Thales CipherTrust 2.16 Now Available

We are pleased to announce the official release of CipherTrust Manager (CM) Version 2.16.0 and CipherTrust Cloud Key Management (CCKM) Version 2.16.0.

New Features and Enhancements

Below are highlights from this release. See the full release notes.

CipherTrust Manager (CM) v2.16.0 

Google Cloud Hardware Security Module (HSM) Can Now Serve as the Root of Trust

A Root of Trust (RoT) is a source that can always be trusted within a cryptographic system. Because cryptographic security depends on keys to encrypt and decrypt data and to perform functions such as generating and verifying digital signatures, RoT schemes generally include a hardened hardware module. A principal example is the hardware security module (HSM), which generates and protects keys and performs cryptographic functions within its secure environment. CipherTrust Manager enables organizations to leverage HSMs from multiple vendors, including Thales, AWS, Azure, IBM, and others. With v2.16.0, CipherTrust Manager extends HSM support to the eagerly anticipated Google Cloud HSM.

As organizations look to strengthen their security posture and adhere to stricter security regulations such as FIPS, they often employ an HSM to serve as the RoT for key encryption. For example, organizations can now adhere to FIPS 140-2 Level 3 by leveraging the Google Cloud HSM.


CipherTrust Manager can forward server audit records and KMIP and NAE activity logs to external log aggregators such as Elasticsearch and Loki. This allows server audit records and activity logs to be queried along with other system and infrastructure logs within your environment. CipherTrust Manager v2.16.0 adds new capabilities to log forwarding, including:

- Child-to-Parent Redirection

CipherTrust Manager can define multiple domains and sub-domains for logical and security segregation. Using this concept, an organization can create a domain hierarchy with as many layers as it needs to align with business requirements. CipherTrust Manager v2.16.0 introduces Redirection, which directs audit logs and activity logs from sub-domains (child domains) to their parent domain(s). The forwarding connection is configured once, at a central point. Once configured, all logs from the child domain are forwarded to the parent domain. This minimizes the need to configure a log connection for each sub-domain one by one.

- Connection Down Monitoring and Alerting

CipherTrust Manager v2.16.0 introduces proactive monitoring of log connections. Administrators of higher-level domains can see when a log connection to a sub-domain has failed, so they are alerted quickly and can remediate issues with the connections that log forwarding depends on. This minimizes the impact of log connection failures on the continuity of audit and activity log data.

CipherTrust Manager Cloud Key Management (CCKM) v2.16.0

Technology Preview: CipherTrust Cloud Key Management support for double-key encryption on Microsoft 365

Today, when CipherTrust Cloud Key Management (CCKM) first connects to an Azure Key Vault, it automatically syncs to the vault, downloads, and stores a backup of the key(s). Microsoft Azure Point-in-Time Backups is a groundbreaking approach that extends the backup service by allowing users to define periodic backups of specific keys to align with their security and business requirements.

This capability allows you to back up important keys at your chosen cadence. For example, you may back up a mission-critical key daily to ensure you have the most up-to-date key stored at all times. If you need to restore a key from backup, you can restore from any of the available backups performed over time. The Phase 1 release of Microsoft Azure Point-in-Time Backups in CCKM 2.16.0 supports up to 30 backups per key.

This enhancement is available to all CCKM users with the upgrade to v2.16.0.

CCKM Now Offers Reporting on Discovered and Added Projects and Keyrings for Google Cloud Platform

Project and Keyring discovery on the Google Cloud Platform is one of CCKM’s most utilized capabilities. It allows organizations to automatically discover existing and new Google Projects and Keyrings to be managed by CCKM. This capability provides confidence that your organization effectively identifies new keys without much operational overhead.

The new reporting capability allows you to instantly view pertinent information related to Key Discovery jobs for the Google Cloud Platform. Reports are accessed directly via a hyperlink from the Job ID within the CCKM schedule. You can see information regarding a particular job, including the date it was executed, the Cloud Service Provider and connection, the job type, and its status. You can also view a summary of the results, including newly discovered Projects and Keyrings alongside already managed ones within the Google Cloud Connection. The report also lists which Projects and Keyrings were discovered, which were added, and which already existed.

This report can be downloaded and shared within the organization or used as part of your documentation control process.

CCKM Luna Hardware Security Module (HSM) Key Support for crypto discovery (AES/RSA/ECC)

For organizations that leverage Luna HSMs and are currently investigating post-quantum cryptography, CCKM has enhanced the inventory and algorithm visualization of Luna HSM keys. CipherTrust Manager (CM) and CCKM let users see the inventory of key sources within the environment, with Luna HSM being one of the many supported key sources. Recently, Luna HSMs delivered the ability to support Elliptic Curve Cryptography (ECC), an asymmetric encryption algorithm employing the algebraic structure of elliptic curves over finite fields. In short, ECC is architecturally more quantum-resistant than the preceding RSA algorithms.

CCKM v2.16.0 can now show which ECC algorithms are configured within your Luna HSM. This highly anticipated capability allows users to quickly see the inventory of Luna HSMs and the ECC algorithms, along with AES and RSA algorithms.