We are pleased to announce the official release of CipherTrust Manager (CM) Version 2.20.0 and CipherTrust Cloud Key Management (CCKM) Version 2.20.0.
New Features and Enhancements
Below are highlights from this release. See the full Release Notes here.
CipherTrust Manager (CM) v2.20.0
Tech Preview: Post-Quantum Protection with Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM)
Quantum computing promises significant benefits, such as much faster computation and advances in AI, drug discovery, and materials science. However, it also poses a serious threat, because it would enable cybercriminals to decrypt data protected by today's public-key algorithms. A 2048-bit RSA key is considered secure against classical computers, which would need hundreds of trillions of years to crack it, but quantum computing could break it in just hours.
Quantum computing isn’t widely accessible yet, but cybercriminals are already preparing to exploit it through a “harvest now, decrypt later” tactic: they intercept encrypted traffic in transit today and store it for decryption once quantum computing is available. To counter this, communications must be protected with quantum-safe algorithms now, so that data captured today remains protected when quantum computers become available.
The Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) is a NIST-approved algorithm designed to guard against quantum computing threats. A connection is protected only when ML-KEM is enabled on both the client and the server side. CipherTrust Manager now supports ML-KEM key exchange for TLS on its Web Interface, which protects the session against Harvest Now, Decrypt Later attacks when the client also supports the same ML-KEM group, as quantum-safe clients such as Google Chrome do. ML-KEM support on the CipherTrust Manager Web Interface is currently a Tech Preview for customer testing.
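Because protection depends on both sides agreeing on an ML-KEM group, the first thing a customer testing the Tech Preview will want to confirm is what group a real handshake actually negotiated. The following is an added example written for this page, not Thales or CipherTrust Manager code: it drives `openssl s_client` against a host and parses the handshake summary it prints. It assumes OpenSSL 3.5 or later (which names the X25519 + ML-KEM-768 hybrid group `X25519MLKEM768`) and the `Negotiated TLS1.3 group:` / `Server Temp Key:` line formats of OpenSSL 3.x output; the announcement does not state which ML-KEM group the Web Interface offers, so the group list passed to `-groups` is an assumption to adjust. The sample transcript embedded in the script is constructed so that the parser can be exercised offline.

```python
"""Verify that a TLS handshake negotiated an ML-KEM hybrid key exchange.

Added example; not part of CipherTrust Manager or any Thales tooling.
It drives `openssl s_client` (OpenSSL 3.5 or later is assumed for the
X25519MLKEM768 group name) and parses the handshake summary it prints.
Which ML-KEM group the CipherTrust Manager Web Interface actually offers
is not stated in the announcement, so the group list below is an assumption.
"""
import re
import subprocess
from typing import Dict, Optional

# Constructed sample of the summary `openssl s_client` prints after a handshake.
# The "Negotiated TLS1.3 group" line format is assumed from OpenSSL 3.x output.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
SSL handshake has read 2345 bytes and written 1200 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Negotiated TLS1.3 group: X25519MLKEM768
Protocol: TLSv1.3
"""

# OpenSSL's ML-KEM group names contain "MLKEM" (e.g. X25519MLKEM768,
# SecP256r1MLKEM768, MLKEM768). Assumption: OpenSSL 3.5 naming.
PQ_MARKER = "MLKEM"

# Newer OpenSSL prints the negotiated group explicitly; older builds only
# print "Server Temp Key: X25519, 253 bits", so both forms are parsed.
GROUP_RE = re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.MULTILINE)
TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*([^,\n]+)", re.MULTILINE)


def negotiated_group(output: str) -> Optional[str]:
    """Return the key-exchange group named in an s_client transcript, or None."""
    m = GROUP_RE.search(output) or TEMP_KEY_RE.search(output)
    return m.group(1).strip() if m else None


def is_pq_hybrid(group: Optional[str]) -> bool:
    """True when the negotiated group includes ML-KEM."""
    return group is not None and PQ_MARKER in group.upper()


def assess(output: str) -> Dict[str, object]:
    """Summarise a transcript: which group was used and whether it is post-quantum."""
    group = negotiated_group(output)
    return {"group": group, "pq_hybrid": is_pq_hybrid(group)}


def probe(host: str, port: int = 443,
          groups: str = "X25519MLKEM768:X25519") -> Dict[str, object]:
    """Connect with openssl s_client, offering `groups` (needs network and OpenSSL 3.5+).

    X25519 is kept as a fallback so the handshake still completes against a
    server without ML-KEM; the result then reports pq_hybrid=False.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-tls1_3", "-groups", groups]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    transcript = (proc.stdout.decode(errors="replace")
                  + proc.stderr.decode(errors="replace"))
    return assess(transcript)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(target) if target else assess(SAMPLE_OUTPUT)
    print(result)
    if not result["pq_hybrid"]:
        print("WARNING: session is not protected by ML-KEM; "
              "traffic captured now could be decrypted later.")
```

Run it with the CipherTrust Manager hostname as the first argument to probe a live Web Interface, or with no argument to see it evaluate the constructed sample. A `pq_hybrid` of `False` against the Web Interface means either the Tech Preview is not enabled or the client-side OpenSSL does not offer the group the server expects; in both cases the session has no protection against harvest-now-decrypt-later.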
CipherTrust Cloud Key Management
General Availability: SAP Hold Your Own Key (HYOK)
Gain complete control of encryption key management for SAP. SAP and Thales have expanded their collaboration to enhance cloud security by introducing Hold Your Own Key (HYOK) support in CipherTrust Cloud Key Management and SAP Data Custodian Key Management Service. This gives SAP customers even greater control over their encryption keys, building on our earlier Bring Your Own Key (BYOK) solutions. CCKM’s BYOK and HYOK offerings deliver robust control over your encryption keys, supporting compliance with regulatory requirements and enhancing data sovereignty.
Thales supports both RSA and AES key types, offering flexibility in selecting the encryption algorithm that best suits the organization’s needs. The platform enables immediate block/unblock and archive/recovery of Keystores and HYOK keys. This new HYOK support allows organizations to use CCKM to gain practical experience with HYOK operations using SAP Data Custodian keys. Current support for BYOK and HYOK for SAP applications is detailed below.
| SAP Applications | BYOK | HYOK |
|---|---|---|
| SAP Cloud Products based on SAP HANA | ✓ | ✓ |
| SAP S/4HANA Private Cloud Edition (RISE and non-RISE) | ✓ | ✓ |
| SAP S/4HANA Cloud (Grow) IBP | ✓ | ✓ |
| SAP On-premises product using SAP HANA Platform | ✓ | ✓ |
| SAP BTP* | ✓ | ✓ |
| SAP HANA Enterprise Cloud | ✓ | ✓ |
| SAP Integrated Business Planning for Supply Chain | ✓ | ✓ |
| SAP SuccessFactors Incentive Management | ✓ | ✓ |
| SAP SuccessFactors HCM** | ✓ | ✓ |
| SAP Analysis Cloud - Private Edition | ✓ | ✓ |
| SAP Datasphere | ✓ | ✓ |
| SAP HANA Cloud, data lake | ✓ | ✓ |
| SAP Cloud Identity Services | ✓ | |
| SAP Commissions | ✓ | |
| SAP Fieldglass Vendor Management System | ✓ | |
| Backup/Wrapping Keys | ✓ | |
| General/IaaS Applications (General) | ✓ | |

*The integration with SAP Data Custodian is not currently supported across all BTP applications.
**SAP SuccessFactors HCM is supported with HYOK; customers need to purchase the advanced encryption feature from the SuccessFactors product line. SuccessFactors advanced encryption allows the customer to manage their keys through SAP Data Custodian KMS.
SAP licensing requires organizations to use one Cloud Unit license per SAP application for BYOK. For HYOK, CCKM requires one Cloud Unit license per CCKM Keystore, where one SAP group will map to one CCKM Keystore.
Visit the Thales SAP Encryption Solutions page here.
General Availability: Oracle Cloud Infrastructure (OCI) EKMS HYOK multi-user support for new cross-region replication
Thales CipherTrust Cloud Key Management provides seamless failover within OCI environments. Oracle’s cross-region replication for hold-your-own-key (HYOK) vaults ensures uninterrupted service, enabling organizations to maintain service continuity even when a region experiences issues that require failover.
CCKM uses both global and regional identifiers in key management operations, so keys remain available with no downtime during disaster recovery: it uses the global identifier first and switches to the regional identifier if the global identifier is unavailable.
General Availability: Reporting Enhancements for AWS and Azure Service/Usage Reports
CipherTrust Cloud Key Management enables organizations to quickly grasp key usage by cloud services within AWS and Azure environments. CCKM now displays plain-language cloud service names, such as SQL or storage, instead of API identifier strings, making reports easier to read.
General Availability: Automatic detection and addition of AWS accounts
CipherTrust Cloud Key Management (CCKM) now provides robust support for the AWS environment by enabling comprehensive discovery, visibility, and management of AWS accounts. In version 2.20, CCKM automatically identifies and adds all AWS accounts within an organization that use KMS services, and presents this inventory in a dashboard that includes reporting.
A scheduler runs on a predefined schedule to keep the account list current and to integrate new AWS accounts as they become available. This enhancement minimizes the manual work of tracking and adding new AWS accounts, resulting in greater operational efficiency.
Tech Preview: Automated and manual archiving and recovery of AWS accounts via API
CipherTrust Cloud Key Management enables the manual archiving and recovery of AWS KMS containers. Once a KMS container is archived, it becomes read-only: this preserves a historical record of the AWS account, but operations such as sync, key rotation, and XKS credential rotation cease. CCKM can also recover an archived account if the need arises. Note that archiving an account releases a CCKM license, and recovering an account consumes one.
Early Support: Google Workspace Client-Side Encryption (CSE) for secure and compliant collaboration
Google Workspace CSE—Send to Anyone enables enterprise Gmail users to send end-to-end encrypted messages to any user or email inbox without any pre-configuration by the recipient. CipherTrust Cloud Key Management supports the alpha and beta releases of Google CSE, with support for the generally available version to follow. Google Workspace CSE—Send to Anyone can be easily enabled in the Google Workspace Admin Console.