Your suggested change has been received. Thank you.


Suggest A Change….





Please Note:


Does the same licensing model apply to physical and virtual appliances?

Yes. Both physical and virtual CipherTrust Manager appliances follow the same licensing model, as explained in this document. A physical appliance comes with a default 90-day trial license, which is replaced by a perpetual license as part of the appliance sale.

While there is no license count for KMIP, how many KMIP licenses do I need to purchase?

Currently, KMIP licensing only provides enablement. With an active KMIP license, the feature is enabled, and when the license expires, the feature is disabled. You still need to purchase the KMIP licenses based on the number of storage controllers or servers that will be communicating with the CipherTrust Manager appliance.

How many KMIP client licenses are required to allow communication from 10 KMIP clients?

Currently, KMIP license count is not enforced. Although having an active KMIP license enables the KMIP service, you should purchase 10 KMIP licenses for 10 KMIP clients. The KMIP connection count and license enforcement will apply in the future.

How can I migrate from KeySecure Classic to the CipherTrust Manager?

As part of the migration process, we have noted your purchase of CipherTrust Manager Connector licenses from the Data Protection Portfolio. Your licenses will be migrated to the new licensing EMS platform.

We strongly encourage you to follow the instructions and complete the license activation process. You should receive an email from with instructions to activate your licenses.

Visit the Thales Support Portal and search for knowledge base articles about migration from KeySecure Classic to the CipherTrust Manager. Articles such as KB0019572 and KB0019579 explain how to migrate your Connectors from KeySecure Classic to the CipherTrust Manager.

How can I manage my purchased licenses when I upgrade from the CipherTrust Manager version 1.5 to version 1.7 or higher?

CipherTrust Manager version 1.7 and higher support licensing through the Sentinel EMS platform. We have noted your purchase of the CipherTrust Manager and its Connector licenses from the Data Protection Portfolio. Your purchased licenses have been moved to the Sentinel Platform. Regardless of the CipherTrust Manager version you are running, you should receive an email from with instructions to activate your licenses on the Sentinel EMS portal.

How can I manage my purchased licenses when I upgrade from the CipherTrust Manager version 1.8.x, 1.9.x, 1.10.x to 2.0 or higher?

Sentinel has been used since the inception of the NextGen KeySecure, and continues to be supported by the CipherTrust Manager 2.0 onward. As the NextGen KeySecure is migrated to a CipherTrust Manager 2.0 or a higher version:

  • A new license is not required for the CipherTrust Manager itself (due to rebranding of NextGen KeySecure).

  • Existing connectors continue to work on the CipherTrust Manager after migration from the NextGen KeySecure.

  • New Connectors (CTE and CCKM) require a new license.

What happens when a ProtectFile license expires on the CipherTrust Manager appliance?

After the ProtectFile license expires, users cannot add new file servers. Currently registered ProtectFile clients continue to work until 90 days after the license expiration. After 90 days, policy changes are not allowed on the CipherTrust Manager. Users can only decrypt the data.

Is there an alert mechanism on the CipherTrust Manager to notify administrators of expiring licenses?

Yes, a banner warning message is displayed on the appliance GUI. In future release, Syslog messages will be added to alert administrators that the license is expiring.

Is a Connector license applicable to all cluster members?

Yes, the installed license is enforced across all cluster members. After it is uploaded to one node, it is replicated across all the nodes in the cluster.

How many ProtectFile Client licenses are required to protect 10 Windows servers with a three node CipherTrust Manager cluster?

10 ProtectFile licenses are required to protect 10 Windows servers. The number of registered clients cannot exceed the number of activated ProtectFile licenses on a CipherTrust Manager cluster. You can install the Connector license on any cluster node, and it is replicated to other cluster members.

What happens if the number of registered ProtectFile clients exceeds the new license count that is uploaded to a CipherTrust Manager cluster?

When a new license is applied, the server begins enforcement according to the new license client count restrictions. When you navigate to the ProtectFile application on the CipherTrust Manager GUI, a warning is displayed if the number of Used Clients under Client Usage exceeds the number of Total Clients. A system banner appears across all pages.

What happens when the CipherTrust Manager license expires before Connector licenses?

A red banner appears that indicates one or more licenses have expired. It does not affect currently registered Connectors or the CipherTrust Manager functionality.

Does the license enforcement impact specific versions of Connectors on the CipherTrust Manager?

No, once the license is enforced, all the Connectors have the same behavior regardless of the client software version.

Does a license expire based on the Connector’s date or the CipherTrust Manager’s date if they are in different time zones?

The license expiration is based on the CipherTrust Manager’s date. Please note the default time zone on the appliance is UTC if no NTP server is configured.

Is there any license expiration alert or log entry on the Connector side?

No, there is no alert or log entry from the Connector side.

What is the process of obtaining a new license when a CipherTrust Manager Virtual appliance is redeployed?

There are two scenarios. Both require assistance from the Thales Customer Support team until a self-service revocation process has been established.

  • Scenario 1 - The redeployed CipherTrust Manager is a standalone appliance. In this case, both the Key Manager Lock Code and Connector Lock Code are changed on the new redeployed CipherTrust Manager Virtual appliance. The old activated CipherTrust Manager and Connector licenses on the previous appliance cannot be used on the redeployed appliance. Thales Customer Support can assist to revoke the old licenses and generate new licenses for the new virtual appliance and its Connectors.

  • Scenario 2 - The redeployed CipherTrust Manager is part of a cluster. In this case, only the Key Manager Lock Code is changed and the Connector Lock Code stays the same as all other nodes in the cluster. Thales Customer Support can revoke the CipherTrust Manager license and generate a new one for the new Key Manager Lock Code. Connector licenses are applied to the redeployed CipherTrust Manager through the cluster.

What is the process of obtaining a new license for the CipherTrust Manager and its Connectors when a CipherTrust Manager Virtual appliance is cloned?

Purchase a new CipherTrust Manager Virtual appliance license and Connector licenses. Contact the Thales Sales team.

How can Connector licenses be moved between two sets of CipherTrust Manager clusters?

To move a Connector license from one CipherTrust Manager cluster to another, revoke the Connector license on one cluster and then reactivate it using the second cluster's Connector Lock Code. The new license string should be uploaded to the second CipherTrust Manager cluster. To revoke a Connector license, contact Thales Customer Support.

Does a CipherTrust Manager Virtual appliance restored from a snapshot need a new license?

When a CipherTrust Manager Virtual appliance is restored from a snapshot, its Key Manager Lock Code and Connector Lock Code do not change. The CipherTrust Manager Virtual appliance does not need a new license.

How are CipherTrust Transparent Encryption (CTE) and Live Data Transformation (LDT) enforced on the CipherTrust Manager?

CTE and LDT licenses are enforced on per client usage. LDT is dependent on a CTE license. An active CTE license is required to use LDT licenses.

How is a CTE - TransparentEncryption feature license different from a CTE_UserSpace license?

A CTE_UserSpace license is required to register the CTE UserSpace clients with a CipherTrust Manager. CTE UserSpace is the rebranded ProtectFile FUSE that follows the same licensing model as ProtectFile.

The CTE - TransparentEncryption feature is required to register CTE (rebranded VTE-Vormetric Transparent Encryption) clients with the CipherTrust Manager.

Can I register CTE_UserSpace clients with the active ProtectFile licenses on the CipherTrust Manager?

Yes, a CTE_UserSpace client honours both ProtectFile and CTE_UserSpace feature activations on the CipherTrust Manager. If both features are active, you can register clients equivalent to the aggregate capacity of the ProtectFile and CTE_UserSpace licenses.

Can I use CTE for SAP HANA on the CipherTrust Manager? Is there a specific license requirement?

If you have purchased a CTE for SAP HANA license, you will have the base CTE - TransparentEncryption feature license to register your SAP HANA servers with the CipherTrust Manager.

Does the CipherTrust Manager 2.0 support Efficient Storage, Container Security, and Teradata licenses?

Efficient Storage, Container Security, and Teradata are not supported on the CipherTrust Manager 2.0. However, they are on the product roadmap. Equivalent licenses will be available when the support for these features is added in future CTE releases.

Is there a mapping for transparent encryption product names with the CipherTrust Manager license features?

The following table lists equivalent license feature names for transparent encryption products:

Product NameFeature Name on CipherTrust Manager
CipherTrust Transparent Encryption (CTE)CTE - TransparentEncryption
CTE Live Data TransformationCTE - LiveDataTransformation
CipherTrust Transparent Encryption UserSpaceCTE_UserSpace