Release Notes for CTE UserSpace
Release Note | Date | Version |
---|---|---|
10.5.0.49 | 2025-08-28 | v2 |
New Features and Enhancements
Confidential Computing Support
Confidential Computing has been expanded for CTE and is no longer a technical preview. Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while it is being processed by the application, to protect it from a broad range of software attacks. Confidential Computing ensures that all data operations are executed within a Trusted Execution Environment.
- See Confidential Computing: Integrating Intel® Tiber™ Trust Services and Intel TDX, with Microsoft Azure or Google Cloud Platform for more information.
Phased Migration from CTE-U 9.x to 10.x
Previously, all clients on a CTE-U network had to contain the same version of CTE-U because CTE-U 10.x could read the header files in the CTE-U 9.x files, but it could not write to them. This was cumbersome for large networks that had large numbers of CTE-U 9.x clients accessing multiple GuardPoints over multiple NFS shares. Now, you can perform a phased migration. CTE-U 9.x and CTE-U 10.x clients can exist on the same network and access the same network share because now, CTE-U 10.x can read from, and write to, the header files in CTE-U 9.x and migrate the data to the latest version.
- See Phased migration from CTE-U 9.x to CTE-U 10.x for more information.
CTE-U Cloud Object Storage is now supported on Ubuntu AWS
- See the Compatibility Portal for more information.
- See CTE-U Prerequisites for Ubuntu with Cloud Object Storage (COS) for more information.
CTE-U now supports B-Tree Filesystem (BTRFS)
- See the Compatibility Portal for more information.
New Platform Supported
- Amazon Linux 2023
Resolved Issues
- AGT-64589 [CS1612907]: Many "Operation not permitted" in /var/log/messages
  AFFECTED VERSIONS: 10.3.0.65 — 10.5.0.49
  CTE-U was generating log messages stating "failed to restore acc/mod time on <filename> (Operation not permitted)". The code was changed so that when this error was encountered, it retried the restore operation as root, and only logged the message if the second attempt also failed. This resulted in CTE-U no longer generating these messages.
- AGT-64627 [CS1615967]: On Ubuntu 24.04 TLS/SSL, when listing files in a GuardPoint, CTE shows "No data available"
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  The issue occurred because the extended attributes were not set properly. This has been fixed. CTE now manages error handling properly when listing extended attributes.
- AGT-66242: GuardPoint level tuning for setting log level using voradmin command does not work as expected
  AFFECTED VERSIONS: 10.5.0.49
  All voradmin config options are now supported per GuardPoint.
- AGT-66425: Uploading a file on an S3 bucket GuardPoint failing intermittently for file size greater than 10MB
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  This has been fixed.
Known Issues
- AGT-44852: Cannot delete very long file names in FreeBSD
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  A path length longer than 1024 characters is not supported.
- AGT-45125: Execute program from the GuardPoint
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  Due to the implementation of the FreeBSD kernel, executing a program inside of a GuardPoint is not supported. As a result, process sets and signature sets are not supported for programs inside of a GuardPoint in FreeBSD in CTE-U.
- AGT-46856: FUSE protocol violation warning message
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  The kernel driver displays this message because the file size reported by CTE differs from the size of the actual file, so FuseFS assumes that something has changed and triggers the warning. This message is benign and can be ignored.
- AGT-47108: Enabling Concise logging does not reduce logs as compared to when it is disabled
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  In the future, Thales will try to enhance this feature to reduce the logs more.
- AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  CTE-U does not support security rules with process sets, or user sets, for block devices. Refer to Sample Policy for Block Devices.
- AGT-48348: Raw device GuardPoint gets stuck in processing state after being removed from agent
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, it is not possible to cleanly stop secfs-fuse. Attempts to do so may result in a hang where recovery is only possible by power cycling the machine. For these reasons, block device GuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or previous versions.
- AGT-48349: Direct IO does not work with mmap or buffered IO
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  Writing to a file without direct IO, and then reading from the same file with direct IO, while using a different file descriptor, without syncing or closing the first file descriptor, causes the read to fail to get the correct data.
  Work-around
  Disable writeback cache:
  voradmin secfs config writeback_cache_local 0 <GP>
- AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  Work-around
  Run the following Data Transformation cleanup command before transforming the data:
  dataxform --cleanup --gp <gp_path>
- AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  If the file does not have write permissions, then when updating, the keyid fails and CTE-U generates an I/O error.
  Work-around
  In CTE to CTE-U migration, you must have full write OS permissions for the files copied from the CTE backup to the CTE-U GuardPoint.
- AGT-48532 [CS1506097]: Using a Standard Policy with an XTS key, when user migrated from a CipherTrust Manager to another CipherTrust Manager, key stopped working
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  When a key is backed up and restored to a different domain or CipherTrust Manager, the keyid may be changed and trigger a protection code in CTE-U that is designed to prevent accidental use of the wrong key or accidental double encryption.
  Work-around
  See Migrating an Encryption Key for more information.
- AGT-49859: GuardPoints are not healthy when partial config is enabled for CTE-U client
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  The Partial Config feature in CipherTrust Manager v2.15 GA requires CTE-U v10.2.0.80, v10.3.0.19 or subsequent versions.
- AGT-50831 [CS1526318]: Failed to run mkdir from NFS client after guarded by CTE-U
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  The issue only occurs on the HP-UX NFS client. It cannot access that problematic directory.
  Work-around
  Unmount the mount point and then remount it. Use the following mount options:
  mount -o hard,vers=4,proto=tcp,retry=10,noac,actimeo=0,readdir
- AGT-54610: Failed to create a file with only a write action in the key rule
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  When a policy on CipherTrust Manager has only write access for a user/process set, the corresponding user/process set on the agent should be able to write to the file. However, due to the FUSE design, CTE-U needs to check for getattr permissions on every operation. Due to this limitation, CTE-U did not give the user the write permission.
  Work-around
  Customers must grant read attribute permissions to all of the directories & files in the policy. Select the actions for d_rd_att, f_rd_att and write.
- AGT-55110: Switching existing MFA client profile, that used register_host, failed on CipherTrust Manager enrollment
  AFFECTED VERSIONS: 10.3.0.65 — 10.5.0.49
  Work-around
  In CipherTrust Manager, change the existing Multifactor Authentication "Select MFA Exempted User Set" parameter to your new target user set.
- AGT-59525: CTE-U open() O_RDONLY fails on guarded file with append only attribute
  AFFECTED VERSIONS: 10.3.0.65 — 10.5.0.49
  Running lsattr on a guarded file with the append only attribute fails with "Input/output error".
- AGT-61084: Guarding a bucket which is not present
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  The issue occurs when an AWS bucket is added as a GuardPoint, but the bucket does not exist on AWS.
- AGT-61174: AWS S3 LS operation works even after deleting credential using voradmin cos s3 cred delete
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
- AGT-61735: Garbage files being created when CTE-U opened a file in CTE Windows over CIFS
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  Workaround
  Disable temp file creation on the CTE Windows.
  voradmin ldt sxf set 0
- AGT-63130: The mkdir and chown commands fail with HP-UX NFS client where GuardPoint is mounted
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  CTE-U does not support process-based access checks with the export scenario. Therefore, you must either disable the authenticator check or add the NFS process as an authenticator.
  See Exporting GuardPoints over NFS for more information.
- AGT-63195: CTE-U UID authentication not working with TMUX
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  Workaround
  To create a TMUX session that has the authority of the user who started the TMUX session, use either of two methods:
  - Add usr/bin/tmux as an authenticator in the CipherTrust Manager client settings for this client.
  - Run voradmin secfs config uid_search 0 to set the CTE-U UID authentication to its previous method.
- AGT-65631: Internal server error observed if the awscli version is greater than v2.23.0 and the botocore version is 1.35 or a previous version
  AFFECTED VERSIONS: 10.5.0.49
  Beginning with AWS CLI version 2.23.0, AWS implemented enhanced and more efficient checksum algorithms, including CRC-64/NVME, CRC32, CRC32C, SHA1, and SHA256, with CRC64-NVME set as the new default for the CLI. Users need to use an earlier version of the AWS CLI to accommodate this change.
  To get the older version, do the following:
  - Download the image, type:
    wget https://awscli.amazonaws.com/awscli-exe-linux-x86_64-<version number>.zip
    Example:
    wget https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.22.35.zip
  - Unzip the file, type:
    $ unzip awscli-exe-linux-x86_64-<version number>.zip
  - Install the software as an administrator:
    $ sudo ./aws/install
- AGT-66431: High CPU utilization when deleting large numbers of files
  AFFECTED VERSIONS: 10.5.0.49
  This issue occurred due to a change that was made for memory usage improvement in CTE-U. The problem was that if a very large number of files already have their information stored in a specific memory block, and they are all removed from that block simultaneously, there is a bottleneck in the freeing of the data. This has been fixed.
- AGT-66896: COS | Unable to upload 0 byte file to the guarded bucket
  AFFECTED VERSIONS: 10.5.0.49
  CTE-U does not support uploading 0 byte files to a Cloud Object Storage GuardPoint.
- AGT-66913: Unable to download file in ranges from bucket
  AFFECTED VERSIONS: 10.5.0.49
  Range download is not supported on COS for CTE-U.
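
For AGT-65631 above, a host check that classifies an `aws --version` line against the 2.23.0 boundary the note gives. This is an added example, not Thales or AWS code; the function names and sample version lines are constructed for illustration, it follows the note's body text in treating 2.23.0 itself as affected, and it does not inspect botocore.

```shell
#!/bin/sh
# Added example: classify an AWS CLI version against the 2.23.0 boundary
# described in AGT-65631. Function names are hypothetical.

# Extract "X.Y.Z" from a line shaped like `aws --version` output.
awscli_version() {
    printf '%s\n' "$1" |
        sed -n 's|^aws-cli/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Return 0 when version $1 >= version $2, comparing each field numerically.
# A plain string comparison would wrongly rank 2.9.x above 2.23.x.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # splits into: maj min patch maj min patch
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Print "affected", "not-affected" or "unknown" for one version line.
cte_u_awscli_status() {
    v=$(awscli_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    if version_ge "$v" 2.23.0; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample lines (not captured from a real host).
for line in \
    "aws-cli/2.22.35 Python/3.12.6 Linux/6.8.0-45-generic exe/x86_64.ubuntu.24" \
    "aws-cli/2.23.0 Python/3.12.6 Linux/6.8.0-45-generic exe/x86_64.ubuntu.24" \
    "aws-cli/2.9.23 Python/3.9.11 Linux/5.15.0-91-generic exe/x86_64.ubuntu.22"
do
    printf '%s -> %s\n' "$line" "$(cte_u_awscli_status "$line")"
done
```

On a live host, pass the real output instead of a sample: `cte_u_awscli_status "$(aws --version 2>&1)"`.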