Release Note for CTE v7.3 for Linux
| Release Note Version | Date |
|---|---|
| v7.3.0.135 | 2022-11-22 |
Release v7.3.0.135 of CipherTrust Transparent Encryption (CTE) for Linux adds new features, fixes known defects and addresses known vulnerabilities.
New Features and Enhancements
The major improvements to CTE for Linux in this release are:
- Cloud Object Storage GuardPoints now supported for RHEL 9
  See CTE for Cloud Object Storage for more information.
- Support for LDT Multiple communication groups
- Dynamic Configuration support: ptrace protection
  To prevent process injection attacks, Thales implemented global blocking of the ptrace system call. This feature provides configurable options for disabling the ptrace system call according to user need.
  See Blocking ptrace system calls to prevent process injection attacks.
- SystemD Protection
  In Red Hat 7 and subsequent versions, a lot of system functionality has moved to `/etc/systemd/`, which was previously not protected by CipherTrust Transparent Encryption. CipherTrust Transparent Encryption now gives you the option to protect it, so that no one can modify or delete files there. See SystemD Protection.
- User Cache Lookup Improvements
  CTE has added this feature to improve the performance of the user cache lookup function, which holds information such as the username and group name(s), plus timestamps and other supporting flags. Lookup performance improves by allowing user-configurable values for lookup retries and user information refresh times.
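The ptrace protection feature above blocks the ptrace system call host-wide. The probe below, added here as an example and not Thales code, lets an administrator confirm on a host that the block is actually in effect: it forks an idle child and attempts PTRACE_ATTACH to it, and a system-wide block normally surfaces as EPERM. The function name and result codes are my own, not part of CTE.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (names chosen for this example, not a CTE API). */
enum ptrace_probe { PROBE_ALLOWED = 0, PROBE_BLOCKED = 1, PROBE_ERROR = -1 };

/* Fork an idle child, try PTRACE_ATTACH to it, and report whether the kernel
 * allowed it. A system-wide ptrace block, such as the CTE feature described
 * above, normally refuses the attach with EPERM; *saved_errno receives errno. */
int probe_ptrace_attach(int *saved_errno)
{
    int result;
    pid_t child = fork();
    if (child < 0) {
        if (saved_errno) *saved_errno = errno;
        return PROBE_ERROR;
    }
    if (child == 0) {
        for (;;)                      /* child: idle until the parent kills us */
            pause();
    }
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
        int status;
        waitpid(child, &status, 0);   /* child stops once the attach lands */
        ptrace(PTRACE_DETACH, child, NULL, NULL);
        result = PROBE_ALLOWED;
    } else {
        if (saved_errno) *saved_errno = errno;
        result = (errno == EPERM) ? PROBE_BLOCKED : PROBE_ERROR;
    }
    kill(child, SIGKILL);             /* always reap the helper child */
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    int err = 0, r = probe_ptrace_attach(&err);
    printf("ptrace attach: %s\n", r == PROBE_BLOCKED ? "refused (block in effect)"
           : r == PROBE_ALLOWED ? "allowed (no block for this user)" : strerror(err));
    return 0;
}
```

Run it as the user whose processes should be protected; a PROBE_ERROR with an errno other than EPERM points at something other than the ptrace block (for example, a container seccomp profile) and is worth investigating before trusting the result.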
New Platform Support
The following kernels are supported starting with CTE MISSING VARIABLE: 74:
RHEL
- RHEL 8.8
Rocky Linux
- Rocky Linux 8.7
Ubuntu
- New 5.15 kernels for Ubuntu 20.04
- New 5.15 kernels for Ubuntu 22.04
Secure Boot Advisory
For CipherTrust Transparent Encryption to support Secure Boot, the signing key for CTE kernel modules must be renewed every three years. Thales' current schedule for changing the signing key is the first week of 2024. Customers who use Secure Boot with CTE must add the new certificate, matching the new signing key, to their systems by the end of 2023 to ensure a smooth upgrade. In CTE 7.5, Thales will provide instructions for obtaining the new certificate.
Resolved Issues
- AGT-40029: Log level for ptrace_protection not set correctly
  If you select 'Disabled for All', make sure that you set the log level on CipherTrust Manager to WARN or higher. If it is left at the default log level of ERROR, no ptrace-related messages are logged in the vmd.log file.
- AGT-40486: [CS1331851] CTE installation fails to load kernel on hardened SLES-12 SP5
  On Linux, with CTE version 7.2.0 and earlier, installation fails if the sysctl parameter `kernel.kptr_restrict` is set to a value greater than 0. The solution is to upgrade to CTE 7.3.0.
- AGT-41593: User is able to guard a GuardPoint while a single file rekey is occurring
  For Linux, LDT Communication Group member hosts cannot guard or unguard GuardPoints that have single file rekey jobs in progress. Attempts to guard or unguard result in a warning message, and the operation is automatically retried until all single file rekey jobs are finished and the state of the GuardPoint can be changed.
- AGT-41712: LDT GuardPoint could not be guarded after upgrading from 7.2.0 to 7.3.0 for LDT over CIFS
  When upgrading from CipherTrust Transparent Encryption 7.2.0, all nodes in an LDT Communication Group must be upgraded together to 7.3.0. Rolling upgrades do not work because CipherTrust Transparent Encryption 7.3.0 introduces security improvements and authentication features that involve LDT communication groups. All nodes must run CipherTrust Transparent Encryption 7.3.0 to be able to communicate.
  See Upgrading the CTE-LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0 for more information.
Known Issues
- AGT-44159: GuardPoint reports as busy when user tries to uninstall, so uninstall fails
  Work-around:
  Manually terminate the process that is holding the service. The error message should indicate which process is causing the problem.
- AGT-41663: After adding files to an exclusion key rule in an existing LDT policy, files are not excluded; they are encrypted with the LDT key
  Work-around:
  Create a new policy. The exclusion key rule works when it is created in a new policy.
- AGT-41671: For RHEL 8: Upgrade on Reboot: error generated for rh8_selinux_permission: command not found
  When scheduling an upgrade on reboot, the user gets the error message "./installer: line 608: rh8_selinux_permission: command not found".
  Work-around:
  Ignore the message. Scheduling the upgrade on reboot will be successful.