We are pleased to announce the official release of CipherTrust Manager Version 2.10 with added support for: AWS, Azure, Google and Terraform.
The top CM takeaways are support for:
- nShield Network HSM as Root of Trust
- Prometheus – Cluster Health can now be monitored and alerts defined for intervention and remediation
The top CCKM takeaways are added support for:
- AWS – Policy management is now available on the UI, in addition to the API
- Azure – Support for Confidential Computing when Luna Network HSM is the key source and the Azure key vault is a premium vault or Managed HSM
- Google Workspace CSE – Gmail and multiple IDPs, for sharing files with external users
- Terraform Provider – Introduces support for AWS Roles and Google EKM & CSE Endpoint management
Features and Enhancements
CipherTrust Manager Version 2.10.0
- Released the Quorum feature for general availability.
- Added capability to browse LDAP users and groups using connections created in the LDAP connection manager.
- Added ability to verify whether the time is in sync between the CipherTrust Manager and AWS when testing AWS connections.
- Extended support for Secure Trusted Channel (STC) mode to Luna network HSM connections in connection manager.
- Added capability to control allowed authentication methods for users.
- Added support for preventing deletion of in-use SMB connections.
- Added ability to create system policies to control login based on groups and interfaces.
- Added support for granular access (based on clients, users, groups) to group of keys.
- Added option to filter keys by effective permissions.
- Made the SSH interface port configurable.
- Enhanced the nodes API to specify additional cluster information.
- Added cluster information metrics for Prometheus log monitoring system.
- Added connection management support for LDAP.
- Added support for external certificates for Azure and Salesforce connections.
- Added capability to use certificates on multiple interfaces of same type.
- GUI enhancement: Made consistent use of the term username.
Tech preview
- Expanded HSM-anchored domain capabilities:
- Added support for domain-scoped backup and restore.
- Added ability to update domains to recover a lost association to the original domain Key Encryption Key (KEK) stored in an HSM partition.
- Added support for nShield Connect HSM as root of trust.
- Enhancement to OIDC connection for CipherTrust Manager user authentication. CipherTrust Manager now checks and refreshes the signing keys from the identity provider on each authentication, to keep up with key rotation.
- Small user-friendly enhancements to the ks-upgrade.sh upgrade script.
- Due to design stability, the Prometheus metrics endpoint is now fully supported and no longer technical preview.
Limitations
- Currently, the log forwarders are not configured to use the system’s proxy configuration. If a proxy is configured, the log forwarders bypass the proxy servers.
- The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.
Deprecated Feature(s)
From CipherTrust Manager version 2.9 onward:
- The ‘global’ user doesn’t get generated on restart.
- The ‘global’ user cannot be created.
While upgrading to CipherTrust Manager 2.9, the ‘global’ user gets deleted.
In a mixed cluster environment of CipherTrust Manager 2.8 and 2.9, if a ‘global’ user exists, you cannot log in as the ‘global’ user.
While upgrading to CipherTrust Manager 2.9, or in a mixed cluster environment, if a ‘global’ user is deleted, the keys owned by the ‘global’ user become accessible to the ‘Key admin’ or ‘admin’ groups. The NAE/KMIP users can also access these keys.
Application Data Protection
- Added support for access policies that let you select, based on the user, how data is displayed in a RESTful API call during the reveal operation. The data can be revealed as:
- Plaintext
- CipherText
- Masked Value
- Error/Replacement Value
- Added licensing enforcement for DPG.
CCKM
- Added support for GCP key purpose “MAC” for signing and verification for symmetric keys using the API.
- Added capability to automatically rotate keys after a specific number of days of the last key rotation.
- Added support for dynamically pushing policy updates to the associated AWS keys using the API.
- Added support for Technical Users for connecting to the SAP Data Custodian.
- Added capability to schedule key rotation at the key vault level using the API.
- Added capability to include roles in AWS key policies. Key administrator and key user access can now be granted to IAM roles.
- Added support for the Azure Key Vault Managed HSM cloud service using the GUI. Azure Managed HSM vaults support RSA-HSM and EC-HSM keys only. Other functionality is the same as for regular Azure vaults.
- Enabled support for Microsoft Confidential Computing with Luna Network HSM as the key source for Azure Managed HSMs or Premium Azure Key Vaults. For this, an exportable flag has been introduced for keys in Azure Key Vaults.
- GWS Workspace CSE: Added capability to attach multiple identity providers (IdP) to individual endpoints.
- GWS Workspace CSE: Added support for client side encryption of Gmail messages.
- Google EKM: Support for a new Key Access Justification Reason, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION.
- Added support to manage AWS CloudHSM Custom Key Stores.
- Officially documented instructions to prevent CCKM users from exporting source key material.
CTE
- Added support for CipherTrust Manager’s quorum control for CTE operations and resources. A CipherTrust Manager administrator can configure a quorum policy to have multiple approvers for supported operations.
- Added support for signature sets for CTE for Kubernetes clients.
- Added support for COS policies for Wasabi cloud storage.
- Enhanced the CTE clients GUI to display different client types – FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).
- Enhanced CTE reports to filter reports based on client type – FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).
NOTE
CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to CipherTrust Manager 2.10 using the backup/restore method. Container policies are supported only on the DSM. Efficient Storage resources, however, can be created manually on the CipherTrust Manager; migration of Efficient Storage resources will be supported in a future release.
CTE UserSpace
CTE UserSpace is a new kernel-independent file encryption product based on CTE and CTE UserSpace (rebranded ProtectFile FUSE).
- The resources of CTE UserSpace clients running Agent version 5 and higher are managed by the Transparent Encryption application on the CipherTrust Manager. These clients can’t be managed by the ProtectFile & Transparent Encryption UserSpace application.
This release does not support the following features:
- Kernel Compatibility Matrix
- Agent and System locks
- CBC and XTS keys
- COS, ESG, IDT, and LDT policies and GuardPoints
To manage clients running previous versions of the CTE UserSpace Agent, use only the ProtectFile & Transparent Encryption UserSpace application. Alternatively, upgrade those clients to CTE UserSpace 9.5 or a higher version.
- Added support for CipherTrust Manager’s quorum control for CTE operations and resources. A CipherTrust Manager administrator can configure a quorum policy to have multiple approvers for supported operations.
- Enhanced the CTE clients GUI to display different client types – FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).
- Enhanced CTE reports to filter reports based on client type – FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).
CIP
- Added support for NFS and SMB/CIFS DataStores
- Added capability to scan SMB/CIFS DataStores
- Added capability to generate reports for NFS/SMB/CIFS DataStores
- Extended policy support to NFS and SMB/CIFS GuardPoints
DDC
- Support for RHEL 8 Agents
- Support for SCRAM-SHA-256 authentication in PostgreSQL
- OneDrive for Business data store support
- BLOB support for Oracle, Microsoft SQL, PostgreSQL, MySQL, Teradata, and IBM DB2
- Collecting Agent logs for troubleshooting purposes
- Enhanced scan progress status lets you see whether a scan whose progress percentage is not advancing is stuck or still progressing