Release Note for CTE v7.7.0 for Linux
| Release Note Version | Date |
|---|---|
| v7.7.0.87 | 2024-12-17 |
This release of CipherTrust Transparent Encryption (CTE) for Linux adds new features, fixes known defects and addresses known vulnerabilities.
New Features and Enhancements
Ransomware Protection Support
The CTE Linux agent now supports Ransomware Detection and Protection: the agent monitors GuardPoints, detects ransomware activity on Linux systems, and protects all of the data inside a CTE GuardPoint from a ransomware attack.
- See Ransomware Protection Support for more information.
Confidential Computing Support
Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while it is being processed by the application, to protect it from a broad range of software attacks. Confidential computing ensures that all data operations are executed within a Trusted Execution Environment.
CipherTrust Transparent Encryption and CipherTrust Manager manage the attestation process used to provision confidential computing on VMs running CTE agents, providing end-to-end data protection. CTE's role in this confidential computing model is to gather the attestation evidence and deliver it to CipherTrust Manager, which has it attested by Intel® Tiber™ Trust Services. If attestation fails, CTE prevents access to the encrypted data that it guards.
Caution
This feature is a technical preview for evaluation in non-production environments. Details and functionality are subject to change.
Support for Designated Primary Set in an LDT GuardPoint Group
You can now manually designate a preferred primary node in an LDT Communication Group.
- See Managing Designated Primary Set for more information.
CipherTrust Data Security Platform Services (CDSPaaS) Support
Support added for CipherTrust Data Security Platform Services (CDSPaaS) as a key manager.
Specify directory-process combinations in Trusted Process Exception list
Starting from CTE 7.7.0, users can exclude specific directory-process combinations from Ransomware detection and protection. The Process set now also allows inclusion of Signature sets, so that the matching processes can be exempted from Ransomware Protection.
Users can define trusted process-directory combinations, include signature sets, and exclude those directories and processes from Ransomware Protection monitoring.
- See Adding Trusted Processes in the Ransomware Protection policy (Linux) for more information.
Loss of LDT Primary Host NAS Connection
Loss of the NAS connection requires failover of the primary client to another client in the LDT GuardPoint Group. An LDT GuardPoint Group whose primary client is its only member has no other client to fail over to. In this release, CTE Agent does not perform a failover within an LDT GuardPoint Group in which the primary client is the sole member of the group. If the NAS connection is lost, LDT operations are blocked until the NAS connection is restored, subject to the hard or soft mount options enforced for the NAS share.
Enhancement of Dynamic Resource Sets on LDT Local GuardPoints with no_key_rule status
When using Dynamic Resource Sets with LDT in CTE 7.7, and registering with CipherTrust Manager v2.17 or a subsequent version, the CTE Agent sets the rekey status of files not associated with a key rule to `rekey_no_keyrule`. Previously, such files were set to `rekey_excluded`. The new key rule allows LDT to launch and rekey the files associated with the resource set; before the key rule was included, the files associated with the resource set remained in clear text.
New Platform Support
The following platforms are supported starting with CipherTrust Transparent Encryption 7.7.0:
Ubuntu
- Ubuntu 22.04 (6.5 Azure kernels)
- Ubuntu 24.04 (6.8 generic and Azure kernels)
Resolved Issues
- AGT-59437 [CS1551737]: LDT over NFS, slow rekey
  The LDT internal messaging process for NFS GuardPoints was improved. This improvement makes rekey operations significantly faster.
- AGT-59512 [CS1558298]: Server is hanging due to secfs2 filesystem
  Resolved a potential cause of system hang under low or fragmented memory conditions, which might cause soft lockups for tasks running on all CPUs.
Known Issues
- AGT-46320: Backup file with exclusion clear_key on LDT NFS GuardPoint does not contain ldt xattr
  This issue occurs because the resource was not defined in the key rule.
- AGT-61568: Renaming /dir1 with LDT encrypted data to /dir2 with implicit exclude results in the wrong sum value
  Moving directories between LDT encrypted directories with an exclusion key rule and an implicit exclude with a dynamic resource policy does not work properly.
- AGT-61687: Renaming directories crossing conflicting key rules corrupts files affected by the rename
  Work-around: Rename the key rule with a unique key rule name.