToGroup` quorum is deactivated. Instead of the quorum error, an actual permission error should be displayed.
KY-65796	If you attempt to create a duplicate Application Data Protection client profile with the same name as an existing client profile, the operation appears to fail with the error `NCERRConflict: failed due to a conflict with the current state of the target resource.` However, the client profile is created and visible on the Access Management > Client Profiles page. You cannot select the duplicate when creating a new registration token.
KY-64955	Azure: If a vault (say `vault-1`) is first added and synchronized in the CipherTrust Manager in a domain (say `domain-1`), and later added to another domain, the associated `key_vault_id` is changed for keys in `domain1`, leaving keys in `domain-1` unuseable. Now, if `vault-1` in `domain-1` is refreshed, all the keys (except those marked as DELETED) are again useable. Note that, even after the refresh, the users cannot perform any operations on the keys marked as DELETED in `domain-1`.
KY-64797, KY-64804	If the names of Access policy and Protection policy exceed 256 characters, an error is returned.
KY-59377	When you create a new password policy without providing the `failed_logins_lockout_thresholds` value, the internal server error occurs.
KY-70088	Partial domain restore fails when users have a `global` password policy applied.
KY-65543	When the external CM is in a cluster and the client is registered in a non-root domain of the CM, the test connection will fail. This happens because the client cannot fetch the cluster information from the root domain.
KY-65539	If the client registration fails when registering the client using the certificate, then an invalid entry may be displayed in the response.
KY-67568	AWS GUI: Incorrect policy behavior on switching the policy method from "Create New Policy" to "Select Saved Policy", and finally reverting to "Create New Policy". The values previously selected for the "Create New Policy" method remain selected. Either the values should be cleared or taken as input for the replica. A similar issue is observed with the Link Key operation.
KY-67554	After you upgrade a Virtual CipherTrust Manager to 2.13.0, the Key Manager Lock Code changes, invalidating the current Virtual CipherTrust Manager license and putting the instance into Community Edition mode. Resolution: 2.14 no longer changes the Key Manager Lock Code on upgrade. If you are at a version below 2.13.0, upgrade to 2.13.1 or 2.14 instead. If you are at 2.13.0, contact customer support to have a new license issued, apply the license, and then upgrade to 2.14.
KY-67550	GUI: The Features tab of the Licensing page shows active licenses as Expired.
KY-67506	If you attempt to resize a Virtual CipherTrust Manager disk on Google Cloud Platform with cloud-init, the Virtual CipherTrust Manager image fails to launch.
KY-67474	GCP GUI: Unable to add a key version using CipherTrust (External) from the details page of the key.
KY-67193	CipherTrust Manager allows changing the key rules on active GuardPoints.
KY-65764	If you attempt to create a duplicate KMIP client profile with the same name as an existing client profile, the operation appears to fail with the error `NCERRConflict: failed due to a conflict with the current state of the target resource.` However, the client profile is created and visible on the Access Management > Client Profiles page. You cannot select the duplicate when creating a new registration token.
KY-65575	CipherTrust Manager as an external key source shows incorrect status in the audit records. Also, the CipherTrust Manager does not show a detailed message if a CCKM User does not have the refresh and create key ACLs.
KY-65520	CCKM: System might appear slow when the cloud event logs are more than 10 million.
KY-65503	CCKM: User cannot see cryptospace endpoints after giving view permission to the user in Google project ACLs.
KY-64780	SAP Cloud: CLI does not list the disabled keys.
KY-64593	If you create a Loki log forwarder connection with TLS configuration in connection manager and use the test connection function, the test fails with the error `400 Bad Request`.
KY-64482	AWS KMS: Removing assume role and external ID values does not remove the values from the AWS KMS.
KY-62235	CTE GUI: On selecting group membership, the Select Groups field lists only 300 groups.
KY-62196	CTE LDT policies which have "allow browsing" checked for the first secure rule, which is a legacy configuration from DSM version 5.x, are not migrated to CM correctly. The migration fails with the error `[NCERRBadRequest: Bad HTTP request]: Invalid Params supplied. With LDT policy, first security-rule must be created with action as key_op, effect as applykey,permit, browsing(partial_match) as disabled and without any UserSet/ProcessSet/ResourceSet present`.
KY-61292	In a configuration with multiple Luna Network HSMs acting as root-of-trust in high availability mode, when the HSM in use becomes unavailable, the CipherTrust Manager occasionally does not failover to the remaining HSMs, and CipherTrust Manager becomes unavailable.
KY-61056	After first restart/reboot of CipherTrust Manager for cluster certificate renewal, cluster nodes statuses still display as down.
KY-60595	If you attempt to create a domain with an existing name, the domain creation fails as expected. However, you can no longer delete the user specified as the domain administrator.
KY-59906	AWS GUI: When updating the region of a KMS created with AssumeRole, the GUI displays all the available regions. They should be separated according to the assumed role.
KY-65964	OCI HYOK GUI: While creating an HYOK key, the incorrect policy cannot be edited.
KY-59819	Occasionally when a second nShield Connect HSM is added as root of trust, the error `[NCERRInvalidParamValue]: Failed to add member` displays.
KY-59705	UI always shows server/client records disabled and logs ReadProperties authorization error for users in the `Audit Admins` group.
KY-58939	Displayed Domain Level Usage for KMIP Clients on Licensing page shows total client usage for all domains instead of just the current domain.
KY-57097	Users in the `Read-Only Admin`s group are not able to download files for debug logs, web activity logs, NAE activity logs, or KMIP activity logs.
KY-55676	Azure GUI: On the certificate details page, the X.509 SHA-1 Thumbprint is displayed as base64 encoded.
KY-49082	If you set a CipherTrust Manager to use a non-default port for the web interface, other than 443, you cannot join the CipherTrust Manager to a cluster. The join operation hangs and never completes.
KY-47374	If you migrate a non-exportable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "exportable".
KY-39123	SAP Data Custodian: When a SAP group is added again, then performing any enable, disable, update, and add new version operation on a key in the group returns the "500 Internal Server Error".

Advisory Notes

This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.

Upgrade Trusted Cyber Technologies (TCT) CipherTrust Manager k570 with Luna PCIe Root of Trust Hardware Security Module to 2.14.1 Directly

There is a known issue with upgrading when using the TCT Luna PCIe HSM internal to a TCT CipherTrust Manager k570 in 2.14.0. We strongly recommend upgrading directly to 2.14.1 if using the TCT Luna PCIe HSM as the CipherTrust Manager root of trust.

There is no issue with upgrading the Thales CipherTrust Manager k570 to 2.14.0. If you are unsure which k570 model you have, we recommend skipping 2.14.0 and upgrading directly to 2.14.1.

Note

If you must upgrade to 2.14.0, first confirm which k570 model you have. You can check the front bezel label, view the order summary, or examine the terminal response for the initial LunaCM command.

For example, login as ksadmin, and run the /usr/safenet/lunaclient/bin/lunacm command. The displayed Model is Luna K7 for the Thales CipherTrust Manager k570 or Luna T7 for the TCT CipherTrust Manager k570. It is safe to upgrade k570 models displaying Luna K7 to 2.14.0. It is strongly not recommended to upgrade k570 models displaying Luna T7 to 2.14.0.

Increased Disk Space and Cluster Node Downtime Required for Upgrade to 2.14

Due to a major internal database upgrade, CipherTrust Manager upgrade requires more free disk space and cluster node downtime.

You require 35 GB of free disk space to exercise the upgrade.
In-place online cluster upgrade requires additional downtime for cluster nodes. An individual cluster node might be unavailable for 10 minutes or more.
During upgrade, the message NOTICE: skipped replication for captured CCL command "LOCK TABLE in replication sets (kylo) is displayed multiple times. This is an expected part of backend database configuration and does not indicate a problem.

Required System Volume Disk Size for Virtual CipherTrust Manager

If you have deployed at a Virtual CipherTrust Manager with the previous evaluation disk size of 50 GB, you need to increase the system volume disk space to exercise the upgrade. We recommend at minimum 100 GB.

NextGen KeySecure and ProtectFile End-of-Support in 2023

NextGen KeySecure firmware and the ProtectFile connector will be End of Support in December 2023.

In most cases, you can upgrade from NextGen KeySecure to CipherTrust Manager directly. If you are running the legacy k450 or k460 hardware model, you must migrate data to the k470 or k570 model.

We strongly recommend migrating ProtectFile to CTE or CTE Userspace.

Quorum

Do not enable quorum on the ManagePolicyAttachment and DeletePolicy operations until all the CipherTrust Manager nodes in a cluster are upgraded to 2.10 or a higher version.

SMB Connection

The Host and Port fields must be specified together, or do not specify any of them. If Host and Portare not specified while creating an SMB connection, these fields cannot be added later.

Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests

When generating a new AES or DESede key CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.

We strongly recommend future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.

We recommend to use CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM or DESede CBC encryption request following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.

Caution

The IV value used for an encryption request is needed to decrypt the data later.

In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.

In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.

Some Key States Change After Upgrade

After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.

As you cannot upgrade directly from 2.4 to 2.14, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.

When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.
When a key has an NAE state of Restricted and Protect Stop Date is set in future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.
When a key has an NAE state of Active and Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.
When a key has an NAE state of Active and Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.
When a key has a state of Deactivated before upgrade, its state will be unchanged after upgrade. However, the allowed operations for the Deactivated state change for 2.5. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.

System Upgrade and Downgrade Supported Releases

System upgrades on a single unclustered device have been tested from releases 2.11.1, 2.11.2, 2.12.x, and 2.13.x. We have also tested upgrade from lower 2.14.x versions to higher 2.14.x patches.

Note

Upgrades from other versions have not been tested and may not work correctly. Upgrade from 2.11.3-2.11.6 to 2.14.x is not supported as these patches will be released after 2.14.x and contain bug fixes not present in 2.14. Upgrading from these patches to 2.14 can re-introduce bugs. If you are using one of these 2.11 patches, wait for future releases to obtain the new features introduced in 2.14.x.

An unclustered CipherTrust Manager can be downgraded to the previous minor version. For release-specific upgrade/downgrade information, refer to the release notes for your release.

Warning

As we cannot guarantee stability, we strongly recommend using downgraded systems for test environments only. Do not use a downgraded CipherTrust Manager in a production environment.

Refer to the System Upgrade page for instructions to perform an upgrade or downgrade.

The cluster upgrade section provides instructions to perform an upgrade on a cluster of devices. Supported upgrade paths depend on the method used to upgrade the cluster.

Cluster remove/rebuild is supported from 2.11.1, 2.11.2, 2.12.x, and 2.13.x.
In-place cluster upgrade is performed from one minor version at a time, so there is no limit on starting version.

Restoring a backup from release 2.11.x or later is supported; however, restoring a newer backup to an older version is never supported.

Protect the ksadmin Private SSH Key

The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.

TLS/SSL Must be Enabled in a Production System

As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.

Key Usage Mask Selection

If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.

DDC

Clusters

Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (and return the impression that DDC fails randomly).

Licensing

Overlapping licenses are not supported (except for the trial license).

Upcoming End of Support for Platforms and Features

Linux 2.4 Node Agents
Email Targets - Microsoft Exchange (EWS)
Microsoft 365 - Exchange Online (EWS)
Web Browser - Internet Explorer

Compatibility

This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.

TLS Compatibility

This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

Interface	Minimum TLS version	Maximum TLS version	Default Minimum TLS version
Web UI	TLS 1.2	TLS 1.3	TLS 1.2
NAE	TLS 1.0	TLS 1.3	TLS 1.2
KMIP	TLS 1.0	TLS 1.3	TLS 1.2

Caution

TLS 1.0 and TLS 1.1 support will be discontinued in a future release.

By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:

TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
TLS_AES_128_GCM_SHA256 (TLSv1.3)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS Deprecation Notices

Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA

Client Platforms

The following client Platforms are supported by the CipherTrust Manager.

Caution

Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.

For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.

CipherTrust Application Data Protection

CADP for .NET Core: minimum version 8.11.0
CADP for C: minimum version 8.14.0
CADP for Java: minimum version 8.13.0

CipherTrust Application Key Management

CAKM for Oracle TDE: minimum version 8.10.0
CAKM for Microsoft SQL Server EKM: minimum version 8.5.0

CipherTrust Cloud Key Manager

Minimum version 1.6.3.20532

CipherTrust Database Protection

CDP for Oracle: minimum version 8.12.0
CDP for MSSQL: minimum version 8.12.0
CDP for DB2: minimum version 8.12.0
CDP pdbctl: minimum version 1.5.1
CipherTrust Teradata Protection: minimum version 6.4.0.12
Transformation Utility: minimum version 8.4.3

CipherTrust Transparent Encryption

Minimum version 7.0.0

CipherTrust Transparent Encryption UserSpace

Minimum version 10.0

CipherTrust Transparent Encryption for Kubernetes

Minimum version 1.0.0

CipherTrust Vaulted Tokenization

Minimum version 8.7.1

CipherTrust Batch Data Transformation

Minimum version 2.2.0.2816

CipherTrust Vaultless Tokenization

Minimum version 2.5.2.19

ProtectFile

Minimum version:

ProtectFile Windows 8.12.3
ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)

The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.

Data Discovery and Classification Agents

Linux minimum kernel version is 2.6.

There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.

Note

ODBC driver for Microsoft SQL: To connect to Microsoft SQL, DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. Thus, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.

TDP Version Compatibility

Data Discovery and Classification requires TDP 3.1.5.1 or newer.

If you have an existing TDP 3.1.5 cluster, you should apply the patch 3.1.5.1.
Following the TDP upgrade users are required to Configure TDP service HDFS again and also Configure TDP service Livy.

Known Issues

This section lists the issues known to exist in the product at the time of release.

CipherTrust Manager

Reference	Synopsis
KY-93937	Problem: If you configure an LDAP connection for CipherTrust Manager user management, and set up group maps in a child domain, group permissions are not applied when users are logged into the child domain.
KY-92312	Problem: If you attempt to configure an HSM root-of-trust on the CipherTrust Web UI, the UI sometimes displays a timeout error, but the HSM configuration succeeds. Workaround: Wait two minutes and refresh the page to see if the HSM configuration succeeded. If the HSM configuration fails, retry with the `ksctl hsm setup --timeout 120` CLI command.
KY-92080	Problem: If the client certificate is renewed before its expiration date, on the original expiration date, the client goes into the expired state, which breaks communication between the client and the CipherTrust Manager. Recommendation: Before the certificate expiration date, do either of the following: • Re-register the client with the CipherTrust Manager using the new client certificate. • Upgrade the CipherTrust Manager to 2.16.1 or higher. Workaround: After the client moves to the expired state, renew the client certificate as a client administrator. Refer to Renewing client certificates for details on renewing client certificates. For CTE-specific instructions, refer to Client Certificate Renewal.
KY-91730	Problem:If a network interface connection goes down on a node, the cluster status for that node displays as `ready` on other nodes, even though the node is unreachable.
KY-88925	Problem: If you add connections to multiple Luna Network HSM V1 partitions in HA mode in connection manager, CCKM Luna key source and HSM-anchored domains are not usable. Workaround: Use Luna Network HSM V0 partitions for HA groups formed through the connection manager. Delete existing connections to Luna Network HSM V1 partitions.
KY-84562	Problem: Deactivating the `CipherTrust Manager Full Trial` license does not deactivate individual trial licenses. Workaround: Reactivate the Full Trial license and re-attempt deactivation.
KY-84105	Problem: You cannot restore backups containing ProtectV objects. The restore operation fails with the error `schema "pvm" already exists` in the debug log. Workaround: Reset the CipherTrust Manager and retry the restore operation.
KY-78303	Problem: If you configure OIDC authentication for CipherTrust Manager users with an identity provider with a short `id_token` lifetime, users are logged out of their sessions frequently, every time the `id_token` expires. The error message `Wrong username or password` is displayed.
KY-71399	Problem: For SCP, if algorithms with `sha1` are disabled on the destination server, SCP doesn't work with the CipherTrust Manager
KY-80554, KY-81695	Problem: If a client certificate contains both OCSP and CRL URLs, the certificate revocation check (for NAE and KMIP clients) only considers the OCSP and never falls back to check the CRL even if the OCSP URL is inaccessible.
KY-83840	Problem: The `/v1/usermgmt/connections/{id}/users/` API returns all users instead of users associated with the specified connection.
KY-80453	Problem: If you are using Entrust nShield Connect HSM as a root of trust, remove the admin card from the HSM, and then attempt to reboot the CipherTrust Manager, the CipherTrust Manager does not reboot successfully. Workaround: None.
KY-73963	Problem: Listing latest version of the keys throw an internal server error when a key policy exists on the CipherTrust Manager. Workaround: • Either delete the key policy present on the CipherTrust Manager. OR • Don't list the latest version of keys using Latest Version Only check box on the CipherTrust Manager UI. • Don't list latest version of keys using the filter `version` as `-1` in the API/CLI.
KY-72032	Problem: RSA signing fails on the remote mode for CADP for JAVA when performing the EC encryption and RSA signing using the same connection.
KY-78305	Problem: During the cluster join operation, the joining node's cluster status is not displayed. Workaround: None. Wait for the join operation to complete to view the newly joined node's status. This operation can take up to a few hours depending on data and network latency.
KY-78293	Problem: If you run a cluster set up for about 30 days, the host-daemon service stops responding due to a file descriptor leak. This means that operations that access the CipherTrust Manager at the host system level fail. Some examples are restarting, retrieving system information, or kscfg commands. Error messages from `host-daemon` are visible in /var/log/hostd.log. Workaround: Restart the host-daemon service in an SSH session as ksadmin. Use the command `sudo systemctl restart host-daemon`.
KY-77181	Problem: Prometheus metrics with the `node_` prefix are not exported. An error `msg:fetching metrics for node_exporter:9100 failed with error: Get "http://node_exporter:9100/metrics` is present in the debug logs.
KY-75452	Problem: The auto-registered clients don't get auto-renewed after expiration. Workaround: • For manually registered clients, renew the clients. • For auto-registered clients, delete and re-register the clients.
KY-71490	Problem: If you create a key with six or more versions, and attempt to search for version 0 on the key's details page, there is no result. Workaround: Search for the key on the main Keys page.
KY-71188	Problem: Users in the Key Admins group are unable to create a new key version for a key owned by another user. Workaround: Create a custom policy for a group to be able to perform key rotations on all keys.
KY-67373	Problem: If two or more required user approvals are done within the interval of 1-2 seconds, and after the total required approvals the operation gets executed, the quorum still appears in the approved state instead of the executed state.
KY-71113	Problem: The upgrade fails intermittently because the NAE service fails to start. Workaround: Restart the CipherTrust Manager to complete the upgrade.
KY-68495	Problem: When you change the port of the default interfaces (NAE, KMIP, & WEB) and take a backup of the CipherTrust Manager, while restoring this backup on any CipherTrust Manager, the `/v1/backupStatus` API reports the incorrect status and also the success audit record for restore doesn't appear.
KY-71086	Problem:When you upgrade from the CipherTrust Manager 2.10 or lower versions having auto-registered NAE clients, the NAE/KMIP service fails. Workaround: PATCH such clients before or after upgradation. Follow the steps mentioned in the https://jira.tesdev.io/browse/KY-70143.
KY-71060	Problem: For upgrades from 2.13.2 to 2.14.0, the upgrade tool erroneously displays "Attempting to upgrade CipherTrust Manager from 2.13.1". Workaround: Disregard this display.
KY-70904	Problem:If you attempt to upgrade a Virtual CipherTrust Manager hosted on Microsoft Azure, the upgrade sometimes fails with the message `Errors were encountered while processing:grub-pc` present in the upgrade log. Workaround: If you see this error, contact customer support to complete the upgrade.
KY-70603	Problem: If you attempt to add an HSM-anchored domain through the CipherTrust Manager GUI, the operation times out with the error `Failed to create domain kek` in the debug logs. Workaround: Set the `KSCTL_TIMEOUT` value to `60` (corresponding to 60 seconds), and then use the `ksctl domains create` command to add the HSM-anchored domain.
KY-69666	Problem:If you attempt to join a node to a cluster using the web console UI, the request fails, and within a few minutes, add the node to the cluster allowlist, the join request sometimes re-runs successfully. Workaround:Use the `ksctl cluster join` command or `/v1/cluster/join/` REST API endpoint to join nodes to a cluster with an allowlist.
KY-69549	Problem: If you have configured an LDAP connection to manage CipherTrust Manager users and the LDAP server is not reachable, you cannot retrieve users with "return_groups=true" on GUI, API, or CLI. Workaround: Resolve LDAP connectivity issue so that the CipherTrust Manager can retrieve user's group details.
KY-66205	Problem:When custom interfaces are created in a cluster, with certificate auto-generation turned off, the node on which the interface is created accepts the client connections. However, on other nodes, the connection fails. Workaround:Update the local trusted CA on the other nodes.
KY-65962	Problem: OCI test connection fails when an OCI user is part of an identity domain.
KY-65947	Problem: If you attempt to add an alarm configuration from a specific record using the UI's Add Alarm Config from Record option, the conditions for boolean type fields are populated incorrectly. For example, the UI sets conditions such as `input.success == "true,boolean"` or `input.success == "false,boolean"` which are not in compliance with Open Policy Agent's Rego query language, and will not trigger alarms correctly. Workaround: Edit the alarm configuration to reformat the condition as `input.success == true` or `input.success == false`. Alternatively, add new alarm configurations through the + Add Alarm Configuration button available in the Alarm Configurations tab.
KY-65821	Problem: The `ls -l` command fails in SSH sessions as ksadmin user, in the /home/ksadmin and /opt/keysecure directories. Workaround: Use `ls` without the `-l` flag.
KY-64767	Problem: After upgrade, if a system was previously configured to send host syslog messages, USB syslog messages may not appear. Workaround: Use the `kscfg` utility to delete and re-add host syslog configuration.
KY-64600	Problem: If you create multiple automatic key rotation scheduled jobs, and they are scheduled to run at the same time, a key rotation intermittently fails with the message 'There is an ongoing key rotation job, cannot add another'. Workaround: Schedule automatic key rotation jobs to run at different times from one another.
KY-64597	Problem: Typing a `%` (percent character) into the embedded API Guide for GET operations leads to inconsistent results, and sometimes crashes the page. Workaround: As a best practice, avoid naming resources with the `%` character. If you must retrieve a resource with a `%` in its name, use the UI or CLI to do so.
KY-64562	Problem: Policy attachments can be detached (deleted) from system policies even though those policies are read-only. Workaround: Restart CipherTrust Manager to populate the deleted system policy attachment.
KY-66351, KY-63083	Problem: Clients registered in a deleted domain are not excluded from the License usage. Workaround: 1. Log on to the root shell. 2. Delete the entries of the clients registered with the deleted domain from the database.
KY-62563	Problem: After auto-registering a client, the server audit record for creating a token has an incorrect value for `client_id`. Workaround: Note the client_name value in the record. Run `ksctl clientmgmt clients list --client-name <client_name_value>` to return client details including the client ID.
KY-61892	Problem: The NAE and KMIP clients get auto-registered even if the system property, `ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN`, is disabled and the user impersonated by the client certificate is not created in the root domain and the registration token is generated in the root domain. However, the client wont be able to communicate using impersonated user for interface mode `'TLS, verify client cert, user name taken from client cert, auth request is optional'`.
KY-61722	Problem:Deleting a domain that contains an NAE (ProtectApp) client returns status code `500`.
KY-61373	Problem: The support for ProtectV is removed from the CipherTrust Manager, but the ProtectV license still shows up after the upgrade from version 2.10.0.
KY-61196, KY-64823	Problem: In a CipherTrust Manager cluster, if two nodes are disconnected and you create the same user on both nodes and update them with same DN, on re-connect, duplicate users get created. Workaround: Duplicate users cannot be authenticated as regular users, therefore, function as redundant users. It is recommended to delete these users to avoid any confusion. However, if you don't delete them, you will be allowed to log in with one user only.
KY-61054	Problem: While migrating from KeySecure Classic to CipherTrust Manager, if the local CA is signed by an external CA, the migration will fail for the local CA even if the external CA is added to the known CA list. Workaround: If an externally imported CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, the CA will be migrated as an external CA, but the certificates will not be migrated to the CipherTrust Manager. Therefore, to use the same certificate for the NAE/KMIP interface on the CipherTrust Manager, select the migrated external CA and upload its certificate manually by editing the NAE interface on the CipherTrust Manager. Similarly, if a local CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, use auto-generation or issue a new certificate and upload the certificate to the interface.
KY-56426	Problem: Deleted groups still show up in the key details information on the CipherTrust Manager.
KY-56213	Problem: If you attempt to create a Luna Network HSM STC partition in connection manager and upload a partition identity file, the upload fails with the `error Code 14: NCERRInternalServerError: unexpected error`. This is because CipherTrust Manager doesn't recognize the format of the partition identity file downloaded from Luna Network HSM. Workaround: Use the Linux command `base64 -wo` on the partition identity file to convert it to base64 format, and then re-attempt the STC partition creation.
KY-55987	Problem: If you have a scheduled job set to run on a particular cluster node, remove the node from cluster, and then rejoin it, the scheduled job runs on all cluster nodes instead. Workaround: After making any changes to cluster membership, update the scheduled job `run_on` parameter to reflect the current cluster node ID.
KY-55416	Problem: Alarms table does not support retention policy. Record based alarms will fill up the table. Workaround: Contact customer support.
KY-54039, KY-55544	Problem: Syslog message redirection from child domains to parent domains stops when 30 or more child domains enable this feature.
KY-53681	Problem: You cannot delete the default backup key if it is uploaded from another domain. Workaround: Contact customer support.
KY-53100	Problem:Acknowledging/clearing alarms changes alarm's source and source_id to the cluster member node which updated the alarm.
KY-52137	Problem: If you rotate the root of trust key for an HSM and then reboot the appliance, services fail to start up and the reboot does not complete. This can happen when the HSM contains two root of trust keys with the same name, and the wrong HSM key is loaded. Workaround: If you are stuck in services startup, access the HSM with another client, and re-label one of the duplicate keys.
KY-51664	Problem: When nShield Connect HSM is configured as root of trust, there are intermittent connectivity issues. The nShield HSM occasionally returns a `ServerAccessDenied` error, and CipherTrust Manager raises the `HSM is offline` system alarm. Workaround: Wait for connectivity issues to resolve after a few automatic reconnection attempts.
KY-49376	Problem: If a CipherTrust Manager is deployed at a version lower than 2.8, a CTE license is installed, and the CipherTrust Manager is upgraded to 2.8 or higher, the displayed CTE license usage count is incorrect. Workaround: In a domain with pre-existing CTE clients, create or register a new CTE client, and then delete the new client.
KY-49126	Problem: After the external CA is uploaded on the CipherTrust Manager, the GN and DC fields are not displayed as part of the record.
KY-48284	Problem: Domain backups with local users cannot be restored into another domain in the same cluster. Workaround: Restore the backup to a CipherTrust Manager in a new cluster, or to a different CipherTrust Manager instance which isn't clustered.
KY-47184	Problem: After upgrade, services sometimes fail to restart with an error message starting with `Forcing migration for retry`. Workaround: Contact customer support to recover from this state.
KY-39354	Problem: Scheduled Partial Domain Backups and Domain Backups fail when there is an SCP connection. The backup file is created on CipherTrust Manager, but it is not forwarded through SCP, and the file is invalid. Workaround: If scheduled backup through SCP is needed, create a System Backup.
KY-39235	Problem: If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain.
KY-27450	Problem: Local Certificate Authorities (CAs) do not allow commas `,` in any of the fields. Workaround: Configure an External CA instead. Use a backslash `\` in the Distinguished Name (DN) while creating a user if you are using certificate based login. For example, `C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test` is an accepted value. All other printable characters are allowed, as per RFC 5280 definition of PrintableString. `@` and `&` are also allowed, beyond the definitions of the RFC.
KY-25152	Problem: You cannot pass in a custom SSH key via cloud init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the `admin` user on Oracle Cloud instances. Workaround: Login to the GUI to enter the SSH public key on initial access. You can also change the password for the `admin` user on this login.
KY-17338	Problem: KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration.
KY-13343	Problem: Uploading an existing backup results in error but is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as backup ID.
KY-11517	[ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding.
KY-7289	Problem: When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: Decrypt the data using KeySecure Classic. Encrypt the data with keys stored on CipherTrust Manager.
KY-7288	Problem: When migrating from KeySecure Classic to CipherTrust Manager, AES-GCM encrypt/decrypt operations, AuthenticatedEncryptionTag is returned appended to CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: Decrypt the data using KeySecure Classic. Encrypt the data with keys stored on CipherTrust Manager. After migration to CipherTrust Manager, the AAD tag is not appended to the data. It is sent as a separate tag.
KY-7193	Problem: Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created.
KY-504	Problem: Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster.
NC-2063	Problem: If a user is deleted (or LDAP connection name changes), they fail to display in the keys table.

CipherTrust Application Data Protection (CADP for C)

Issue	Synopsis
KY-47385	Problem: If you migrate a non-deletable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "deletable". Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-deletable.

CipherTrust Cloud Key Manager

Issue	Synopsis
KY-92814	Problem: CCKM GUI: After applying a filter to a column, if you navigate away from the screen and return back, the filter may not persist. Workaround: Apply the filter again.
KY-87019	Problem: GWS GUI: When creating a new endpoint, the Identity Provider list displays only 10 identity providers. Workaround: Use the API to create a new endpoint using the required identity provider.
KY-86980	Problem: Salesforce GUI: When adding a new Salesforce key using DSM to configure the source key, the DSM Domain field on the Configure DSM Key screen may not display all the available DSM domains. Workaround: Use the API to add a new Salesforce key by uploading a DSM key created in a specific DSM domain.
KY-92234	Problem: AWS GUI: AWS connection linked with an AWS KMS account can't be changed. Workaround: Run the `patch /v1/cckm/aws/kms/{id}` API to change the AWS connection.
KY-89038	Problem: GCP GUI: Only 100 key rings are listed on the Add Key Rings screen even if more than 100 key rings exist. Workaround: View all the existing key rings using the API.
KY-89969	Problem: Cloud key management APIs don't work behind a proxy for Google EKM, Google Workspace CSE, OCI HYOK, SAP, DSM, and external CipherTrust Manager. Workaround: Add the proxy URLs for your cloud to the proxy exception list and allow this URL in the firewall. Refer to URLs to Whitelist for Running CipherTrust Manager Behind Proxy.
KY-86632	Problem: Azure GUI: When adding a new Azure key, the Vault drop-down doesn't display all available vaults. Workaround: If a vault is not displayed on the GUI, use the API to create keys in the desired vault.
KY-84440	Problem: AWS GUI: Alias specified when linking an unlinked AWS HYOK key is not attached to the key. Workaround: Add the alias on the detail page of the key.
KY-82370	Problem: In a configuration with multiple Luna Network HSMs in high availability mode configured in the connection manager, when the HSM in use becomes unavailable, CCKM occasionally doesn't failover to the remaining HSMs.
KY-81514	Problem: SFDC: Refresh operations on CCKM don't remove certificates that are deleted from the SFDC console.
KY-80439	Problem: While editing a Cryptospace service account, the entry is removed from the list and added back to the Add Service field on the top. lf you keep clicking the Edit option on the next entry, it causes the previous entry to disappear.
KY-78298	Problem: SAP GUI: The Algorithm filter on the SAP Keys page doesn't show the RSA 8192 algorithm.
KY-77825	Problem: CCKM GUI: Account filtering doesn't work for the AWS keys and saved policies.
KY-76609	Problem: The custom policy statement doesn't update when rotating an AWS key on which the encrypt permissions are disabled (the "Disable Encrypt Permissions on Current Key" check box is selected).
KY-76521	Problem: CCKM: Intermediate keys in Luna HSM aren't cleaned up when the sync operation is performed.
KY-76510	Problem: CCKM: [Intermittent] After migrating source keys from CCKM Enterprise in multiple domains on the CM, AWS key rotation might return resource not found error.
KY-73919	Problem: Synchronize Salesforce certificate operations don't display error messages in audit logs.
KY-73679	Problem: Azure GUI: While importing an Azure certificate, if you select Yes for "Is Certificate File Password Protected?" and specify a password, later if you change to No without clearing the entered password, the password parameter is still picked up from the GUI. Workaround: Clear the specified password, and select the No option for "Is Certificate File Password Protected?".
KY-73123	Problem: Salesforce: When MTLS is turned on, new certificates can't be uploaded to the Salesforce cloud.
KY-72770	Problem: OCI: The origin field of asymmetric HSM keys with External BYOK as Origin Type is set inconsistently for initial and subsequent versions. The origin of the initial version is correctly set to EXTERNAL. However, the origin of subsequent versions is incorrectly set to INTERNAL. This issue is at the Oracle end.
KY-72549	Problem: OCI HYOK: After a CipherTrust source key is deleted, it persists in the cache until the CipherTrust Manager services are restarted. Workaround: Restart the CipherTrust Manager services.
KY-72210	Problem: AWS, Azure, and Luna HSM GUI: When adding a new container or changing the connection of a container, the GUI lists only 10 connections. Workaround: Use the API or CLI to view all connections added to the CipherTrust Manager.
KY-72067	Problem: GUI: Salesforce mTLS connection doesn't work when the Salesforce connection to the CipherTrust Manager is configured using the Password authentication. Workaround: Use the authentication type of Certificate or Client Credential (My Domain) when creating the Salesforce connection to the CipherTrust Manager.
KY-71243	Problem: GUI: Intermittent: If the key source has a large number of keys (say, in thousands), fetching all the keys may take a significant amount of time or the request may time out. Workaround: Use the API or CLI to fetch the keys.
KY-71194	Problem: AWS GUI: Intermittent: If the CipherTrust Manager has a large number of keys (in thousands), while adding an external key store, request to fetch the health check keys times out. The Health Check Key drop-down list does not display the existing keys. Workaround: Add the external key store using the API or CLI.
KY-65165	Problem: SAP: A delete key job remains in the PENDING state for long time and fails intermittently. This issue is at the SAP end.
KY-56952	Problem: GCP GUI: ACLs of Google Projects for cryptospaces and cryptospace endpoints can't be updated with the "CCKM Users" group. Workaround: Use the API to update the ACLs with the "CCKM Users" group.
KY-42082	Problem: SAP Data Custodian: SAP key activity report doesn't show any data. This issue is at the SAP end.
KY-31186	Problem: If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception (`cloudkms.googleapis.com`) with `no_proxy` or use the proxy with username and password, and restart the services.
KY-17213	Problem: When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group.

CipherTrust Database Protection

Issue	Synopsis
KY-82266	Problem: CDP: A non-admin user of the ProtectDB Users group can't migrate tables on the CipherTrust Manager.
KY-81007	Problem: `DatabaseID` is not set in `metadb ing_property`. Workaround: Perform `adddb` operation using the pdbctl utility once.
KY-72709	Problem: Can't recognize domain user in user mapping. Workaround: Use the pdbctl utility to add user mapping.
PDB-3293	Problem: If `datatype` of a column changes from `char` family to `blob` after migration, the Return replacement value option for the Error Replacement feature does not work.

Application Data Protection

Issue	Synopsis
KY-64541	Problem: Unable to update encoding mode of a Character Set on UI. Workaround: Use the `patch /v1/data-protection/character-sets/{id}` API to modify the encoding mode.
KY-62820	Problem: Single hex-digit is allowed while creating a Character Set.
KY-71691	Problem: When a protection policy is created without selecting a character set, blank screen appears and an error is thrown on the console.

CipherTrust Data Discovery and Classification

Issue	Synopsis
KY-9098	Problem: DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails. Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store.
KY-9104	Problem: Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent.
KY-9399	Problem: The XVA file contains a data object that is was reported when it should not. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object in the Data Objects tab is displayed in the UI. You should ignore it.
KY-8990	Problem: Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts.
	Problem: None of the clustered nodes responds to requests to DDC. DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. This will be improved in next releases. Solution: Run `ksctl ddc active-node` to identify the CipherTrust Manager node responsible for answering DDC requests and send the requests to the indicated IP. If this does not work, please restart the CipherTrust Manager node with that IP. If the node identified by `ksctl ddc active-node` does not answer DDC requests correctly or is no longer active, contact Thales Customer Support.
KY-22666	Problem: DDC may not scan big Data Objects for Data Stores other than local storage. The threshold to consider is a file as big as half of the assigned scan RAM. When a DDC scan encounters a file exceeding this threshold, it may completely skip the file or scan just up to that threshold. The user has no way to identify the issue from DDC reports. Possible Workarounds: Download large files to a local storage, and run the scan on this local storage data store. Increase the scan RAM as indicated in the Tuning Scan Settings section.
KY-19763	Problem: OracleDB and IBM DB2: uppercase schema/table name issues. User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase. Workaround: Set the target path in uppercase.
KY-21981	Problem: Postgres tables without primary keys are not completely scanned DDC can only scan Postgres tables if they have at least one primary key defined. Workaround: Configure at least one primary key in the tables and run the scan again.
KY-34462	Problem: In G-Drive DDC scans all the path to which the scan path is prefixed. When scanning a specific G-Drive folder, the scan is extended onto all folder names that contain the name of the folder that you intended to scan.
KY-46340	Problem: Office365: OneDrive for Business - Using wrong OneDrive domain while probing or scanning does not return an error. Also a scan with the wrong domain and path does not return any error and it completes successfully.
KY-48874	Problem: A scan with MySQL datastore (version 8.0.30) fails due to "failed status in the scanner service".
KY-49115	Problem: Discrepancies in scan results of infotypes for the same file in DDC 2.10 and 2.9. These infotypes show discrepancies: - Australian Passport Number: 1070 (in version 2.9), 204 (in version 2.10) - China Union Pay: 1000 (in 2.9), 921 (in 2.10) - Discover: 1001 (in 2.9), 919 (in 2.10) - Diners Club: 1001 (in 2.9), 1002 (in 2.10) The above discrepancy is because of the new and improved data types, which are as follows: - The Australian Passport Number data type has been enhanced for improved accuracy and coverage of the newer passport series, with additional updates made to enable the Australian Passport Number to be detected on the passport MRZ line. - Discover Global Network cardholder data types including China Union Pay, Diners Club, Discover, and JCB have been updated to identify 14-19 digit primary account numbers (PANs) for all supported BIN ranges.
KY-51301	Problem: For SMB Data Stores with remediation enabled, scans performed after remediation completes may not find matches in encrypted files. Workaround: Automatic agent selection does not narrow the selection of DDC Agents to those installed on host with a CTE Agent in the Agent Group protecting the SMB GuardPoint. If DDC selects any of those agents, further scans on the SMB will read the encrypted content and therefore will be unable to find any match. In order to avoid this issue, please assign use labels to force DDC to select only the right agents as follows: - Add one dedicated label to the DDC Agents installed on the hosts with valid CTE Agent, - Associate that same label to the SMB Data Store, in order to guide automatic agent selection algorithm.
KY-51550	Problem: Office365: OneDrive for Business - Scan progress reaches more than 100%.
KY-51586	Problem: A scan of a LONGBLOB file in MySQL gets stuck while scanning. DDC should be able to scan a 20 MB table, as LONGBLOB data type supports up to 4 GB of data, yet it fails.
KY-51623	Problem: Partial Scan in BLOBs of size greater than 100 MB in MSSQL. NOTE: If a file is partially scanned, it will be considered in the inaccessible location list.
KY-52297	Problem: DDC scan fails with an empty GuardPoint path for a SMB data store. Solution: A GuardPoint for a data store must always have a path configured in CTE.
KY-51695	Problem: DDC is only able to scan the initial 4 KB of any text file stored as a large binary object in database tables.
KY-52494	Problem: From this DDC version on (DDC-2.10), RHEL-compatible Agents can only be installed on environments running the matching and officially supported kernel version.
KY-52532	Problem: Autopause feature not working as expected in Azure Table scans. A scan of Azure Table with the "Autopause" feature enabled has the following issues: it fails to resume after autopause end time after it enters the "Autopaused" state from the "Pending" state, it fails to enter the "Autopaused" state from the "Running" state.
KY-42593, KY-42491	Problem: Launching a second scan with any Data Stores in common with a running scan may restart the first scan progress on the shared Data Store, or even fail it if the first scan is manually paused. Workaround: Minimize scan concurrency on any given Data Store and use automatic pause, as automatically paused scans normally do not fail.
KY-23163	Problem: A scan goes into an interrupted state for CIFS after restarting the agent. This only happens on Windows Server agents and for the Exchange Server and Windows Local Storage. Solution: 1) Restart the Windows agent with the scan in the "Paused" state. Then resume the scan, and it will go into the "Scheduled" state. 2)Restart the Windows agent one more time and the scan comes back to normal.
KY-55916	Problem: Full DS scan on SAP HANA fails with an "Internal Error". SAP HANA scans on specific target paths (the schema to which the user has privileges) are successful. The database can contain schemas to which the user does not have privileges. The scan on a full datastore will try to scan all schemas that are present in the database and as a result the scan will fail due to the lack of privileges on some schemas.
KY-56387	Problem: The count of data stores in the Agent List section does not change for the Exchange Server data store. The number of data stores linked to an agent on the agents page is updated once the data store is ready, except for the Exchange Server data store.
KY-53620	Problem: Targeted scans of a smaller dataset in a G-Drive data store take a long time, if the overall data that is stored in G-Drive is of a larger size (for example, over 500 GB).
KY-56390	Problem: Scanning of any data from an Exchange Server data store works only if the agent is installed on the same machine as the Exchange Server.
KY-60493	Problem: A scan is failing with an internal error when an entire SMB share is scanned. A scan of a full SMB datastore takes a long time and and ends with an internal error. Scanning a sub folder only gives no problem and you can generate a report.
KY-62708	Problem: The 'SSH Private Key' infotype does not show any matches for scans over its respective datasets, although the matches for 'SSH Private Key' are getting covered in another infotype called 'Private Key'. Because both of these infotypes are under a single classification profile 'Secrets', in effect there will not be any incorrect match difference for scans over the 'Secrets' classification profile.
KY-66074	Problem: Azure Table: The Issue related to Azure Table Data Store has been fixed as 'Cloudant Credentials', 'Basic Auth Secret' infotypes showing correct matches if relevant data resides inside the dataset. Mongo DB: The IBM COS HMAC Credentials infotype is getting correct matches when quotes are not used while creating the dataset. But still it will get less matches with double quotes. For example, if the dataset has more than one pair of double quotes like so: "IBM COS HMAC TOKEN [-secret_accesskey]:: "687a726d2d905d575248759459871a2c4f92c54bdec6b78f"" In the above example, there are quotes around the '687a726d....' string. It will be considered an escape character, and MongoDB automatically appends '\' to ensure the string is preserved correctly. Due to this '\', the infotype will skip the match.
KY-66217	Problem: The 'IBM COS HMAC Credentials' infotype from DDC shows fewer matches for EBCDIC formatted dataset. The conversion of the text dataset to EBCDIC format leads to this issue.
KY-58714	Problem: When OCR is enabled with low memory usage (e.g. 1GB RAM), the scan produces less sensitive matches. Therefore, you should manually select a minimum of 2GB RAM for scanning OCR datasets.
KY-69460	Problem: The scan configuration parameter to control the volume of Data Objects configures the scan as if the user always selected the 'Maximum - No saved info' value.
KY-67484, KY-71568	Problem: SharePoint Online Scan functionality is currently not available for a "Specific List" and "All List" as Target.

CipherTrust Secrets Management

Issue	Synopsis
KY-72796	Problem: The CipherTrust Manager constantly communicates with multiple IPs of the akeyless SAAS server (for example, "52.223.11.194", "35.71.185.167", "35.192.171.171") over port 9443, which leads to a lot of irrelevant log entries.
KY-64648	Problem: The "Forgot Password" feature for email is not supported through akeyless gateway on the CipherTrust Manager. Only "Forgot API Access Key" feature is supported. Workaround: Use "Forgot Password" feature for email directly on the Akeyless website.
KY-70144	Problem: During secret creating for Docker Hub target in Akeyless, the connection is refused. Workaround: Add an explicit DNS Host entry to the CipherTrust Manager for Docker Hub.
KY-67413	Problem: After creating a secret, akeyless provides a functionality to share the secrets to an external user through email. This functionality doesn't work on the akeyless console UI integrated with the CipherTrust Manager and throws an error. Workaround: The user can share the secret through email using the akeyless account on `console.akeyless.io`.
KY-64835	Problem: If you attempt to modify the protection key for an existing certificate-type secret in the Akeyless console, an exception stating `Unexpected error` is displayed. Workaround: Delete and re-create the existing secret with the desired protection key.
KY-64751	Problem: If you launch the Akeyless console from the Secrets Management tile, and the CipherTrust Manager session expires or is manually logged out, the Akeyless console session logs out as well. Workaround: Refrain from logging out from the CipherTrust Manager UI unless you also want to log out from the Akeyless UI.
KY-63288	Problem: Some internet browsers, such as Mozilla Firefox, Google Chrome, or Microsoft Edge launch the secrets management tile as a pop-up, and prompt to allow pop-ups. Workaround: Allow pop-ups from the CM UI if prompted.
KY-63116	Problem: If you restart all services, the Akeyless console and Akeyless gateway services return a 502 bad gateway error, and display the message "Oops! Something went wrong..." in the browser, instead of displaying in the "Following services are starting up:" message on the CM login page. Workaround: Wait 40 seconds for the Akeyless services to start up and then re-attempt visiting Akeyless console or Akeyless gateway.
KY-61568	Problem:The `POST /v1/connectionmgmt/services/akeyless/connections` operation in the API playground to create a new Akeyless connection introduces unnecessary parameters "meta", "products", and "category". Workaround: Ignore these parameters. They do not affect the functioning of the Akeyless connection.

CipherTrust Transparent Encryption

Issue	Synopsis
KY-75999, KY-84128	Problem: The CTE licenses are not updated, when the domain gets deleted from the CipherTrust Manager or the clients of a domain are migrated from DSM to CipherTrust Manager. Workaround: If the clients of a domain are migrated from DSM to CipherTrust Manager and the license count is incorrect for that domain, create a CTE client (for example, ABC) in the same domain and then delete it. This will correct the license count for that domain.
KY-72180	Problem: Secure Start configuration changes on the CipherTrust Manager are not pushed to the CTE Agent. Workaround: Manually restart the VMD service (`secfs restart`) on the client or change other configurations such as the linked profile on the ${cm).
KY-72096	Problem: CTE UserSpace: After upgrade to CipherTrust Manager 2.14.0, CTE UserSpace 10.1.0 clients don't show the Healthy status on GUI. This issue is resolved in the CTE-U 10.2.0 release. Workaround: Upgrade the clients to 10.2.0 or manually restart the CTE-U services (`secfs-fuse restart`) to restore the client communication to the Healthy state for older CTE-U client versions.
KY-72095	Problem: After upgrade to CipherTrust Manager 2.14.0, CTE clients can take up to 25 minutes to show the Healthy status on GUI. This issue has no impact on the functioning of GuardPoints. This issue is resolved in the CTE 7.5.0 release. Workaround: Upgrade the clients to 7.5.0 or manually restart the VMD service (`secfs restart`) to restore the client communication to the Healthy state for older CTE client versions.
KY-60249	Problem: The `get /v1/transparent-encryption/policies` API does not return the complete list of policies added to the CipherTrust Manager. Workaround: Run the `get /v1/transparent-encryption/policies` API with `limit` as `-1`.
KY-59893	Problem: Signature rules are not copied to a clone policy. Workaround: On the policy details page, manually add the missing signature rules.
KY-59066	Problem: Displayed Domain Level Usage for CTE Clients on Licensing page shows client usage for all domains instead of just the current domain.
KY-55739	Problem: When a CipherTrust Manager user having only CTE Admins group permissions initiates a Quorum-dependent operation, a corresponding Quorum is created. After the required Quorum approvals, the operation does not auto-trigger in the background. Workaround: Retry the operation after the required Quorum approvals.
KY-55511, KY-55527, KY-55275, KY-55528	Problem: Simultaneous composite operations (for example, update and delete) are not supported for quorums.
KY-55273	Problem: If quorum is activated for client group deletion, then bulk client group deletion generates multiple quorums in pre-active state. Workaround: Delete client groups individually.
KY-55064, KY-54442	Problem: In case of bulk client or client GuardPoint deletion, the quorum details may not be available. However, quorum operations (such as approval, rejection) can be performed. This issue has no impact on functionality.
KY-51759, KY-51754	Problem: When quorum is enabled, if you perform an operation to delete clients or GuardPoints in bulk, the quorum is created in pre-active state. Workaround: Activate the quorum using the `/v1/quorum-mgmt/quorums/{id}/activate` API.
KY-51135	Problem: Group members cannot be imported from ldap for user sets.
KY-34329	Problem: Browsing VxVM raw devices that have slash in the path names shows non-existing directory in the GuardPaths. Workaround: Create GuardPoints by manually entering the raw device paths.

Batch Data Transformation (BDT)

Issue	Synopsis
KY-72695	Problem: 500 Status code occurs when fetching BDT policies.

ProtectApp

Issue	Synopsis
KSCH-16415	Problem: The Host Name field on the Client Registration screen does not have validation for host availability. Workaround: Add clients using the API.

ProtectFile

Issue	Synopsis
KSCH-573	Problem: Encryption rules cannot be modified to reset values for include and exclude extension parameters.
KSCH-568	Problem: Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously.
KSCH-567	Problem: Modifying a file level encryption rule to set the “isRecursive” flag does not return error.
KSCH-564	Problem: Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress.

CipherTrust Intelligent Protection

Issue	Synopsis
KY-56816	Problem: Unencrypted report is generated for few files if user reboot the machine during remediation. Workaround: User need to run scan with reclassify option or full scan again to generate correct report.
KY-55480	Problem: Cross domain client registration is not working with CIP.
AGT-43391	Problem: All files are not encrypted on performing bulk rename during remediation on Linux Local Storage with STD/LDT policy. Workaround: All remaining files will get encrypted after a periodic CIP scan which runs after 8 hours (default).
KY-36741	Problem: File becomes plain with `MOVE` operation of a tagged file with ACL and STD policy on Linux.
KY-65540	Problem: PQS configurations are not visible on GUI after saving remediationconfig via API using the ID/UUID for the `knox_connection_identifier` name. Workaround: • Solution 1: Use GUI to configure PQS. • Solution 2: Use the `knox_connection_identifier` name instead of ID/UUID via API.

Suggest A Change

Release Notes

Product Description

Product Abbreviations

Release Description

Features and Enhancements

Release 2.14.2

Release 2.14.1

Release 2.14.0

Platform

Limitations

Application Data Protection

CCKM

CTE and CTE UserSpace

DDC

UI Improvements and Changes

Resolved Issues

Advisory Notes

Upgrade Trusted Cyber Technologies (TCT) CipherTrust Manager k570 with Luna PCIe Root of Trust Hardware Security Module to 2.14.1 Directly

Increased Disk Space and Cluster Node Downtime Required for Upgrade to 2.14

Required System Volume Disk Size for Virtual CipherTrust Manager

NextGen KeySecure and ProtectFile End-of-Support in 2023

Quorum

SMB Connection

Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests

Some Key States Change After Upgrade

System Upgrade and Downgrade Supported Releases

Protect the ksadmin Private SSH Key

TLS/SSL Must be Enabled in a Production System

Key Usage Mask Selection

DDC

Clusters

Licensing

Upcoming End of Support for Platforms and Features

Compatibility

TLS Compatibility

TLS Deprecation Notices

Client Platforms

CipherTrust Application Data Protection

CipherTrust Application Key Management

CipherTrust Cloud Key Manager

CipherTrust Database Protection

CipherTrust Transparent Encryption

CipherTrust Transparent Encryption UserSpace

CipherTrust Transparent Encryption for Kubernetes

CipherTrust Vaulted Tokenization

CipherTrust Batch Data Transformation

CipherTrust Vaultless Tokenization

ProtectFile

Data Discovery and Classification Agents

TDP Version Compatibility

Known Issues

CipherTrust Manager

CipherTrust Application Data Protection (CADP for C)

CipherTrust Cloud Key Manager

CipherTrust Database Protection

Application Data Protection

CipherTrust Data Discovery and Classification

CipherTrust Secrets Management

CipherTrust Transparent Encryption

Batch Data Transformation (BDT)

ProtectApp

ProtectFile

CipherTrust Intelligent Protection

On this page