Your suggested change has been received. Thank you.


Suggest A Change….


CipherTrust Manager Deployment

Hardening Guidelines


Please Note:

Hardening Guidelines

The CipherTrust Manager should be deployed into as secure an environment as possible. Every effort has been made to make the CipherTrust Manager as secure as possible, however, additional precautions should be taken especially when the CipherTrust Manager is deployed into an untrusted environment.

Network Security Groups

A network security group includes security rules that permit or deny inbound network traffic to required ports of CipherTrust Manager interfaces and outbound network traffic from CipherTrust Manager clients. For the list of available CipherTrust Manager inbound network traffic ports, refer to the following Recommended Interface Types and Port Assignments.

The recommended interface types and port assignments for the CipherTrust Manager are:

TypeProtocolPort Number
SSHTCP22 Inbound
SSH (if using Luna Network HSM, TCT Luna T-Series Network HSM, or AWS CloudHSM)TCP22 Outbound
HTTPTCP80 Inbound
HTTPSTCP443 Inbound for most deployment types. 9443 Inbound for Virtual CipherTrust Managers launched from AWS China.
HTTPS for DPoD Luna Cloud HSM Service TCP 443 Outbound
PostgreSQL (Applies only to Clustering).TCP 5432 Inbound/Outbound
NAETCP9000 Inbound
KMIPTCP5696 Inbound
If using Luna Network HSM or TCT Luna T-Series Network HSMTCP1792 Outbound
If using AWS CloudHSMTCP If you have a Virtual CipherTrust Manager deployed on an AWS EC2 instance, attach the cluster security group to the EC2 instance, as described AWS documentation.
For all other deployments, configure the network security group to allow 2223-2225 Inbound/Outbound.
NTPUDP123 Outbound
SyslogUDP514 Outbound
TCP6514 Outbound
SNMPUDP161 Inbound
UDP162 Outbound

If you are using the Secrets Management feature, the included Akeyless Gateway service requires public network connectivity to Akeyless SaaS Core Services.

Rules with source IP of (IPv4) and ::/0 (IPv6) allow all IP addresses to access the instance. It is recommended to set security group rules to allow access from known IP addresses only.

Whenever a new interface is added, the respective port should be added to the security group also.

Encryption of Virtual CipherTrust Manager

It is best practice to encrypt any Virtual CipherTrust Manager used in production. This is especially true if the Virtual CipherTrust Manager is deployed into an untrusted environment. When a Virtual CipherTrust Manager instance first boots, there are a number of secrets generated specific to that instance. To ensure that these secrets are never exposed, the CipherTrust Manager should be encrypted on first boot before it generates these. Please refer to Disk Encryption for details.

System Administrative Key

The SSH Private Key, used to access the System Administrative account "ksadmin", is extremely sensitive and should be kept in a secure environment.

HSM Configurations

If configured to use an HSM (SafeNet Luna Network HSM, Luna T-Series Network HSM, DPoD's Luna Cloud HSM service, or AWS CloudHSM), the CipherTrust Manager will protect all of its secrets with a non exportable HSM key. To protect all secrets, the CipherTrust Manager must be connected to the HSM on first boot. This is the most secure configuration. Special configuration is required to use an HSM with a cluster of appliances.

TLS Compatibility

This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

InterfaceMinimum TLS versionMaximum TLS versionDefault Minimum TLS version
Web UITLS 1.2TLS 1.3TLS 1.2
NAETLS 1.0TLS 1.3TLS 1.2

TLS 1.0 and TLS 1.1 support will be discontinued in a future release.

In a production environment, always enable SSL/TLS with the NAE interface. You should only disable SSL/TLS with NAE for troubleshooting purposes.

Administrative Session Timeout

By default, there is no timeout for a ksadmin administrative session taking place through SSH or serial connection to the appliance.

We recommend setting a timeout so that ksadmin must re-authenticate after a period of inactivity.

To set a timeout

  1. Login via SSH as ksadmin.

  2. Edit the /home/ksadmin/.bashrc file.

    vi /home/ksadmin/.bashrc
  3. Append the following line:

    TMOUT=<desired timeout value in seconds>
  4. Reload the .bashrc file to apply the new setting.

    source /home/ksadmin/.bashrc