Introducing SafeNet KeySecure 8.2 and 8.2.1

SafeNet KeySecure 8.2 and 8.2.1

Featuring Scalable User Management, FPE and In-Field Software Updates

Overview:

We are pleased to announce that over the past few months we have continued making great strides with our market-leading data encryption and key management solutions. This month our focus is on ease of migration and improved usability – introducing SafeNet KeySecure 8.2 with Scalable User Management, Format Preserving Encryption (FPE), and In-field updates for our legacy and current customers. Gemalto is also pleased to offer 64-bit support for AWS Marketplace customers using SafeNet Virtual KeySecure version 8.2.1.

 SafeNet KeySecure 8.2 and 8.2.1 Highlights:

1.     Simplified Migration with In-Field Updates:

To ease your migration efforts, in-field software updates are now available for customers running SafeNet KeySecure or SafeNet DataSecure versions 6.x or earlier. After ensuring your legacy appliance has been updated to the latest 6.x release, simply download the SafeNet KeySecure 8.2 software on existing production and non-production environments (after properly backing up appliances) to easily install new features, upgrade core software and apply security patches.  In-field software updates ensure continuity over the next 14 months while you plan your migration strategy before the Start of Good Faith Support on September 30, 2016. In-field updates are also possible for new customers running on k250, k450 or k460 appliances. 

2.     Secure Encryption of Structured Data with FPE:
Encrypt structured data, such as credit card or social security numbers, with FPE. Encrypt data in a way that the plaintext input size matches the ciphertext output size without altering the data format. Currently we offer support for numeric formats, but are planning for alphanumeric support. Watch for more details. 

3.     Encryption Connectors:

Coinciding with the release of SafeNet KeySecure, version 8.2 of the following supported data protection Connectors are now available: SafeNet ProtectApp, SafeNet ProtectDB, SafeNet ProtectFile, and SafeNet Tokenization. Only Gemalto offers a single, high-availability solution that delivers centralized enterprise key management and data protection at all levels of the data flow, including the application, database (column or file), file system, full disk (virtual machine), and network attached storage levels. SafeNet KeySecure’s proven cryptographic performance means critical encryption tasks can be offloaded to a dedicated appliance, ensuring data protection efforts do not interfere with critical business operations.

4.     Scalable User Management:  Key and user management are now asynchronous, providing better operational scalability. 

5.     Galois Counter Mode (GCM) for AES Encryption and Decryption: GCM is a mode of operation for AES keys that provides both confidentiality via data encryption, and authenticity by creating an authentication tag for the entire length of the data. 

6.     Management Console Security Improvements: The session timeout value for the Management Console web interface is now configurable to help meet unique organizational security standards. In addition, extra support has been added to mitigate misuse of forms. 

7.     64-Bit Support: SafeNet Virtual KeySecure 8.2.1 and SafeNet Virtual KeySecure 8.2.1 BYOL featuring 64-bit support are now available on AWS Marketplace. This allows AWS customers to run SafeNet Virtual KeySecure in 64-bit AMI environments.

For additional information on these new features and capabilities, please contact your Gemalto Representative. 

Available SafeNet KeySecure Products:

Manage keys, unify encryption, and enforce access control across virtualized and cloud infrastructures 

A reminder that in addition to virtual and FIPS-certified appliances, Gemalto also offers the recently launched high-performance and entry-level appliances, giving you more migration options: 

1.       k460 High-Performance, FIPS Level 3 Certified Appliance:

The k460 appliance, built around the Dell R320 chassis, offers FIPS 140-2 Level 3 support with its K6 card.

2.       k450 High-Performance Appliance:

Designed using the Dell R320 chassis, the k450 is intended as a direct replacement to the SafeNet DataSecure i450 chassis. The k450 offers similar performance and capacity to the i460 without the requirement of a Pin Entry Device (PED) for appliance configuration.

3.       k250 Entry-Level Appliance:

The SafeNet KeySecure k250 is purpose-built as an entry-level appliance for small / medium customers.

4.       SafeNet Virtual KeySecure k150v Appliance for Virtual Environments:

SafeNet offers Virtual KeySecure in Amazon Web Services (AWS) Marketplace and VMware.

Migration Benefits:

Below you will find your SafeNet KeySecure/SafeNet DataSecure Migration Guide. Existing customers are encouraged to migrate to SafeNet KeySecure 8.2. In addition to providing the same functionality and features as SafeNet DataSecure, SafeNet KeySecure offers:

–       More Use Cases

  • Take advantage of Gemalto’s growing ecosystem – A wide range of partners provides greater coverage of not only storage appliances but also applications (COTS or in-house), database servers and cloud encryption gateways.
  • Access market leading KMIP storage/archive partners – In addition to the encryption capabilities previously offered by SafeNet DataSecure, SafeNet KeySecure allows customers to utilize KMIP (Key Management Interoperability Protocol) to monitor and manage keys residing on storage appliances from leading vendors including NetApp, Dell, HP, Hitachi, Brocade, Quantum, Nutanix, and IBM.
  • SafeNet Crypto Pack – a simple licensing option that transforms your key management appliance into a cryptographic server supporting the functionality previously associated with our SafeNet DataSecure product line. This option extends support to select Gemalto data protection connectors, including SafeNet ProtectApp, SafeNet ProtectDB and SafeNet Tokenization.

–       Route to cloud – SafeNet KeySecure gives customers the ability to evolve from on-premises or virtual data centers to private / public cloud. SafeNet KeySecure supports virtual appliances for VMware and AWS Marketplace.

–       Single, centralized platform for managing cryptographic content (keys and related data) and applications capable of running on-premises, in the cloud or hybrid environments.

–       Enhanced Security – Integration with SafeNet’s Network HSM (Luna SA), a hardware security module for added protection and key storage.

 Migration Guide:

SafeNet KeySecure k150 v6.x and earlier

| Legacy SafeNet KeySecure Product/s | Previous Part Number | Migration/Replacement Product | New Part Number | Benefits |
|---|---|---|---|---|
| SafeNet KeySecure k150, v6.1.1 | 947-000062-001-000 | k250 | 947-000314-001-000 | Entry-level appliance for use in SMB environments (peer-to-peer equivalent); Upgrade to SafeNet Crypto Pack for encryption use case support |
| | | k450 | 947-000500-001-000 | For customers requiring additional performance and key storage; Upgrade to SafeNet Crypto Pack for encryption use case support |
| | | k460 | 947-000325-001-000 | Added security (FIPS 140-2 Level 3); Remote management via PED; Additional performance/storage; Upgrade to SafeNet Crypto Pack for encryption use case support |
| | | In-Field Software Updates | Free Download from SafeNet Customer Support Portal | Upgrade existing appliances to the latest version of SafeNet KeySecure; Ensure continuity during migration; Easy installation of new features, upgrade core software and apply security patches; Run older appliances in cluster with new appliances |

SafeNet KeySecure k460 v6.x and earlier:

| Legacy SafeNet KeySecure Product/s | Previous Part Number | Migration/Replacement Product | New Part Number | Benefits |
|---|---|---|---|---|
| SafeNet KeySecure, k460, v6.0.1; SafeNet KeySecure, k460, v6.1.2 | 947-000051-001-000; 947-000035-001-000 | k460 with PED and iKeys | 947-000325-001-000 | Added security (FIPS 140-2 Level 3); Remote management via PED; Additional performance/storage; Upgrade to SafeNet Crypto Pack for encryption use case support |
| | | k460 no PED or iKeys | 947-000324-001-000 | Added security (FIPS 140-2 Level 3); Additional performance/storage; Upgrade to SafeNet Crypto Pack for encryption use case support |
| | | In-Field Software Updates | Free Download from SafeNet Customer Support Portal | Upgrade existing appliances to the latest version of SafeNet KeySecure; Ensure continuity during migration; Easy installation of new features, upgrade core software and apply security patches; Run older appliances in cluster with new appliances |

 

SafeNet Virtual KeySecure k150v v 6.x and Earlier (VMware)

| Legacy SafeNet Virtual KeySecure Product, VMware | Previous Part Number | Migration / Replacement Product | New Part Number | Benefits |
|---|---|---|---|---|
| SafeNet Virtual KeySecure k150v, VMware, v6.3, 1 Year | 947-000236-001-000 | SafeNet Virtual KeySecure, V8.x, Term Limited, 1 year, Plus Support | 947-000406-001-000 | One-to-one functionality with hardware appliance; Provides route to cloud and use case expansion for dynamic environments; Upgrade to SafeNet Crypto Pack for encryption use case support (customers need to contact Gemalto Customer Service to re-submit new BoxID for SafeNet Virtual KeySecure and connector licenses) |
| SafeNet Virtual KeySecure, k150v, VMware, v6.3, 2 Year | 947-000236-002-000 | SafeNet Virtual KeySecure, V8.x, Term Limited, 2 year, Plus Support | 947-000411-001-000 | |
| SafeNet Virtual KeySecure, k150v, VMware, v6.3, 3 Year | 947-000236-003-000 | SafeNet Virtual KeySecure, V8.x, Term Limited, 3 year, Plus Support | 947-000415-001-000 | |
| SafeNet Virtual KeySecure, k150v, VMware, v6.3, Perpetual | 947-000236-004-000 | SafeNet Virtual KeySecure, V8.x, Perpetual | 947-000313-001-000 | |

NOTE: To update the SafeNet Encryption Connector licenses, customers must create a new instance for SafeNet Virtual KeySecure, restore contents from the previous version’s backup, and then contact Gemalto Customer Service with the newly generated BoxID.

Non-Production Part Numbers:
Now available. Please contact your local Gemalto Sales Representative for further information.

SafeNet Virtual KeySecure k150v (AWS BYOL)
SafeNet Virtual KeySecure BYOL offers customers the flexibility of one-to-one functionality with the hardware appliance, a route to cloud, and use case expansion for dynamic environments.

Ordering Procedure:

1.     Download and install the AWS BYOL image.

2.     Take the BoxID generated from the install and contact Gemalto Customer Service.

3.     Order Connectors and Maintenance for SafeNet Virtual KeySecure.

4.     License files and installs are emailed to the customer.

SafeNet DataSecure i150 v6.x and earlier

| Existing SafeNet DataSecure Product/s | Previous Part Number | Migration/Replacement Product | New Part Number | Benefits |
|---|---|---|---|---|
| i150; i150 v6.1.1 | 947-000150-001-000; 947-000061-001-000 | k250, Crypto Bundle | 947-000347-001-000 | Entry-level appliance for use in SMB environments (peer-to-peer equivalent); Automatically enable SafeNet Crypto Pack and migrate connector licenses |
| | | k450, Crypto Bundle | 947-000503-001-000 | For customers requiring additional performance and key storage; Automatically enable SafeNet Crypto Pack and migrate connector licenses |
| | | k460, Crypto Bundle | 947-000340-001-000 | Added security (FIPS 140-2 Level 3); Remote management via PED; Additional performance/storage; Automatically enable SafeNet Crypto Pack and migrate connector licenses |
| | | In-Field Software Updates | Free Download from Gemalto Customer Support Portal | Upgrade existing appliances to the latest version of SafeNet KeySecure; Ensure continuity during migration; Easy installation of new features, upgrade core software and apply security patches; Run older appliances in cluster with new appliances |

SafeNet DataSecure i450 v6.x and earlier

| SafeNet DataSecure Product/s | Previous Part Number | Migration/Replacement Product | New Part Number | Benefits |
|---|---|---|---|---|
| i450 v6.1.1; i450 (Mark I Chassis) | 947-000064-001-000; 947-000031-001-000 | k450, Crypto Bundle | 947-000503-001-000 | For customers requiring additional performance and key storage; Automatically enable SafeNet Crypto Pack and migrate connector licenses |
| | | k460, Crypto Bundle | 947-000340-001-000 | Added security (FIPS 140-2 Level 3); Remote management via PED; Additional performance/storage; Automatically enable SafeNet Crypto Pack and migrate connector licenses |
| | | In-Field Software Updates | Free Download from Gemalto Customer Support Portal | Upgrade existing appliances to the latest version of SafeNet KeySecure; Ensure continuity during migration; Easy installation of new features, upgrade core software and apply security patches; Run older appliances in cluster with new appliances |

 SafeNet DataSecure i460 v6.x and earlier

| Legacy SafeNet DataSecure Product/s | Previous Part Number | Migration/Replacement Product | New Part Number | Benefits |
|---|---|---|---|---|
| i460 Bundle with Local PED and iKeys | 947-000036-001-000 | k460, Crypto Bundle | 947-000340-001-000 | Includes SafeNet Crypto Pack License, PED and iKeys; Added security (FIPS 140-2 Level 3 compliance); Remote management via PED; Additional performance/storage |
| | | In-Field Software Updates | Free Download from Gemalto Customer Support Portal | Upgrade existing appliances to the latest version of SafeNet KeySecure; Ensure continuity during migration; Easy installation of new features, upgrade core software and apply security patches; Run older appliances in cluster with new appliances |

SafeNet Virtual DataSecure i150v v 6.x and earlier (VMware)

| Legacy SafeNet Virtual DataSecure Product, VMware | Previous Part Number | Migration / Replacement Product with Crypto Pack Bundle | New Part Number | Benefits |
|---|---|---|---|---|
| SafeNet Virtual DataSecure, i150v, VMware, v6.3, 1 Year | 947-000232-001-000 | SafeNet Virtual KeySecure, V8.x, with SafeNet Crypto Pack, Term Limited, 1 Year, Plus Support | 947-000409-001-000 | One-to-one functionality with hardware appliance; Provides route to cloud; Use case expansion for dynamic environments; Upgrade to SafeNet Crypto Pack for encryption use case support (customers need to contact Gemalto Customer Service to re-submit new BoxID for SafeNet Virtual KeySecure and connector licenses) |
| SafeNet Virtual DataSecure, i150v, VMware, v6.3, 2 Year | 947-000232-002-000 | SafeNet Virtual KeySecure, V8.x, with SafeNet Crypto Pack, Term Limited, 2 Year, Plus Support | 947-000414-001-000 | |
| SafeNet Virtual DataSecure, i150v, VMware, v6.3, 3 Year | 947-000232-003-000 | SafeNet Virtual KeySecure, V8.x, with SafeNet Crypto Pack, Term Limited, 3 Year, Plus Support | 947-000419-001-000 | |
| SafeNet Virtual DataSecure, i150v, VMware, v6.3, Perpetual | 947-000232-004-000 | SafeNet Virtual KeySecure, V8.x, with SafeNet Crypto Pack, Perpetual | 947-000298-001-000 | |

NOTE: To update the Encryption Connector licenses, customers must create a new instance for SafeNet Virtual KeySecure and restore contents from the previous version’s backup, then contact Gemalto Customer Service with the newly generated BoxID.

For customers with active and paid service and support contracts, support will be available until the termination date of the contract.

SafeNet Encryption Connectors

With SafeNet KeySecure and its supported data protection connectors, enterprises have the ability to secure sensitive information, wherever it resides in on-premises, virtual, and public-cloud environments. 

SafeNet ProtectFile | File System-Level Encryption

    Performs transparent and automated file-system level encryption of server data-at-rest in the distributed enterprise, including Direct Attached Storage (DAS), Storage Area Network (SAN), and Network Attached Storage (NAS) servers using CIFS/NFS file sharing protocols

    Centralized key and policy management to meet compliance mandates

    Granular access controls to ensure only authorized users or processes can view protected data, including the ability to prevent rogue administrators from impersonating another user with access to sensitive data

    Provides built-in, automated key rotation and data re-keying, as well as comprehensive logging and auditing capabilities

    Support for on-premises, virtual, or cloud environments

SafeNet ProtectDB | Column-Level Database Encryption

    Provides efficient and transparent column-level encryption of sensitive data, such as credit card numbers, social security numbers, and passwords, in multi-vendor database management systems

    Granular access controls by role, user, time of day, and other variables, including the ability to prevent database administrators (DBAs) from impersonating another user with access to sensitive data

    Segregate data within a database and meet compliance mandates

    Support for on-premises, virtual, or cloud environments

SafeNet ProtectApp | Application-Level Encryption

    Provides application-level encryption of sensitive data on web and application servers, as well as an interface for key management operations.

    Centralizes administration of application encryption policy and keys

    Using SafeNet ProtectApp APIs, both structured and unstructured data can be secured in multi-vendor application server infrastructures

    Ensures integrity and authenticity of data through digital signing and verification

    Granular access controls to ensure only authorized users or applications can view protected data

    Features built-in, automated key rotation and data rekeying, comprehensive logging and auditing capabilities, and the option to offload encryption to SafeNet KeySecure for external processing power

    Support for on-premises, virtual, or cloud environments

SafeNet Tokenization | Application-Level Tokenization

    Protects sensitive numeric and alpha-numeric information by replacing it with a surrogate value, or token, that preserves the length and format of the data; the solution supports an unlimited number of token formats

    Single, centralized interface for logging, auditing, and reporting access to protected data, keys, and tokens

    Granular access controls to ensure only authorized users or applications can view protected tokens and data

    Systems with tokens are taken out of the scope of compliance audits, such as PCI DSS

    Requires no changes to application, databases, or legacy systems

    Support for on-premises, virtual, or cloud environments

SafeNet ProtectV | Full Disk Virtual Machine Encryption

    Provides encryption of sensitive data within instances, virtual machines, as well as attached storage volumes, in virtual and cloud environments.

    Maintain complete ownership and control of data and encryption keys by keeping them safeguarded and completely isolated from the cloud service provider, tenants in shared environments, or any other unauthorized party.

    Requires users to be authenticated and authorized prior to launching a virtual machine.

    Track and report on key access to all copies of your data and revoke key access in the event of a breach

    Supported cloud platforms include Amazon Web Services, VMware, and IBM SoftLayer 

SafeNet StorageSecure | Network Attached Storage Encryption

    Network attached storage encryption that connects to Ethernet networks.

    Secures file data stored on NAS servers using CIFS/NFS file sharing protocols

    Backups or replicas of the file shares remain encrypted, adding security to secondary and off-site storage.

    Securely stores all encryption keys and associated parameters in hardware, but can also be deployed with SafeNet KeySecure for centralized management of those keys, as well as other heterogeneous encryption keys

Platform Migration Instructions:    

The following Gemalto client platforms and versions are expected to work with SafeNet KeySecure 8.2. We recommend migrating to the latest Encryption Connector version for the most up-to-date functionality:

CAUTION: Gemalto recommends testing older versions of client platforms in a non-production environment to ensure proper functionality. Contact your sales representative or sales engineer for assistance in determining specific compatibility.

| Product | Migration Path | How to Migrate |
|---|---|---|
| SafeNet ProtectFile: File System-level Encryption | | |
| SafeNet ProtectFile Linux | Upgrade to v6.5, 6.6, 8.1 or 8.2 | Direct software upgrade from a previous release version to v6.5, 6.6, 8.1, or 8.2 is supported. When upgrading from a version earlier than 5.4.1 it is recommended to perform key rotation on encrypted content after release version upgrade. |
| SafeNet ProtectFile Windows | Upgrade to v6.6, 8.1 or 8.2 | It is required that all data encrypted with a previous release version of SafeNet ProtectFile for Windows be decrypted. Then uninstall the old version before installing version 6.6, 8.1, or 8.2. |
| SafeNet ProtectDB: Column-level Database Encryption | | |
| SafeNet ProtectDB Oracle | Upgrade to v6.4.0, 8.1, or 8.2 | Direct software upgrade from a previous release version to v6.4, 8.1 or 8.2 is supported. When upgrading from a version earlier than 5.4.0 the columns of BIGINT, INT, BIT, TINYINT, SMALLINT, DATETIME, SMALLDATETIME, MONEY, and SMALLMONEY data types must be unencrypted. |
| SafeNet ProtectDB SQL Server | Upgrade to v6.1.2, 6.6, 8.1, or 8.2 | Direct software upgrade from a previous release to v6.1.2, 6.6, 8.1, or 8.2 is supported. |
| SafeNet ProtectDB DB2 | Upgrade to v6.4.0, or 8.2 | Direct software upgrade to v6.4.0, 8.1, or 8.2 |
| SafeNet ProtectApp: Application-level Encryption | | |
| SafeNet ProtectApp JCE | Upgrade to v6.6.0, 6.6.0.01, 8.1, or 8.2 | Direct software upgrade from a previous release to v6.6.0, 6.6.0.01, 8.1, or 8.2 is supported. |
| SafeNet ProtectApp .NET | Upgrade to v5.1.2, 6.6.0, 8.1, or 8.2 | Direct software upgrade from a previous release to v5.1.2, 6.6.0, 8.1, or 8.2 is supported. |
| SafeNet ProtectApp ICAPI | Upgrade to v6.3.0, 6.6.0, 8.1 or 8.2 | Direct software upgrade from a previous release to v6.3.0, 6.6.0, 8.1 or 8.2 is supported. |
| SafeNet Tokenization: Application-level Tokenization | | |
| SafeNet Tokenization | Upgrade to v6.6.0, 6.6.0.01, 8.1, or 8.2 | Direct software upgrade from a previous release to v6.6.0, 6.6.01, 8.1, or 8.2 is supported. |
| Products No Longer Supported | | |
| SafeNet ProtectZ | | No support. |

Reminder: SafeNet DataSecure / SafeNet KeySecure 6.x Approaching Good Faith Support

We would like to remind you that the Start of Good Faith Support for SafeNet DataSecure and SafeNet KeySecure 6.x is September 30, 2016. Table A below describes the end-of-life milestones, definitions, and dates for the affected products. Please contact your Gemalto representative with any questions you may have.

Table A – End-of-Life Milestones and Dates for SafeNet DataSecure/SafeNet KeySecure 6.x

| Milestone | Date |
|---|---|
| End-of-Life Announcement Date | September 1, 2014 |
| End-of-Sale Date | March 1, 2015 |
| Start of Good Faith Support | September 30, 2016 |
| End-of-Life | June 30, 2020 |

For additional information on the benefits offered by SafeNet KeySecure 8.2 and 8.2.1 or the SafeNet Encryption Connectors, please consult the following documents: