We are pleased to announce the official release of CipherTrust Manager (CM) Version 2.19.0, and CipherTrust Cloud Key Management (CCKM) Version 2.19.0.
New Features and Enhancements
Below are highlights from this release. See the full Release Notes here.
CipherTrust Manager (CM) v2.19.0
Ability to Monitor Key States for Prometheus
CipherTrust Manager effectively leverages the Prometheus open-source framework to enable infrastructure owners and application administrators to monitor health and function. Thales also provides an open-source and ready-to-use Grafana dashboard, allowing organizations to clearly understand the key health metrics for their CipherTrust Manager appliances.
The pre-defined containerized dashboards are developed and readily accessible through GitHub repositories, ensuring swift deployment within Grafana.
Organizations can now monitor the number of keys created in the CipherTrust Manager and utilize these metrics to set proactive alerts. For instance, an alert will notify the organization if the number of managed keys rises unexpectedly. Additionally, these new metrics allow organizations to view keys categorized by state—such as pre-active, active, compromised, retired, and re-activated—facilitating quick identification of changes to keys in specific states. For example, this capability enables organizations to establish alerts to detect increases in keys that are in a compromised state, enhancing their security posture.
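The kind of consumer that turns these per-state key metrics into an alert, as an added example that is not Thales code or part of the CipherTrust Manager Grafana dashboards: it parses a Prometheus text-format scrape, tallies keys by lifecycle state and flags an increase in the compromised state between two samples. The metric name `ciphertrust_keys_total` and its `state` label are assumptions standing in for whatever the appliance actually exports, and the two scrape payloads are constructed.

```python
"""Consume per-state key metrics from a Prometheus scrape and alert on changes.

Added example, not code from Thales or the CipherTrust Manager project. The
metric name and label below are assumed; the scrape payloads are constructed.
"""
from __future__ import annotations

import re
from typing import Dict

# Hypothetical metric name; substitute the name the CM exporter really uses.
KEY_STATE_METRIC = "ciphertrust_keys_total"

# Lifecycle states named in the release notes.
KEY_STATES = ("pre-active", "active", "compromised", "retired", "re-activated")

# One sample line: name{labels} value [timestamp]
_LINE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)(?:\s+\S+)?$'
)
_LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed scrape at time t0 (no compromised keys).
SCRAPE_T0 = """\
# HELP ciphertrust_keys_total Managed keys by lifecycle state (constructed sample)
# TYPE ciphertrust_keys_total gauge
ciphertrust_keys_total{state="pre-active"} 12
ciphertrust_keys_total{state="active"} 340
ciphertrust_keys_total{state="compromised"} 0
ciphertrust_keys_total{state="retired"} 25
ciphertrust_keys_total{state="re-activated"} 2
unrelated_metric{job="cm"} 99
"""

# Constructed scrape at time t1: two active keys were marked compromised.
SCRAPE_T1 = SCRAPE_T0.replace('{state="active"} 340', '{state="active"} 338') \
                     .replace('{state="compromised"} 0', '{state="compromised"} 2')


def parse_key_states(exposition: str, metric: str = KEY_STATE_METRIC) -> Dict[str, int]:
    """Return {state: count} for one scrape; comments and other metrics are skipped."""
    counts = {state: 0 for state in KEY_STATES}
    for raw in exposition.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m or m.group("name") != metric:
            continue
        labels = dict(_LABEL_RE.findall(m.group("labels")))
        state = labels.get("state")
        if state in counts:
            counts[state] += int(float(m.group("value")))
    return counts


def state_deltas(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Per-state change between two consecutive samples."""
    return {s: current.get(s, 0) - previous.get(s, 0) for s in KEY_STATES}


def should_alert(previous: Dict[str, int], current: Dict[str, int],
                 state: str = "compromised", max_increase: int = 0) -> bool:
    """True when `state` grew by more than `max_increase` keys between samples.

    Equivalent PromQL for a gauge, with the assumed metric name:
        delta(ciphertrust_keys_total{state="compromised"}[5m]) > 0
    """
    return state_deltas(previous, current)[state] > max_increase


if __name__ == "__main__":
    before, after = parse_key_states(SCRAPE_T0), parse_key_states(SCRAPE_T1)
    print("deltas:", state_deltas(before, after))
    print("alert on compromised keys:", should_alert(before, after))
```

Running the module prints the per-state deltas for the two constructed scrapes and reports that an alert should fire, because the compromised count moved from 0 to 2. In a real deployment the same condition is expressed as a Prometheus alerting rule against the exporter's actual metric name rather than re-implemented in a script.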
Reduced Sizing Issues When Moving from Dev to Production
Virtual CipherTrust Manager now ships with a 100 Gigabyte default disk that is thin provisioned. With thin provisioning, the disk consumes physical storage only as data is actually written, which is especially useful for staging, development, or sandbox setups that initially need little disk space. As these virtual instances move to production, increasing the default disk size is still necessary to meet production workloads.
Virtual CipherTrust Managers support a default disk size of 100 Gigabytes. With thin provisioning, the space actually used can grow up to that 100 Gigabytes without manual intervention, so storage scales with demand instead of consuming the entire allocation upfront.
Username Field Mapping for OpenID Connect (OIDC)
CipherTrust Manager has consistently provided SSO capabilities to align with organizational security policies and operating models. With established policies in identity management systems, users authenticate to access CipherTrust Manager with approved permissions for specific operations.
Before version 2.19, organizations had to know the username that would be created on a user's first sign-in, which was taken from the `sub` claim used for unique identification. System administrators therefore had to obtain the `sub` claim value in advance for every user accessing CipherTrust Manager, which could be time-consuming depending on the Identity Provider (IdP) in use. With this release, CipherTrust administrators can choose a claim other than `sub` as the username source, such as the email address. The default remains the `sub` claim, but being able to change the identification field streamlines user identification.
CipherTrust Cloud Key Management (CCKM) v2.19.0
General Availability: SAP Bring Your Own Key (BYOK) v2
CipherTrust Cloud Key Management, in partnership with SAP, now supports SAP key storage through the new AWS Keystore Connection option for Bring Your Own Key (BYOK). This support is generally available and prepares CipherTrust Cloud Key Management for the upcoming SAP Custodian capabilities.
CipherTrust Cloud Key Management v2.19 lets organizations create master (primary) keys for SAP directly in the platform for Bring Your Own Key (BYOK), eliminating the cumbersome process of transferring the master key role from an SAP-native key to a CCKM BYOK key.
Tech Preview: SAP Hold Your Own Key (HYOK)
CipherTrust Cloud Key Management leads the industry with its hold-your-own-key (HYOK) management solution specifically designed for SAP deployments. Thales has formed a strong collaboration with SAP, launching new BYOK and HYOK cloud services that offer unique functionalities not available in other key management solutions. This technical preview can be seen in the CCKM user interface.
Once generally available, Thales will offer manual and scheduled key rotation for SAP HYOK keys without requiring manual adjustments to SAP Data Custodian Keys, saving time and improving efficiency. Furthermore, Thales is set to support both RSA and AES key types, providing flexibility when choosing which encryption algorithm suits the organization’s needs. The platform facilitates immediate block/unblock and archive/recovery of Keystores and HYOK keys. This preview empowers organizations to leverage CCKM to gain hands-on experience with HYOK operations using SAP Data Custodian keys.
Note: The technical preview does not currently support key rotation.
Oracle Cloud Infrastructure (OCI) EKMS HYOK: Multi-User Support for Cross-Region Replication in the API
Thales CipherTrust Cloud Key Management provides seamless failover within OCI environments. Oracle’s implementation of cross-region replication for hold-your-own-key (HYOK) vaults ensures uninterrupted service. This powerful feature enables organizations to maintain service continuity, even when a region faces issues that require failover.
Thales CCKM effectively uses global and regional identifiers in key management operations, ensuring no downtime and enhancing the customer experience during disaster recovery scenarios. Initially, it utilizes the global identifier; if the global identifier is unavailable, CCKM switches to the regional identifier to ensure key availability.
Tech Preview: Automatic Detection and Addition of AWS Accounts in the API
CipherTrust Cloud Key Management (CCKM) now provides robust support for the AWS environment by enabling comprehensive discovery, visibility, and management of AWS accounts. In version 2.19, CCKM automatically identifies and adds all AWS accounts within an organization utilizing KMS services.
A scheduler runs on a predefined schedule to ensure that accounts remain current and that all new AWS accounts are seamlessly integrated as they become available. This significant enhancement minimizes the manual process of tracking and adding new AWS accounts, resulting in greater operational efficiency.
Tech Preview: Google CSE Delegate Access
CipherTrust Cloud Key Management now supports Google Client-Side Encryption’s ability to delegate access to Google Meet devices. Google Meet’s Client-Side Encryption has introduced a crucial requirement for authentication against an identity service hosted by the organization when joining a call. Traditionally, meeting rooms joined calls by being added as a resource in the meeting calendar event. However, the hardware in a meeting room lacks a pre-existing authenticating user interface, so it cannot meet the new authentication requirement. The new Google Meet Delegate Access API call allows Google Meet Devices to join calls on the user’s behalf.
Users are required to split their authentication across multiple devices. To facilitate this, Google has introduced a new API call. This call returns a new authentication token that enables a user or entity to access specific Google Meet hardware resources on behalf of an authenticated user.