Thales CipherTrust 2.17 Now Available

We are pleased to announce the official release of CipherTrust Manager (CM) Version 2.17.0 and CipherTrust Cloud Key Management (CCKM) Version 2.17.0.

New Features and Enhancements

Below are highlights from this release. See the full release notes.

CipherTrust Manager (CM) v2.17.0 

New CipherTrust Manager Downloadable Reports

CipherTrust Manager now allows users to download the following reports:

  • Interface Certificate
  • Client Certificate
  • Cluster Nodes
  • Domains
  • Licensing

These newly added reports can be downloaded in CSV or PDF format to share within the organization or for audit purposes.

Automated Cluster Certificate Renewal

Thales CipherTrust Manager v2.17.0 greatly simplifies the cluster certificate renewal and updating process for clustered nodes. Before the v2.17.0 release, the renewal and application of new cluster certificates to nodes required system administrators to be alerted of an upcoming certificate expiration and then manually renew and update the certificate for the nodes during a scheduled maintenance window.

v2.17.0 allows for automated “hot” renewal of node certificates within clusters. With the new release, organizations no longer need to wait for an alert that the cluster certificate will expire and then manually take action. CipherTrust Manager will now automatically renew the certificate 90 days before expiration and apply it to the proper nodes without a maintenance window.

This new capability streamlines the certificate renewal process and ensures that nodes have proper certificates.

CipherTrust Manager Cloud Key Management (CCKM) v2.17.0

CipherTrust Cloud Key Management support for double-key encryption on Microsoft 365 Now Generally Available.

In June 2024, Thales CipherTrust previewed the ability to use double-key encryption (DKE) within Microsoft 365 environments. CCKM v2.17.0 now makes this capability generally available.

DKE empowers you to protect highly sensitive data and meet stringent security requirements. DKE gives you the ability to maintain control of your encryption keys securely. It uses two keys to protect data. One key is maintained within your CipherTrust Cloud Key Management, and the second is stored securely in Microsoft Azure. This lets you control one of your keys directly using the DKE service. Note that the key stored in Microsoft Azure can also be a bring-your-own (BYOK) generated key on CCKM, if you choose. This provides you visibility and control of both keys.

DKE helps you meet regulatory compliance across multiple regulations and standards, including the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and many others.

HYOK and the already available bring-your-own-key (BYOK) support allow CCKM to support the two Microsoft 365 offerings for key management.

User Interface Licensing: Report on Subdomain Usage on Root.

CipherTrust Cloud Key Manager now allows you to view and report the subdomains associated with a Root account and the number of licenses being used within each subdomain.

This new feature provides a more granular view of how licenses are consumed within the CipherTrust Cloud Key Management environment to align license consumption to business needs effectively.

This capability provides information for the new downloadable licensing report in CipherTrust Manager v2.17.0.

Enhanced AWS Bring Your Own Key (BYOK) user interface support for Asymmetric and HMAC Keys.

CipherTrust Manager (Local) is the first key source to support the visualization of AWS BYOK for Asymmetric and HMAC keys. This feature was previously enabled on the API but is now represented visually within the CipherTrust Cloud Key Manager user interface.

With the new feature, users can now easily add an external BYOK for symmetric (AES 256, HMAC) or asymmetric keys (RSA, Elliptic Curve) within their AWS environment from the CipherTrust Cloud Key Management user interface. This simplifies the process of adding keys and streamlines operations.

Vault-level Point-in-Time Backups.

In CCKM v2.16.0, Thales introduced Microsoft point-in-time key backups, which allow users to define periodic backups for specific keys to align with their security practices and business requirements. In CCKM v2.17.0, we extend the point-in-time backup concept to Microsoft Azure Key Vaults. Instead of backing up individual keys, you can back up entire Key Vaults at the cadence you choose to align with your operational guidelines or compliance needs. 

For example, you may back up a Key Vault that contains mission-critical keys daily to ensure you have the most up-to-date key stored at all times. If you need to restore to a backup, you can restore to any available backups performed over time.

CCKM Now Offers Reporting on Discovered and Added Subscriptions and Key Vaults for Azure.

CCKM uses Azure Cloud subscription and Key Vault discovery to automatically identify existing and new Azure Subscriptions and Key Vaults to be managed by CCKM.

The new reporting capability allows you to instantly view pertinent information related to Key Discovery jobs for your Azure environment. Reports are directly accessed via a hyperlink from the Job ID within the CCKM schedule. You can see information regarding a particular job, including the date it was executed, the Cloud Service Provider and connection, the job type, and its status. You can also view a summary of the results, including newly discovered Keys and Key Vaults alongside already managed ones within the Microsoft Azure Cloud. The report also lists which Keys and Key Vaults were discovered, added, and already existed.

This report can be downloaded and shared within the organization or used as part of your documentation control process.

To learn more about CCKM and its reporting capabilities, please visit the Click-through Demo, which is available here.

Enable re-import of destroyed BYOK versions on Google Cloud Platform API

Using CipherTrust Cloud Key Management (CCKM) for Cloud Managed Encryption Keys within your Google Cloud Platform environment delivers additional control over backups and destroyed keys. The CipherTrust Cloud Key Management service now supports key re-import, which allows you to restore a previously imported key version in a ‘DESTROYED’ or ‘IMPORT_FAILED’ state to an ‘ENABLED’ state by providing the original key material. Any key material may be supplied if no original key material has been imported due to initial import failure.

Important to note:

  • Only previously imported ‘CryptoKeyVersions’ can be re-imported.
  • Re-imported key material must match the original key material exactly if the version was previously successfully imported.
  • ‘CryptoKeyVersions’ destroyed prior to the release of this feature on Google Cloud cannot be re-imported. Eligibility is indicated by whether the ‘reimport_eligible’ field of the ‘CryptoKeyVersion’ is set to true (eligible) or false (ineligible).