CipherTrust Platform Products

We are pleased to announce the official release of CipherTrust Manager Version 2.9 with added functionality for: CipherTrust Manager, CipherTrust Cloud Key Manager, CipherTrust Transparent Encryption (CTE), and Data Discovery and Classification (DDC). 


The top takeaways are support for: 

  1. Oracle Cloud Infrastructure (OCI) Vaults BYOK – General Availability 
  2. Azure Managed HSM Support via CCKM 
  3. Google Workspace CSE – Google Meet, Google Calendar 
  4. LogForwarders – General Availability 
  5. CTE clients with a CipherTrust Manager cluster – Support to configure order of communication 
  6. CTE for Kubernetes – Support to process signature sets in a future release 

Key features include: 

CipherTrust Manager Version 2.9  

  • The CipherTrust Manager no longer allows the certificate duration to be greater than the CA duration 
  • The certificate duration for Azure Cloud is made configurable. The default certificate duration is 730 days 
  • Added support for: 
  • AWS Regional STS Endpoint in AWS connection manager 
  • OIDC connections in connection manager 
  • Syslog connections in connection manager 
  • LOKI connections in connection manager. 
  • Elastic Search connections in connection manager 
  • Renew CA CRL automatically on expiration 
  • Configure maximum TLS version on interfaces 
  • Certificate revocation check request timeout for Web (cert user login) and NAE/KMIP clients is made configurable 
  • Support of Syslog added in log forwarders 
  • Support added for “y-” prefixed custom attributes from KeySecure to the CipherTrust Manager 
  • Updated ksctl to allow configuration of trusted certificates 
  • Added ability to auto-generate server certificates on restart if CSR parameters or CA is changed 
  • Domain backup now includes users and groups 
  • Registration of new KMIP client certificates now uses DN matching instead of fingerprint pinning 
  • Added ECDSA signing and verification support for REST interface 
  • Added support for custom attribute to KeyVersionModifyRequest 
  • Support to restore selective users/groups from KeySecure backup 
  • Support of certificate-based authentication for users created inside the domain 
  • The default setting of the system generated auto key rotation scheduler for new deployments is now disabled. However, in the previous releases, it was enabled 

Deprecated Feature(s)  

CipherTrust Manager version 2.9 onward: 

  • The ‘global’ user is not generated on restart 
  • The ‘global’ user cannot be created 

While upgrading to CipherTrust Manager 2.9, the ‘global’ user gets deleted. 

In CipherTrust Manager 2.8 and 2.9 mixed cluster environment, if a ‘global’ user exists, you cannot login as a ‘global’ user. 

While upgrading to CipherTrust Manager 2.9 or in mixed cluster environment, if a ‘global’ user is deleted, the keys owned by the ‘global’ user will be accessible to the ‘Key admin’ or ‘admin’ groups. The NAE/KMIP users can also access these keys. 

CipherTrust Cloud Key Manager Version 2.9 

  • Added support for management of: 
  • Oracle Cloud Infrastructure (OCI) Vault BYOK – General Availability 
  • Azure Managed HSMs 
  • Azure Secrets and Certificates using REST API (Tech Preview) 
  • Google Workspace CSE: Google Meet calls and Google Calendar events 
  • Ability to choose CipherTrust Manager key during Google EKM endpoint creation 
  • Salesforce Cloud Data Migration from CCKM Appliance  


SafeNet Trusted Access (STA) does not support multiple redirect URIs. Therefore, this release does not recommend use of STA as an identity provider. 



  • Capability to audit CTE operations on CipherTrust Manager. Now, all create, update, and delete operations performed on CTE resources are logged under Records > Server Records on CipherTrust Manager. 
  • Added support for Kubernetes protection of Container Storage Interface (CS 


CTE for Kubernetes became available in July 2022. 

  • Added capability to update security configuration parameters after CTE client registration. This capability is applicable to CTE clients that support new parameters. Every parameter has the fixed set of values. Refer to the CTE Agent documentation for compatible versions and dynamic parameters. 
  • Introduced a new endpoint that will be used by the CTE Agent to continuously monitor the VMD status. If VMD fails, vmutil on the CTE Agent uses this endpoint to update the CipherTrust Manager about the VMD status 
  • Added support for domain level CTE policy backup and restore 
  • A new licensing model (Thales CipherTrust Manager Community Edition) introduced, which includes CTE for Kubernetes. If your CTE for Kubernetes license is unavailable or has expired, license enforcement switches to the Community Edition. 


CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.8 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release. 


CipherTrust Data Discovery and Classification Version 2.9 

  • Salesforce Data Store Support. Supports scanning sensitive data in Salesforce Standard, Custom, and Big objects in your production and sandbox environments. 
  • Search Precision Support in Built-in Infotypes. Discovers sensitive data objects based on the High or Low search precisions. 
  • Auditing Scan Execution and Reports Generation Events. Logs Scan execution and Reports generation actions in the Server records (audit).