We are pleased to announce the official release of CipherTrust Manager (CM) Version 2.21.0 and CipherTrust Cloud Key Management (CCKM) Version 2.21.0.
New Features and Enhancements
Below are highlights from this release. See the full Release Notes here.
CipherTrust Manager (CM) v2.21.0
Expanding Post-Quantum TLS Support
Quantum computing promises significant benefits, such as dramatic speedups for certain classes of problems and advances in AI, drug discovery, and materials science. It also poses a serious threat to the public-key cryptography that protects sensitive data today. A 2048-bit RSA key is considered secure against classical computers, for which factoring it is estimated to take hundreds of trillions of years, but a sufficiently large fault-tolerant quantum computer running Shor's algorithm could break it in hours.
Quantum computers capable of this do not exist yet, but adversaries are already preparing for them. In a "harvest now, decrypt later" attack, an attacker records encrypted traffic in transit today and stores it until a capable quantum computer can recover the session keys. Because the recording is happening now, the defense has to start now as well: key exchange must use quantum-safe algorithms so that traffic captured today stays confidential once such a computer exists.
In CipherTrust Manager 2.20.0, Thales introduced support for the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM, standardized in FIPS 203) for TLS on the web interface, configurable through the API. CipherTrust Manager 2.21.0 makes ML-KEM configurable through the graphical user interface (GUI) as well.
The key exchange is quantum-safe only when both sides negotiate it. CipherTrust Manager now offers an ML-KEM TLS key-exchange group on the web interface, which protects the session against harvest-now-decrypt-later attacks when the peer supports the same group, as current versions of Google Chrome do (Chrome offers the X25519MLKEM768 hybrid by default). Note that ML-KEM is a key-encapsulation mechanism, not a cipher: it protects the negotiation of the session key, while the symmetric cipher that protects the data itself (for example AES-GCM) is unchanged.
CipherTrust Manager 2.21.0 also adds, as technical previews, API and user-interface support for ML-KEM on the SSH interface and post-quantum TLS channels between CipherTrust Cloud Key Management and Google Chrome.
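A check worth running after enabling ML-KEM, as an added example that is not Thales code: the script below runs openssl s_client against a host, offering Chrome's X25519MLKEM768 hybrid first with classical X25519 as a fallback, and reports which group the server actually chose. It assumes OpenSSL 3.5 or later on the path (earlier releases do not know the ML-KEM group names); the host name and the sample s_client excerpts are constructed for the example.

```python
"""Probe a TLS endpoint and report whether it negotiated an ML-KEM key exchange.

Added example, not Thales code.  It runs `openssl s_client` (OpenSSL 3.5 or
later, the first release that knows the ML-KEM groups) and parses the
"Negotiated TLS1.3 group:" line that s_client prints after the handshake.
"""
from __future__ import annotations

import re
import subprocess

# Group names as OpenSSL 3.5 spells them: three hybrids plus pure ML-KEM.
PQ_GROUPS = {
    "X25519MLKEM768",      # the hybrid Chrome offers by default
    "SecP256r1MLKEM768",
    "SecP384r1MLKEM1024",
    "MLKEM512",
    "MLKEM768",
    "MLKEM1024",
}

_GROUP_RE = re.compile(r"^\s*Negotiated TLS1\.3 group:\s*(\S+)", re.MULTILINE)


def negotiated_group(s_client_output: str) -> str | None:
    """Return the TLS 1.3 group s_client reports, or None if no such line was printed."""
    match = _GROUP_RE.search(s_client_output)
    return match.group(1) if match else None


def is_post_quantum(group: str | None) -> bool:
    """True when the negotiated group is an ML-KEM hybrid or pure ML-KEM."""
    return group in PQ_GROUPS


def classify(s_client_output: str) -> str:
    """Map s_client output to 'post-quantum', 'classical' or 'no-handshake'."""
    group = negotiated_group(s_client_output)
    if group is None:
        return "no-handshake"
    return "post-quantum" if is_post_quantum(group) else "classical"


def probe(host: str, port: int = 443, timeout: float = 15.0) -> str:
    """Offer the hybrid first, then X25519, and report what the server picked.

    Offering X25519 as a fallback means a server without ML-KEM still completes
    the handshake, so the answer is 'classical' rather than a bare failure.
    """
    cmd = [
        "openssl", "s_client",
        "-connect", f"{host}:{port}",
        "-servername", host,
        "-tls1_3",
        "-groups", "X25519MLKEM768:X25519",
    ]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return classify(proc.stdout + proc.stderr)


# Constructed s_client excerpts, not captured from a real CipherTrust Manager.
SAMPLE_PQ = "SSL-Session:\n    Protocol: TLSv1.3\nNegotiated TLS1.3 group: X25519MLKEM768\n"
SAMPLE_CLASSICAL = "SSL-Session:\n    Protocol: TLSv1.3\nNegotiated TLS1.3 group: X25519\n"
SAMPLE_FAILED = "error:0A000410:SSL routines::ssl/tls alert handshake failure\n"

if __name__ == "__main__":
    print(classify(SAMPLE_PQ), classify(SAMPLE_CLASSICAL), classify(SAMPLE_FAILED))
    # Against a live endpoint (hypothetical host name):
    # print(probe("cm.example.internal"))
```

A result of "classical" means the handshake succeeded but the server fell back to X25519, which is exactly the silent failure to look for: the session works, but nothing about it is quantum-safe.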
Generally Available: Overall Improvements to CipherTrust Manager
CipherTrust Manager v2.21.0 introduces security, migration, and administrative improvements that help organizations implement a company-wide strategy for standardizing cryptography across the entire data estate.
New security capabilities include:
- User password hashes now use 10,000 iterations, which raises the cost of offline brute-force and dictionary attacks against a stolen credential store.
- Downgrades below the factory-installed version are prohibited, so software and firmware cannot be rolled back to an older, less secure configuration.
- NIAP Common Criteria: CRL checking for log forwarder connections. Forwarded logs carry sensitive security information, so the channel to the log receiver must be authenticated with TLS certificates. CRL checking ensures that the certificates presented by log forwarders and receivers have not been revoked; a revoked certificate may indicate that its private key was compromised.
Improved migration capabilities include:
- The REST audit trail can now record the status and parameters of cryptographic operations. Logging the details of cryptographic operations (encryption and decryption attempts, key usage, and so on) lets you detect suspicious activity, unauthorized access to encrypted data, or attempts to circumvent security controls.
Administrative Improvements include:
- A web user interface session timeout prevents unauthorized use of an account when a user leaves a logged-in device unattended. Once the session expires, the user must re-authenticate before continuing, so only legitimate users keep access to the system.
- Extended OIDC support: group mappings can now be built from the full set of granted scopes and from the UserInfo endpoint, not only from ID token claims, making group information easier to retrieve and giving more granular, flexible group-based authorization.
The CipherTrust platform continues to demonstrate its strengths in addressing complex organizational needs for data security and cryptographic standardization with support for new technologies, increased security controls, and administrative efficiency.
CipherTrust Cloud Key Management (CCKM) v2.21.0
General Availability: New AWS Key Rotation Feature in CipherTrust Cloud Key Management
With cyber threats growing in complexity and regulatory requirements becoming ever more stringent, robust encryption and seamless key management matter more than ever. CipherTrust Cloud Key Management introduces an AWS key rotation feature that lets you create and control cryptographic keys, automate key rotation, and integrate with other AWS services to strengthen your security posture.
Key rotation is the practice of periodically replacing encryption keys to limit the impact of a key compromise. It is a critical process that:
- Reduces Exposure: Rotating keys limits the window during which a compromised key can be misused.
- Meets Compliance: Regulatory frameworks and standards such as PCI DSS, HIPAA, and GDPR often require or recommend periodic rotation of keys that protect sensitive information.
- Strengthens Trust: Customers gain confidence that their data is protected according to industry best practices.
Together with our partners, Thales is focused on building a more secure, resilient, and innovative cloud future. That is why we are excited to announce the new AWS key rotation feature, now supported in CipherTrust Cloud Key Management (CCKM) version 2.21.
The AWS key rotation feature lets organizations automate the periodic rotation of AWS KMS (Key Management Service) keys directly from the CCKM console. The integration is intuitive, scalable, and secure, offering:
- Automated Scheduling: Define rotation policies that suit your organization’s needs, from monthly to yearly cycles.
- Comprehensive Coverage: Supports AWS KMS keys across multiple accounts and regions, giving you centralized control.
- Seamless Auditing: Detailed logs and reporting ensure every rotation is recorded for compliance and peace of mind.
Early adopters of the AWS key rotation feature have shared enthusiastic feedback, highlighting how it simplifies compliance, reduces manual effort, and integrates easily with existing cloud workflows.
Without this new feature, managing AWS KMS keys meant a lot of manual work and cross-team coordination. Now, you set up rotation policies and let the platform handle the rest.
General Availability: Support for Google Workspace Client-Side Encryption in CipherTrust Cloud Key Management for secure and compliant collaboration
Google Workspace Client-Side Encryption (CSE) Send to Anyone lets enterprise Gmail users send end-to-end encrypted messages to any recipient, in any email inbox, without the recipient setting anything up in advance. It is an alternative to Secure/Multipurpose Internet Mail Extensions (S/MIME), which is compatible across email clients but hard to use in practice because both sender and recipient need certificates. CCKM supports the alpha and beta releases of Google CSE Send to Anyone, with support for the generally available version expected in August 2025.
Send to Anyone is enabled in the Google Workspace Admin Console; on the CCKM side it is enabled automatically and needs no configuration. CCKM supports the guiding principles of Google Workspace CSE by delivering:
- No access to plaintext content: content is encrypted in the Google Chrome browser before it is sent to Google servers for storage, so Google cannot unilaterally read it. If Google needs access to a decrypted file, for example for a support case, it requires explicit customer authorization on a per-file basis.
- Customer sovereignty over encryption keys: to use Google Workspace CSE, customers must operate their own external key manager (EKM). CCKM is built to the CSE specification and is supported by Google to fulfill this requirement.
- Preserved user experience: through close collaboration, Google and Thales can assure enterprise Gmail users that they can send end-to-end encrypted messages to any mailbox without pre-configuration by the recipient.
- Simplified Gmail encryption: CCKM with CSE Send to Anyone removes the burden of managing S/MIME certificates, so Gmail encryption can be rolled out simply by adopting CCKM.
As noted in the CipherTrust Manager v2.21.0 section, post-quantum support enables quantum-safe TLS channels between CCKM and Google Chrome, addressing harvest-now-decrypt-later attacks.
General Availability: Support for AWS KMS on-demand key rotation for imported keys
On June 6, 2025, AWS added on-demand rotation for keys with imported key material: the cryptographic material behind a Bring Your Own Key (BYOK) key can now be rotated without changing the key identifier (key ARN). This helps organizations meet rotation requirements and refresh their keys regularly. Before this feature, rotating a BYOK key meant creating a new key and repointing every consumer to it, and because key aliases are not honored by every AWS service, that process was manual. The new feature removes that overhead: it supports both immediate and scheduled rotation, needs no downtime or manual updates, and stays backward compatible, since ciphertexts produced under earlier key material still decrypt.
CipherTrust Cloud Key Management allows organizations to centrally manage their cloud encryption keys while migrating sensitive data to AWS. It offers a single dashboard view across regions for cloud-native, bring your own key (BYOK), and hold your own key (HYOK) options with an intuitive interface to oversee all cloud key management services, helping organizations increase efficiency and meet data protection requirements.
Organizations using CCKM can rotate the key material of BYOK keys, either manually or on a schedule, without changing the key identifier (key ARN). This lets them meet compliance requirements and security best practices that mandate periodic key rotation without touching the applications that reference the key.
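The mechanism described above, as an added example that is not CCKM or AWS code: a small Python model of a BYOK key whose material is rotated on demand while its ARN stays fixed. The class, the ARN, and the HMAC-based stand-in cipher are constructed for illustration only; the real KMS API calls (ImportKeyMaterial and RotateKeyOnDemand) are not invoked, and the cipher is not what KMS uses.

```python
"""Model of AWS KMS on-demand rotation of imported (BYOK) key material.

Added example, not CCKM or AWS code.  The key keeps a stable identifier (the
ARN) while the material behind it is replaced; every ciphertext records which
material version produced it, so blobs written before a rotation still decrypt
and new blobs use the latest material.  The cipher is an HMAC-SHA256 counter
mode with an encrypt-then-MAC tag, used only so the example runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

_MATERIAL_LEN = 32   # 256-bit symmetric material
_NONCE_LEN = 16
_TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (illustration only, not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class ImportedKmsKey:
    """One KMS key: a fixed ARN, every material version imported, and the current one."""

    def __init__(self, arn: str) -> None:
        self.arn = arn
        self._materials: dict[int, bytes] = {}
        self._current: int | None = None

    def import_material(self, raw: bytes) -> int:
        """Import new material under the same ARN and return its material id."""
        if len(raw) != _MATERIAL_LEN:
            raise ValueError("expected 256-bit key material")
        material_id = len(self._materials) + 1
        self._materials[material_id] = raw
        if self._current is None:      # first import activates the key
            self._current = material_id
        return material_id

    def rotate_on_demand(self, material_id: int) -> None:
        """Make imported material current; older versions are kept for decryption."""
        if material_id not in self._materials:
            raise KeyError(f"material {material_id} was never imported for {self.arn}")
        self._current = material_id

    @property
    def current_material_id(self) -> int:
        if self._current is None:
            raise RuntimeError("no key material imported yet")
        return self._current

    def _subkeys(self, material_id: int) -> tuple[bytes, bytes]:
        raw = self._materials[material_id]   # separate encryption and MAC keys per version
        return (hmac.new(raw, b"enc", hashlib.sha256).digest(),
                hmac.new(raw, b"mac", hashlib.sha256).digest())

    def encrypt(self, plaintext: bytes) -> bytes:
        """Ciphertext layout: material_id (4) | nonce (16) | body | tag (32)."""
        material_id = self.current_material_id
        enc_key, mac_key = self._subkeys(material_id)
        nonce = secrets.token_bytes(_NONCE_LEN)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        header = struct.pack(">I", material_id) + nonce
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        """Decrypt with whichever material version the blob names, checking the tag first."""
        if len(blob) < 4 + _NONCE_LEN + _TAG_LEN:
            raise ValueError("ciphertext too short")
        material_id = struct.unpack(">I", blob[:4])[0]
        if material_id not in self._materials:
            raise KeyError("ciphertext references key material this key never held")
        enc_key, mac_key = self._subkeys(material_id)
        signed, tag = blob[:-_TAG_LEN], blob[-_TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, signed, hashlib.sha256).digest()):
            raise ValueError("authentication failed: ciphertext was modified")
        nonce, body = signed[4:4 + _NONCE_LEN], signed[4 + _NONCE_LEN:]
        return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def rotation_demo() -> dict[str, bool]:
    """Rotate a BYOK key and check the properties the release note promises."""
    arn = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # hypothetical
    key = ImportedKmsKey(arn)
    key.import_material(secrets.token_bytes(_MATERIAL_LEN))
    before = key.encrypt(b"record written before rotation")
    v2 = key.import_material(secrets.token_bytes(_MATERIAL_LEN))   # new material, same ARN
    key.rotate_on_demand(v2)
    after = key.encrypt(b"record written after rotation")
    return {
        "arn_unchanged": key.arn == arn,
        "old_ciphertext_still_decrypts": key.decrypt(before) == b"record written before rotation",
        "new_ciphertext_uses_v2": struct.unpack(">I", after[:4])[0] == v2,
    }
```

The detail to take from this is the ciphertext header: because every blob names the material version that produced it, rotation never invalidates existing data, and the identifier consumers hold (the ARN) never changes. If a policy requires that old material be retired rather than merely superseded, you still need a re-encryption pass, and the distribution of material ids across stored ciphertexts is how you prove it is complete.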