Release Notes for CTE UserSpace
| CTE-U Version | Date | Version |
|---|---|---|
| 10.4.0.72 | 2025-08-28 | v2 |
New Features and Enhancements
Clarified documentation for format compatibility between CTE-U and CTE
Updated the documentation for clarity on format compatibility for AES-CBC-CS1 and AES-CBC.
- See File Systems Compatibility for more information.
Confidential Computing Support
Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while it is being processed by the application, to protect it from a broad range of software attacks. Confidential computing ensures that all data operations are executed within a Trusted Execution Environment.
CTE-U and CipherTrust Manager manage the attestation process to provision confidential computing on VMs running CTE agents, providing end-to-end data protection. The role of CTE-U in this confidential computing model is to gather the evidence and provide it to CipherTrust Manager, which has it attested by Intel® Tiber™ Trust Services. If attestation fails, CTE-U prevents access to the encrypted data that it guards.
Caution
This feature is a technical preview for evaluation in non-production environments. Details and functionality are subject to change.
Cloud Object Storage Support
Cloud Object Storage support for CTE-U is identical to Cloud Object Storage for CipherTrust Transparent Encryption.
- See CTE for Cloud Object Storage for more information.
Added support for the CIFS filesystem
CIFS is supported with Red Hat Enterprise Linux (RHEL) and Ubuntu.
Resolved Issues
- AGT-61330 [CS1563353]: Build 10.3.0.74 generating a Readdir Segmentation fault error
  The issue occurred when multi-threaded directory listing operations on FreeBSD intermittently caused system hangs. The solution was to introduce a locking mechanism to prevent crashes and ensure thread safety during directory operations.
- AGT-61331 [CS1563353]: FREEBSD needs analysis for short hang occurred (~2 mins) when lockbox tried to use credential file
  This issue was caused by a multi-threaded application that hung at startup due to a deadlock in the FUSE driver. The solution was to avoid calling that driver.
- AGT-61532 [CS1582276]: Authenticator not working
  The issue occurred when `sshd` was removed as an authenticator. The CTE-U authenticator code process table had an incorrect initial (default) state, so if you removed `sshd` as an authenticator and logged in through `ssh`, the authenticated user value was not valid. The solution was to correct the default state of the process table.
- AGT-61644: Agent information is not getting generated by CTE-U agent (Ubuntu) when requested by CipherTrust Manager
  The issue occurred because CTE-U was using an invalid bundle to find the Certificate Authority (CA), and the trust store was not valid or up to date, so it failed. The solution was to change the code to call the proper bundle to find the CA.
Known Issues
- AGT-44852: Cannot delete very long file names in FreeBSD
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  A path length longer than 1024 characters is not supported.
- AGT-45125: Execute program from the GuardPoint
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  Due to the implementation of the FreeBSD kernel, executing a program inside of a GuardPoint is not supported. As a result, process sets and signature sets are not supported for programs inside of a GuardPoint in FreeBSD in CTE-U.
- AGT-46856: FUSE protocol violation warning message
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  The kernel driver displays this message because the file size reported by CTE is different from the file size of the actual file, so FuseFS thinks something has changed and triggers the warning. This message is benign and can be ignored.
- AGT-47108: Enabling Concise logging does not reduce logs as compared to when it is disabled
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  In the future, Thales will try to enhance this feature to reduce the logs more.
- AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  CTE-U does not support security rules with process sets, or user sets, for block devices. Refer to Sample Policy for Block Devices.
- AGT-48348: Raw device GuardPoint gets stuck in processing state after being removed from agent
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, it is not possible to cleanly stop `secfs-fuse`. Attempts to do so may result in a hang where recovery is only possible by power cycling the machine. For these reasons, block device GuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or previous versions.
- AGT-48349: Direct IO does not work with mmap or buffered IO
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  Writing to a file without direct IO, and then reading from the same file with direct IO through a different file descriptor, without syncing or closing the first file descriptor, causes the read to fail to return the correct data.
  Work-around
  Disable the writeback cache:
  `voradmin secfs config writeback_cache_local 0 <GP>`
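The access pattern described for AGT-48349, as an added check script that is not part of these release notes or of CTE-U. It assumes Linux and Python 3; the scratch file name and the `run_check` helper are mine, and the sample payload is constructed.

```python
import errno
import mmap
import os
import tempfile

BLOCK = 4096  # O_DIRECT needs a block-aligned buffer, offset and length


def direct_read_matches_buffered_write(path):
    """AGT-48349 pattern on `path`: True if an O_DIRECT read through a second
    descriptor sees data written via a still-open, unsynced buffered descriptor,
    False if it does not (the symptom), None if O_DIRECT is refused here."""
    o_direct = getattr(os, "O_DIRECT", None)  # absent on non-Linux platforms
    if o_direct is None:
        return None
    payload = b"A" * BLOCK  # constructed sample data
    # First descriptor: plain buffered write, deliberately neither synced nor closed.
    wfd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        if os.write(wfd, payload) != BLOCK:
            return None
        # Second descriptor: O_DIRECT read of the same file while the first is open.
        try:
            rfd = os.open(path, os.O_RDONLY | o_direct)
        except OSError as exc:
            if exc.errno == errno.EINVAL:  # filesystem does not support O_DIRECT
                return None
            raise
        try:
            # An anonymous mmap is page-aligned, which O_DIRECT requires.
            with mmap.mmap(-1, BLOCK) as buf:
                try:
                    n = os.readv(rfd, [buf])
                except OSError as exc:
                    if exc.errno == errno.EINVAL:
                        return None
                    raise
                return n == BLOCK and buf[:n] == payload
        finally:
            os.close(rfd)
    finally:
        os.close(wfd)
        os.unlink(path)


def run_check(directory=None):
    """Run the check on a scratch file, by default in the system temp directory."""
    directory = directory or tempfile.gettempdir()
    return direct_read_matches_buffered_write(os.path.join(directory, "cteu_directio_check.bin"))
```

Call `run_check("/path/inside/guardpoint")` before and after applying the work-around: a healthy GuardPoint returns True, one showing the AGT-48349 symptom returns False.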
- AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  Work-around
  Run the following Data Transformation cleanup command before transforming the data:
  `dataxform --cleanup --gp <gp_path>`
- AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  If the file does not have write permissions, then the keyid update fails and CTE-U generates an I/O error.
  Work-around
  In a CTE to CTE-U migration, you must have full write OS permissions for the files copied from the CTE backup to the CTE-U GuardPoint.
- AGT-48532 [CS1506097]: Using a Standard Policy with an XTS key, when user migrated from a CipherTrust Manager to another CipherTrust Manager, key stopped working
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  When a key is backed up and restored to a different domain or CipherTrust Manager, the keyid may be changed, which triggers a protection code in CTE-U that is designed to prevent accidental use of the wrong key or accidental double encryption.
  Work-around
  See Migrating an Encryption Key for more information.
- AGT-49859: GuardPoints are not healthy when partial config is enabled for CTE-U client
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  The Partial Config feature in CipherTrust Manager v2.15 GA requires CTE-U v10.2.0.80, v10.3.0.19 or subsequent versions.
- AGT-54610: Failed to create a file with only a `write` action in the key rule
  AFFECTED VERSIONS: 10.2.0.72 — 10.4.0.72
  When a policy on CipherTrust Manager has only `write` access for a user/process set, the corresponding user/process set on the agent should be able to write to the file. However, due to the FUSE design, CTE-U needs to check for `getattr` permissions for every operation. Due to this limitation, CTE-U did not give the user the `write` permission.
  Work-around
  Customers must grant read attribute permissions to all of the directories and files in the policy. Select the actions `d_rd_att`, `f_rd_att` and `write`.
- AGT-55110: Switching existing MFA client profile, that used `register_host`, failed on CipherTrust Manager enrollment
  AFFECTED VERSIONS: 10.3.0.65 — 10.4.0.72
  Work-around
  In CipherTrust Manager, change the existing Multifactor Authentication `Select MFA Exempted User Set` parameter to your new target user set.
- AGT-59525: CTE-U open() O_RDONLY fails on guarded file with append only attribute
  AFFECTED VERSIONS: 10.3.0.65 — 10.4.0.72
  Running `lsattr` on a guarded file with the append-only attribute fails with `Input/output error`.
- AGT-61084: Guarding a bucket which is not present
  AFFECTED VERSIONS: 10.4.0.72
  The issue occurred when an AWS bucket was added as a GuardPoint, but the bucket did not exist on AWS.
- AGT-61174: AWS S3 LS operation works even after deleting credential using `voradmin cos s3 cred delete`
  AFFECTED VERSIONS: 10.4.0.72
- AGT-61735: Garbage files created when CTE-U opens a file in CTE Windows over CIFS
  AFFECTED VERSIONS: 10.4.0.72
  Work-around
  Disable temp file creation on the CTE Windows client:
  `voradmin ldt sxf set 0`
- AGT-63130: The `mkdir` and `chown` commands fail with HP-UX NFS client where GuardPoint is mounted
  AFFECTED VERSIONS: 10.4.0.72
  CTE-U does not support process-based access checks in the export scenario. Therefore, you must either disable the authenticator check or add the NFS process as an authenticator.
  See Exporting GuardPoints over NFS for more information.
- AGT-63195: CTE-U UID authentication not working with TMUX
  AFFECTED VERSIONS: 10.4.0.72
  Work-around
  To create a TMUX session that has the authority of the user who started the TMUX session, use either of two methods:
  - Add `usr/bin/tmux` as an authenticator in the CipherTrust Manager client settings for this client.
  - Run `voradmin secfs config uid_search 0` to set the CTE-U UID authentication to its previous method.
End of Life
- IBM discontinued support for Red Hat Enterprise Linux (RHEL) v7.0 on June 30, 2024. Therefore, CTE-U support has been discontinued for RHEL v7.0.
- As announced previously, in 10.3.0.74, Thales has discontinued support for Oracle 7 and SLES 11/12 starting with CTE-U v10.4.0.