Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Release Notes

Release Notes for CTE UserSpace

search
printsuggest an edit

Release Notes for CTE UserSpace

Release Note Version Date
10.4.0.72 2025-02-14

copy link to clipboardNew Features and Enhancements

copy link to clipboardClarified documentation for format compatibility between CTE-U and CTE

Updated the documentation for clarity on format compatibility for AES-CBC-CS1 and AES-CBC.

copy link to clipboardConfidential Computing Support

Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while it is being processed by the application, to protect it from a broad range of software attacks. Confidential computing ensures that all data operations are executed within a Trusted Execution Environment.

CTE-U and CipherTrust Manager manage the attestation process to provision confidential computing on VMs running on CTE agents to provide end-to-end Data Protection. The role for CTE-U in this confidential computing model is to gather the evidence and provide that to CipherTrust Manager to have it attested for by Intel® Tiber™ Trust Services. If attestation fails, CTE-U prevents access to the encrypted data that it guards.

Caution

This feature is a technical preview for evaluation in non-production environments. Details and functionality are subject to change.

copy link to clipboardCloud Object Storage Support

Cloud Object Storage support for CTE-U is identical to Cloud Object Storage for CipherTrust Transparent Encryption.

copy link to clipboardAdded support for the CIFS filesystem

CIFS is supported with Red Hat Enterprise Linux (RHEL) and Ubuntu.

copy link to clipboardResolved Issues

  • AGT-61330 [CS1563353]: Build 10.3.0.74 generating a Readdir Segmentation fault error

    The issue occurred when multi-threaded directory listing operations on FreeBSD intermittently caused system hangs. The solution was to introduce a locking mechanism to prevent crashes and ensure thread safety during directory operations.

  • AGT-61331 [CS1563353]: FREEBSD needs analysis for short hang occurred (~2 mins) when lockbox tried to use credential file

    This issue was caused by a multi-threaded application that hung at startup due to a deadlock in the fuse driver. The solution was to avoid calling that driver.

  • AGT-61532 [CS1582276]: Authenticator not working

    The issue occurred when sshd is removed as an authenticator. The CTE-U authenticator code process table had an incorrect initial (default) state, so if you removed sshd as an authenticator, and logged in through ssh, the authenticated user value was not valid. The solution was to correct the default state of the process table.

  • AGT-61644: Agent information is not getting generated by CTE-U agent (Ubuntu) when requested by CipherTrust Manager

    The issue occurred because CTE-U was using an invalid bundle to find the Certificate of Authority (CA) and the "trust store" was not valid, or up to date, so it failed. The issue was to change the code to call the proper bundle to find the CA.

copy link to clipboardKnown Issues

  • AGT-44852: Cannot delete very long file names in FreeBSD

    A path length longer than 1024 characters is not supported.

  • AGT-45125: Execute program from the GuardPoint

    Due to the implementation of the FreeBSD kernel, executing a program inside of a GuardPoint is not supported. As a result, process sets and signature sets are not supported for programs inside of a GuardPoint in FreeBSD in CTE-U.

  • AGT-46856: FUSE protocol violation warning message

    The kernel driver displays this message because the file size reported by CTE is different than the file size of the actual file. So FuseFS thinks something has changed and triggers the warning. This message is benign and can be ignored.

  • AGT-47108: Enabling Concise logging does not reduce logs as compared to when it is disabled

    In the future, Thales will try to enhance this feature to reduce the logs more.

  • AGT-47230: Missing IOCTL in CTE-U causes VMSec challenge to claim that a challenge is needed

    Invalid. CTE-U does not support challenge/response.

  • AGT-48249: Direct IO does not work with mmap or buffered IO

    Writing to a file without direct IO, and then reading from the same file with direct IO, while using a different file descriptor, without syncing or closing the first file descriptor, causes the read to fail to get the correct data.

    Work-around

    Disable writeback cache:

    voradmin secfs config writeback_cache_local 0 <GP>

  • AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access

    CTE-U does not support security rules with process sets, or user sets, for block devices. Refer to Sample Policy for Block Devices.

  • AGT-48348: Raw device GuardPoint gets stuck in processing state after being removed from agent

    In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, it is not possible to cleanly stop secfs-fuse. Attempts to do so may result in a hang where recovery is only possible by power cycling the machine. For these reasons, block deviceGuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or previous versions.

  • AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once

    Work-around

    Run the following Data Transformation cleanup command before transforming the data:

    dataxform --cleanup --gp <gp_path>

  • AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2

    If the file does not have write permissions, then when updating, the keyid fails and CTE-U generates an I/O error.

    Work-around

    In CTE to CTE-U migration, you must have full write OS permissions for the files copied from the CTE backup to the CTE-U GuardPoint.

  • AGT-48532 [CS1506097] Using a Standard Policy with an XTS key, when user migrated from a CipherTrust Manager to another CipherTrust Manager, key stopped working

    When a key is backed up and restored to a different domain or CipherTrust Manager, the keyid may be changed and trigger a protection code in CTE-U that is designed to prevent accidental use of the wrong key or accidental double encryption.

    Work-around

    See Migrating an Encryption Key for more information.

  • AGT-49859: GuardPoints are not healthy when partial config is enabled for CTE-U client

    The Partial Config feature in CipherTrust Manager v2.15 GA requires CTE-U v10.2.0.80, v10.3.0.19 or subsequent versions.

  • AGT-50831 [CS1526318]: Failed to run mkdir from NFS client after guarded by CTE-U

    The issue only occurs on the HP-UX NFS client. It cannot access that problematic directory.

    Work-around

    Unmount the mount point and then remount it. Use the following mount options:

    mount -o hard,vers=4,proto=tcp,retry=10,noac,actimeo=0,readdir

  • AGT-54610: Failed to create a file with only a write action in the key rule

    When a policy on CipherTrust Manager has only write access for user/process set, the corresponding user/process set, on the agent, should be able to write to the file. However, due to the FUSE design, for every operation, CTE-U needs to check for getattr permissions. Due to this limitation, CTE-U did not give the user the write permission.

    Work-around

    Customers must grant read attribute permissions to all of the directories & files in the policy. Select the actions for d_rd_att, f_rd_att and write.

  • AGT-55110: Switching existing MFA client profile, that used register_host, failed on CipherTrust Manager enrollment

    Work-around

    In CipherTrust Manager, change the existing Multifactor Authentication Select MFA Exempted User Set parameter to your new target user set.

  • AGT-59525: CTE-U open() O_RDONLY fails on guarded file with append only attribute

    Running lsattr on a guarded file with the append only attribute fails with Input/output error.

  • AGT-61084: Guarding a bucket which is not present

    The issue occurred when am AWS bucket is added as a GuardPoint, but the bucket does not exist on AWS.

  • AGT-61174: AWS S3 LS operation works even after deleting credential using voradmin cos s3 cred delete

  • AGT-61735: Garbage files being created when CTE-U opened a file in CTE Windows over CIFS

    Workaround

    Disable temp file creation on the CTE Windows.

    voradmin ldt sxf set 0

  • AGT-63130: The mkdir and chown commands fail with HP-UX NFS client where GuardPoint is mounted

    CTE-U does not support process-based access checks with the export scenario. Therefore, you must either disable the authenticator check or add the NFS process as an authenticator.

    See Exporting GuardPoints over NFS for more information.

  • AGT-63195: CTE-U UID authentication not working with TMUX

    Workaround

    To create a TMUX session that has the authority of the user who started the TMUX session, use either of two methods:

    • Add usr/bin/tmuxas an authenticator in the CipherTrust Manager client settings for this client.

    • Run voradmin secfs config uid_search 0 to set the CTE-U UID authentication to its previous method.

copy link to clipboardEnd of Life

  • IBM discontinued support for Red Hat Enterprise Linux (RHEL) v7.0 on June 30, 2024. Therefore, CTE-U support has been discontinued for RHEL v7.0.

  • As announced previously, in 10.3.0.74, Thales has discontinued support for Oracle 7 and SLES 11/12 starting with CTE-U v10.4.0.

On this page