CTE Licensing Model
CipherTrust Transparent Encryption (CTE) supports the CTE base, CTE for Kubernetes, CTE for Ransomware, and LDT add-on licenses.
CTE base: Standalone license to use the CTE solution. This license is required to use add-on LDT licenses. CTE SAP HANA and Teradata are available as part of the CTE base license.
Note
CTE base is required to register CTE (rebranded VTE-Vormetric Transparent Encryption) clients with the CipherTrust Manager. This is distinct from CTE UserSpace, which is the rebranded ProtectFile FUSE.
CTE for Kubernetes: Standalone license to use the Kubernetes feature. Every node of a Kubernetes cluster consumes one CipherTrust Transparent Encryption for Kubernetes license. The license applies to the worker nodes where Container Storage Interface (CSI) is attached to the application pod.
Thales CipherTrust Manager Community Edition includes CTE for Kubernetes. Refer to Thales CipherTrust Manager Community Edition for details.
CTE for Ransomware Protection: Standalone license to use the Ransomware protection feature. One Ransomware protection-enabled client consumes one CipherTrust Transparent Encryption for Ransomware license on the CipherTrust Manager.
The Ransomware protection feature is independent of the CTE license. To use file system (CTE) and Ransomware (RWP) protection on a CTE for Windows client, then two licenses (one CTE base license and one CTE for Ransomware license) are required.
Thales CipherTrust Manager Community Edition comes with three licenses of CipherTrust Transparent Encryption for Ransomware. Refer to Thales CipherTrust Manager Community Edition for details.
Live Data Transformation (LDT) add-on: Add-on license to use the LDT feature. Add-on licenses require a CTE base license activated on the CipherTrust Manager.
These licenses are offered through the following licensing models:
Refer to Activating CTE Licenses for instructions on how to activate CTE licenses.
Trialware
Provides the fully-functional CTE solution for 90 days with pre-installed trial license. After the trial period expires, CTE continues to work normally, however, new client registrations are not allowed.
This is the default license shipped with the CipherTrust Manager.
Note
After upgrading the CipherTrust Manager from a supported version, to activate the trial licenses, run the command:
ksctl licensing trials activate --id "CipherTrust Manager Full Trial"
Term License
Provides the fully-functional CTE solution for a prepaid charge for a specific period of time, for a specific number of clients.
This license comes with a grace period of 90 days. After the license period expires, the grace period starts. During the grace period, CTE continues to work normally. After the grace period is over, CTE still continues to work normally, but new client registrations are not allowed.
The CipherTrust Manager GUI starts showing a notification about the remaining license time. The license renewal can be ordered before the license expires.
Note
The number of clients that can be registered with the CipherTrust Manager is limited by the number of licenses purchased.
For example, if a 1-year license is purchased for 1000 clients, then only 1000 clients can be registered with the CipherTrust Manager.
Perpetual Licensing Model
Provides the fully-functional CTE solution for a prepaid charge with no time limit, for a specific number of clients.
Note
The number of clients that can be registered with the CipherTrust Manager is limited by the number of licenses purchased.
For example, if a perpetual license is purchased for 1000 clients, then only 1000 clients can be registered with the CipherTrust Manager.
A CipherTrust Manager appliance administrator can install the CTE license.
Add-on Licenses
CTE offers the Live Data Transformation (LDT) feature as an add-on license. To use the LDT feature, you need a CTE base license activated on the CipherTrust Manager.
Thales CipherTrust Manager Community Edition
Thales CipherTrust Manager Community Edition includes:
CTE for Kubernetes
If your CTE for Kubernetes license is unavailable or has expired, license enforcement switches to the Community Edition, as described below.
A maximum of three Kubernetes nodes can be registered with the CipherTrust Manager. Attempts to register more nodes will be rejected.
License-based restrictions apply to the number of Kubernetes nodes registered with the CipherTrust Manager, not to the number of CTE for Kubernetes clients.
All operations are allowed on the CSI resources. No restrictions apply.
CTE for Ransomware Protection
If your CTE for Ransomware Protection license is unavailable or has expired, license enforcement switches to the Community Edition, as described below.
A maximum of three CTE clients with Ransomware Protection enabled can be registered with the CipherTrust Manager. Attempts to register more such clients will be rejected.
License-based restrictions apply to the number of Ransomware Protection-enabled CTE clients registered with the CipherTrust Manager.
Activating CTE Licenses
Activating a CTE license requires a license string for the CipherTrust Manager with which the clients will be registered. This string is generated when a license is activated on the Sentinel EMS License Portal.
Refer to Activating a Connector License for details.
After the CTE base license is activated, its state becomes Active on the Features tab of the Licensing page of the CipherTrust Manager GUI. The license is displayed with the feature name CipherTrust Transparent Encryption. CTE SAP HANA and Teradata are available as part of the CTE base license.
After the base CTE license is installed, LDT add-on license can be activated and installed. The steps to install the add-on licenses are the same as installing a connector license. Refer to Activating a Connector License for details. The installed LDT and CTE for Kubernetes licenses are displayed with the feature names CipherTrust Live Data Transformation and CipherTrust Transparent Encryption for Kubernetes.
Note
When a client is unregistered (unenrolled), the number of Used Clients on the Licensing page remains the same. To update the clients usage, the unregistered client must be deleted from the CipherTrust Manager. After the client is deleted, the license is released and can be used to register another client.
License Enforcement
Expected behavior with CTE is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When Connector licenses are activated and uploaded to a CipherTrust Manager, you can register clients to the license capacity. The number of clients that you can register cannot exceed the Connector license count.
Reaching license capacity: If you attempt to register additional clients, registration fails because the license count has been exhausted. In this case, you can delete currently configured clients or buy additional licenses to register new clients.
If you have many existing clients, and later apply a new license which allows for fewer client registrations, a warning is displayed and a system banner appears across all pages. This banner persists as long the number of Used Clients under Client Usage exceeds the number of Total Clients. No clients are deleted, but you cannot register more clients.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. A 90-day grace period starts from the license expiry. During the grace period, you can still manage currently registered clients and register new clients. After the grace period is over, existing configurations become read-only. While the registered clients continue to work normally, you can't register more clients.
Note
The total number of clients registered on the CipherTrust Manager shouldn't exceed the total number of CTE licenses available on the CipherTrust Manager.
CTE licenses are enforced on domain level on the CipherTrust Manager. The total license usage is determined by the sum of clients registered across all domains. For example, if 200 CTE clients are registered in the root domain, and 100 more clients are registered in subdomains, the total license usage is 300.