Release Notes

Product Description

CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.

Product Abbreviations

Product                                                                              Abbreviation
CipherTrust Batch Data Transformation                                                BDT
CipherTrust Manager                                                                  CM
CipherTrust Application Data Protection                                              CADP
CipherTrust Cloud Key Manager                                                        CCKM
CipherTrust Data Protection Gateway                                                  DPG
CipherTrust Database Protection (formerly known as ProtectDB)                        CDP
CipherTrust Transparent Encryption                                                   CTE
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE)    CTE UserSpace
CipherTrust Teradata Protection                                                      CTP
CipherTrust Intelligent Protection                                                   CIP
CipherTrust Data Discovery and Classification                                        DDC
Data Protection on Demand                                                            DPoD
CipherTrust Tokenization                                                             CT
CipherTrust Vaulted Tokenization                                                     CT-V
CipherTrust Vaultless Tokenization                                                   CT-VL

Release Description

This release is available on the Customer Support Portal in the following formats:

2.13.2 release

  • An upgrade file for k170v Virtual CipherTrust Manager instances on Google Cloud Platform only. This upgrade is not supported on any other private or public clouds.

2.13.1 release

  • An upgrade file for k470 appliances, Thales CipherTrust Manager k570 appliances, and all existing k170v Virtual CipherTrust Manager instances.


    This release is not supported on Thales TCT k160 devices or Thales TCT CipherTrust Manager k570 devices.

  • An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.

  • A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.

  • A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.

In addition, 2.13.x Virtual CipherTrust Manager will be available on the following public clouds, as the Community Edition:

  • Amazon Web Services: SafeNet Cloud Provisioning System

  • Google Cloud


    As 2.13.x is not the default version, you must use the gcloud CLI to retrieve it.

  • Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace

  • Oracle Cloud

  • IBM Cloud

    • An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.

    • A QCOW2 image file for deploying a new Virtual CipherTrust Manager IBM Cloud Virtual Private Cloud Gen2.

2.13.x contains a number of new features and enhancements. Refer to Features and Enhancements for details. For the list of known issues, refer to Known Issues.

Features and Enhancements

Release 2.13.2

The 2.13.2 release includes a stability fix for Virtual CipherTrust Manager disk resizing on Google Cloud Platform. The fix is described in the resolved issues list. This release is available as an upgrade file and only supported for Virtual CipherTrust Manager instances running on Google Cloud Platform. The upgrade can be applied directly on CipherTrust Manager version 2.13.1.

Release 2.13.1

The 2.13.1 release includes a stability fix for the Virtual CipherTrust Manager license. The fix is described in the resolved issues list. This release is available as a new virtual instance, or as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.13.0, 2.12.x, 2.11.0, 2.11.1, and 2.10.x.

Release 2.13.0


  • Added support in the Connection Manager to configure CipherTrust Manager as an external key source for CCKM.

  • Added provision to set the state of the previous version of the key to either "protectstop" or "deactivated" after rotation using the "replaced-key-state" parameter. The key state "protectstop" is mapped to restricted and "deactivated" to "retired" in NAE.

  • Support for AWS IAM roles anywhere in the Connection Manager for CCKM.

  • Added UI support for renewing an interface certificate and local Certificate Authority (CA) certificate.

  • Added provision in the Update /v1/vault/keys2/{id} API to modify the "Key Usage" for all versions of a versioned key in one go.

  • Added option to allow users to specify key owner during DSM restore.

  • Connection Manager support for SFDC using "client_credentials OAuth grant type" through API and CLI.

  • Added support for multiple IPs in DNS host record. It enables outbound requests from the CipherTrust Manager to be scattered over multiple IPs in a round-robin fashion.

  • Added user_member_field and group_dn_attribute fields to support different LDAP Schemas in LDAP-connection manager through API and CLI. Also, fixed DSM parities for Platform CTE LDAP Browsing.

  • Added provision to send SMTP notifications for system alarms.

  • Auto-execution support added for AddUserToGroup quorum.

  • Enhanced UI, API, and CLI for key management by adding a "description" field.

  • Added UI options to upload license and certificate files where needed, in addition to existing options to paste in text values.

  • Added an option to disable automatic creation of a user for OIDC and LDAP connections in Access Management.

  • Added a UI option to set a saved query as the default query for Loki Audit Records.

  • Added ability to download Loki Audit Records to a JSON file.

  • Added more UI options to finely control key rotation schedule. Which keys are rotated can be determined relative to the time the scheduled job runs.

  • Enhanced client profile and registration token UI menus to provide better control of CA configuration.


    The Client Profiles page on the CipherTrust Manager GUI is labeled Tech Preview as it will continue to expand further. However, any feature that uses this page is not affected by the label.

  • The GUI flow to create registration tokens has changed. When creating a registration token, you now need to select a pre-created client profile instead of selecting a CA.


    • If you automate registration token creation using the /api/v1/client-management/regtokens API endpoint, it is recommended to provide value for the client_management_profile_id attribute that points to an existing client profile.

    • This is not enforced for backward compatibility reasons.

  • The support for ProtectV is removed from the CipherTrust Manager, so when you upgrade from CipherTrust Manager 2.11 or lower versions, the ProtectV Admins, ProtectV Clients, and ProtectV Users groups still show up but are not usable. These groups can be manually removed if required.
    However, when you upgrade a fresh CipherTrust Manager 2.12 to 2.13 or higher, this issue is fixed and groups are not visible.

  • If a domain has more than 1000 cryptographic objects (keys and opaque objects), to fetch keys, it is recommended to use KeyNamesRequest instead of KeyQueryRequest. The response time of KeyQueryRequest is proportional to the number of keys on the CipherTrust Manager, therefore, it may lead to a timeout exception on the client side.

  • Currently, the log forwarders are not configured to use the system's proxy configuration. If proxy is configured, the log forwarders bypass the proxy servers.

  • The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.

  • During client renewal, if another client (which has authentication_mode set to dn) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and a different subject DN.
    However, for local CAs, it is not required to delete the client to be renewed; instead, set the do_not_modify_subject_dn field to false. Refer to Renewing Local CA Clients for details.

Application Data Protection

  • Added support of internal, external, and disable versioning in protection policy.

  • Added option to clean erroneous clients.

  • Added provision to view client versions in application.

Cloud Key Manager
  • [Public Preview]: Added support for OCI HYOK to manage external vaults and external keys.

  • Added UI support for CCKM integration with Google Cloud KMS key management, using EKM via VPC connections, to create, rotate, and destroy coordinated external keys in CCKM cryptospaces. Note that these keys can only be managed through the Google Cloud KMS (and not through CipherTrust Manager or CCKM).

  • From the CCKM UI, you can now enable or disable audit recording of successful operations within an AWS external key store. Note that enabling this feature significantly impacts the performance of the key store. Enable this feature only for the purpose of troubleshooting or presenting a demo.

  • From the CCKM UI, CCKM administrators can now manage user and group permissions on Google Cloud projects to allow users and groups to manage Google cryptospaces and cryptospace endpoints.

  • Added support to check the health of the connection between a CipherTrust Manager node and an HSM, which are deployed behind a load balancer, using the Health Check URI Path value.

  • You can now assign a credential rotation schedule for the credentials of a given external custom key store in CCKM. You also now have the ability to assign or unassign a credential rotation schedule for these credentials in CCKM. The key store must be in a linked state, which allows the auto rotated (new) credentials to be updated in AWS KMS.

  • In this release, AWS health check response includes the status of an external custom key store, which uses a Luna HSM or a CipherTrust Manager as a key source. This health check validates whether the key store is available, working, and ready to handle requests.

  • CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING, a new Key Access Justification (KAJ) reason, is now available for use by the Key Access Justifications feature in Google Cloud. When justification reasons are set, they need to be provided for Google Cloud EKM to initiate a wrap or unwrap operation.

  • Added support for external CipherTrust Manager as a key source.

  • Added support to migrate source keys from DSM to an external CipherTrust Manager while migrating to CipherTrust Manager (CCKM embedded) for cloud key management.

  • Added new options to manage SFDC connections on the CipherTrust Manager. Added support for Multifactor Authentication (MFA) for SFDC cloud.

  • Added support for AWS IAM Roles Anywhere.

  • Added capability to manage GCP key policies using the API.

  • Added support for AWS bulk jobs to perform enable and disable operations on multiple AWS keys in one attempt through the GUI. A maximum of 100 keys are supported for bulk operations.

  • [Google Workspace CSE]:

    • Enhanced the wrapPrivateKey API for Gmail.

    • Implemented changes to accommodate the renamed privileged unwrap API (from privileged_unwrap to privilegedunwrap per the latest Google spec 0.9.2).


In CipherTrust Manager 2.12 and older versions, Oracle BYOK was licensed based on OCI Compartments. From release 2.13 onward, both BYOK and HYOK use cases are licensed based on OCI Tenancies.

CTE and CTE UserSpace

Information in this section applies to all types of CTE and CTE UserSpace Agents unless stated specifically.

  • Support for configuration of CTE Agents to communicate with a CipherTrust Manager cluster behind a network load balancer.

  • Reintroduced support for the Unique to Client Keys. Support for these keys was suspended in the CipherTrust Manager 2.12 release.

  • Extended quorum control support for the following new operations:

    • DeleteCSIStorageGroupCTE

    • DeletePolicyCTE

    • DeletePolicyElementsCTE

    • DeleteProfileCTE

    • UpdateCSIStorageGroupCTE

    • UpdateGuardPointCTE

    • UpdatePolicyElementsCTE

    • UpdateProfileCTE

  • GUI enhancements:

    • Added the Description field to the CTE reports pages.

    • Enhanced GUI to filter members while adding LDAP members to a user set over LDAP connections. You can also specify an LDAP Query to filter members meeting specific criteria.

CTE Specific

  • Added support for protection of Teradata devices using LDT GuardPoints. This feature will be available from CTE version 7.5.

  • Added support for migration of CTE resources shared across DSM domains.

  • Removed GuardPath restrictions for Windows clients. CTE for Windows now supports protection of the following folders that contain open files:

    • The top-level Program Data folder on Windows Vista and Windows 2008

    • The top-level Documents and Settings folder on all other Windows platforms

    • The Users folder

  • Included three Ransomware Protection licenses for the CipherTrust Manager Community Edition.


  • CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.13 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager.

  • Support for CTE clients with the Efficient Storage GuardPoints (ESG) capability will be deprecated from CipherTrust Manager 2.14 onward.

Notes on CTE UserSpace

CTE UserSpace is a kernel-independent file encryption product. The resources of CTE UserSpace clients running 10.0 and higher Agent versions are managed by the Transparent Encryption application on the CipherTrust Manager. These clients can't be managed by the ProtectFile & Transparent Encryption UserSpace application.

This release does not support the following features:

  • Kernel Compatibility Matrix

  • Agent and System locks

  • CBC and XTS keys

  • COS, ESG, IDT, and LDT policies and GuardPoints

To manage the clients running the previous versions of the CTE UserSpace Agent, use the ProtectFile & Transparent Encryption UserSpace application only. Alternatively, upgrade those clients to CTE UserSpace 10.0 or a higher version.

Data Discovery and Classification

Search for Secrets - This capability allows customers to discover secrets, such as passwords and tokens, that are key to accessing secured elements such as apps, intellectual property, or infrastructure. Secrets can be misplaced in local hosts, databases, or cloud locations that are not secured. Finding where secrets are located provides the opportunity to reduce or avoid the risk of exposure. This feature brings 23 new infotypes under the new classification profile 'Secrets'.

Resolved Issues

This table lists the issue resolved in 2.13.2.

Issue                 Synopsis
KY-67506              If you attempt to resize a Virtual CipherTrust Manager disk on Google Cloud Platform with cloud-init, the Virtual CipherTrust Manager image fails to launch.

This table lists the issue resolved in 2.13.1.

Issue                 Synopsis
KY-67554              Problem: After you upgrade a Virtual CipherTrust Manager to 2.13.0, the Key Manager Lock Code changes, invalidating the current Virtual CipherTrust Manager license and putting the instance into Community Edition mode.
                      Resolution: 2.13.1 no longer changes the Key Manager Lock Code on upgrade. If you are at a version below 2.13.0, upgrade to 2.13.1 instead. If you are at 2.13.0, contact customer support to have a new license issued, apply the license, and then upgrade to 2.13.1.

This table lists the issues resolved in 2.13.0.

Issue                 Synopsis
KY-60264              CCKM: Issues observed in managing AWS keys through an assumed role when the CipherTrust Manager is deployed in a VPC.
KY-65503              CCKM: User cannot see cryptospace endpoints after giving view permission to the user in Google project ACLs.
KY-65151              Problem: If you navigate to Cloud Key Manager > Containers > Oracle Vaults, an error is displayed in the browser console: "Why is lifecycle_state not in {region {...}} ".
KY-64955              [Azure]: If a vault (say vault-1) is first added and synchronized in the CipherTrust Manager in a domain (say domain-1), and later added to another domain, the associated key_vault_id is changed for keys in domain-1, leaving keys in domain-1 unusable.
                      Now, if vault-1 in domain-1 is refreshed, all the keys (except those marked as DELETED) are again usable. Note that, even after the refresh, users cannot perform any operations on the keys marked as DELETED in domain-1.
KY-64933              A CCKM user with the View BYOK ACL on AWS KMS can view the AWS Native keys. The user can view BYOK keys if it only has the View Native ACL.
KY-63518              Creating a custom password policy throws an error with invalid values when default values are not provided.
KY-63347              The SNMP trap notification linkDown, indicating a network interface is down, is not sent immediately in a multi-NIC environment. The trap notification is sent after a CipherTrust Manager reboot.
KY-65469              Unable to delete a GCP project from a domain in CCKM. This issue only occurs when the same project is added in two different domains.
KY-64877              If you upgrade a CipherTrust Manager which has more than 100 domains and then perform a service reset, the system might fail to come up.
KY-64755              After creating an EKM-UDE endpoint on CCKM with Confidential VM for unwrap selected, the error associated with the decryption of data from a non-confidential VM is not logged in the CipherTrust Manager Loki logs. However, it should have been logged, as this operation is not allowed for the given EKM-UDE endpoint when Confidential VM for unwrap is configured.
KY-64700              Problem: [AWS GUI]: While configuring a key policy, the Key Admins and Key Users tabs show 100 admins/users only.
KY-62721              When an invalid cryptospace ID is provided to the checkCryptoSpacePermissions API in CCKM, an error code of 500 indicating check cryptospace permissions is returned. This API now appropriately returns error code 404 indicating record not found.
KY-62472              When creating a new schedule using post /v1/scheduler/job-configs without specifying the disabled parameter, CCKM fails to set this parameter to the default value of false.
KY-61914              When creating a cryptospace endpoint through the API, CCKM fails to check whether the region and project added match the cryptospace's region and project.
KY-61560              Checking the health status of a deleted AWS custom key store in CCKM generates a 200 response code with a null value instead of the error code 404 indicating record not found.
KY-61517              If you create a group mapping for an LDAP Access Management connection on a child domain, the UI lists an additional LDAP connection prefixed with the domain name.
KY-61423              KMIP Query request doesn't return supported operations such as encrypt, decrypt, and sign.
KY-61252              Problem: When using an AWS Assume Role KMS account, the ARN of a modified key policy on CCKM is different from the key policy ARN on the AWS cloud.
KY-60913              Occasionally, if you change from a child domain to the root domain on the UI, an error "The connection does not exist." displays.
KY-60718              Problem: When you create a new domain in the UI, and select "Admins" for the new domain, duplicate user names are displayed. The users are duplicated for each LDAP Access Management connection which is configured.
                      Resolution: The source connection name is now displayed for each user. Setting a user with a specific source connection still means that the user can log in and act as the domain administrator on any LDAP connection or as a local user.
KY-60628              When granting permissions for the cryptospaceekmenable and cryptospaceekmdisable actions in the ACL, CCKM fails to also grant permission for the cryptospaceview action implicitly. By design, the cryptospaceview action is automatically added when a user is granted one of the following permissions: cryptospacecreate, cryptospaceupdate, cryptospaceblock, cryptospaceunblock, cryptospacedelete, cryptospaceekmenable, and cryptospaceekmdisable.
KY-60614              Problem: When a policy template (P1) is created in a KMS (for example, K1), then if the KMS is deleted, and re-added with the same name (K1), the policy template can be listed, but its details cannot be viewed.
KY-60420              If you download the Luna STC Client Identity from the CM web console GUI, the file is formatted incorrectly and registration on the Luna Client fails.
KY-60048, KY-60057    Problem: Adding more than 26 external trusted CAs to the KMIP interface throws a "pq: payload string too long" error. This issue is fixed in version 2.13.
                      However, for mixed-version clusters, users need to restart the lower-version node if more than 26 trusted CAs are added on the CM 2.13 interface.
                      For example, in a mixed-version cluster of 2.13 and 2.12 nodes, if more than 26 trusted CAs are created on the 2.13 interface, then the user has to restart the 2.12 nodes to support client authentication with all of the added trusted CAs.
KY-60380              Problem: [Azure Certificates]: When a certificate issued by DigiCert is pending approval from them, CCKM does not show the in progress, failed, or cancelled certificates. They are marked as deleted.
KY-60354              Problem: [AWS]: When a key is created, the path is not concatenated with the admin and user name in the policy.
KY-60249              The get /v1/transparent-encryption/policies API does not return the complete list of policies added to the CipherTrust Manager.
KY-60113              Problem: [SAP]: Deleted Luna HSM keys are displayed when uploading a new key or adding a new version.
KY-60008, KY-59449    Problem: [Azure]: Should not show release policies and the export option for non-exportable keys while adding a new version or a schedule.
KY-59993              Problem: CipherTrust Manager does not validate the CA certificate file on creating or updating a legacy syslog connection in Admin Settings.
                      Resolution: CipherTrust Manager now rejects PEM files which are formatted incorrectly or which contain a key instead of a certificate.
KY-59952              Only the 10 most recent alarm configurations are listed in the GUI.
KY-59893              Signature rules are not copied to a cloned policy.
KY-59842              The MFA setting cannot be modified from the View/Edit option for a GuardPoint.
KY-59807              A Start CipherTrust Platform Evaluation request takes 18-20 seconds and Stop CipherTrust Platform Evaluation takes 12-15 seconds, and occasionally times out.
KY-59762              UI search results are not retained for users when they navigate to another page.
KY-59495              Problem: [AWS]: The Create Key Policy page becomes nonresponsive when adding a policy with formatting issues.
KY-59483              Problem: OCI test connection does not work if the OCI user has access to only a sub-compartment.
KY-59471              The trusted CAs in the existing custom interfaces don't get replicated on a new node joining a cluster. This leads to failure of client (NAE, KMIP, and REST) authentication on the new node.
KY-59446              When an EKM endpoint policy is updated from the API to set KAJ to false, CCKM erroneously keeps the KAJ values previously set.
KY-58241, KY-58239    Problem: While generating or deleting a report for all clouds except SAP cloud, the GUI shows a generic error "Unable to generate Google report for given parameters" for unauthorized users.
KY-57097              Problem: Users in the Read-Only Admins group are not able to download files for debug logs, web activity logs, NAE activity logs, or KMIP activity logs.
KY-56787              When using GET /v1/cckm/ekm/endpoints?relative_resource_name_without_version=-1 to filter the list of EKM endpoints by unique cryptospace endpoints, the first version of each endpoint is returned. However, the expected behavior is to return the latest version of each endpoint.
KY-56786              Filtering the results of GET /v1/cckm/ekm/endpoints by the request query parameters cryptospace_name (for cryptospace name) or gcp_relative_resource_name (for the relative resource name of a GCP Cloud KMS key) using a wildcard search does not work.
KY-56181, KY-56104    The Scan Progress and Scan Status windows are stuck at partial progress for a scan path with many folders / tables.
                      The scan progress gets stuck as it receives too many scan sub-paths and fails to display the updated information, but the scan keeps running and will eventually complete.
KY-56047              The Protection Policy page crashes when the name of a protection policy exceeds 50 characters.
KY-55676              Problem: [Azure GUI]: On the certificate details page, the X.509 SHA-1 Thumbprint is displayed as base64 encoded.
KY-55467              NAE FPE batch crypto request fails for rapid encryption requests. This leads to failure of all crypto requests thereafter.
KY-55166, KY-41763    Details regarding the keyupdate ACL are visible in both the CCKM REST API and CLI documentation. However, this ACL should no longer be featured in the documentation as it has been superseded by the cacheonlykeyupdate ACL.
KY-55064, KY-54442    CE: In case of bulk client or client GuardPoint deletion, the quorum details may not be available. However, quorum operations (such as approval, rejection) can be performed.
                      This issue has no impact on functionality.
KY-51135              Group members cannot be imported from LDAP for CTE user sets.
KY-43666              Problem: After upgrade, cannot register a client if there is an existing client with the same Subject DN and auth_mode as "fp".
KY-42690              Problem: If you edit the default port value on the web or KMIP interface, and then join the CipherTrust Manager to a cluster, web or KMIP requests directed to the changed port value fail on other nodes. This is true even though the nodes in the cluster display the new, correct port value for these interfaces.
KY-35220              When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned.
KY-37961              If you add a user only to the "CTE Admins" group and attempt to create a registration token on the UI, the operation hangs and never completes.
KY-31058              The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work.

Advisory Notes

This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.

USB Host Logs are Not Immediately Forwarded on Upgrade

If you have an existing syslog forwarder configured for host logs, and upgrade to 2.13, the USB host logs are not immediately forwarded. You need to manually force the syslog forwarder to update completely. This can be achieved by:

  • Using the modify command.

    1. Use kscfg syslog forwarder modify --id <syslog_forwarder_id> --<another_option> <temporary_value> to force the update.

    2. Use kscfg syslog forwarder modify --id <syslog_forwarder_id> --<another_option> <original_value> to reset to the original value.

  • Deleting and recreating the syslog forwarder.

    1. View the syslog forwarder's current configuration values with kscfg syslog forwarder get --id <syslog_forwarder_id>. Note down or otherwise retain these configuration values.

    2. Delete the existing syslog forwarder with kscfg syslog forwarder delete --id <syslog_forwarder_id>.

    3. Re-create the syslog forwarder with kscfg syslog forwarder add, including any options necessary to set the original configuration values. See the kscfg syslog forwarder add documentation for these options.

NextGen KeySecure and ProtectFile End-of-Support in 2023

NextGen KeySecure firmware and the ProtectFile connector will be End of Support in December 2023.

In most cases, you can upgrade from NextGen KeySecure to CipherTrust Manager directly. If you are running the legacy k450 or k460 hardware model, you must migrate data to the k470 or k570 model.

We strongly recommend migrating ProtectFile to CTE or CTE Userspace.

Luna Network HSM 5.x and 6.x are no longer supported as Root-of-Trust for CipherTrust Manager

As Thales has passed the end-of-support date for Luna Network HSM 5.x and 6.x, CipherTrust Manager no longer supports those versions for root of trust. CipherTrust Manager does not prevent configuring those versions as root of trust, so upgrading will not disrupt existing root-of-trust connections to our knowledge. Consult the End of Sale and End of Support announcement, the Luna Network HSM 7 documentation, and the Data Protection on Demand and Luna Cloud HSM documentation for migration information.


Do not enable quorum on the ManagePolicyAttachment and DeletePolicy operations until all the CipherTrust Manager nodes in a cluster are upgraded to 2.10 or a higher version.

SMB Connection

The Host and Port fields must be specified together, or neither of them. If Host and Port are not specified while creating an SMB connection, these fields cannot be added later.

Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests

When generating a new AES or DESede key, CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.

We strongly recommend future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.

We recommend using CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM, or DESede CBC encryption request, following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.

The IV value used for an encryption request is needed to decrypt the data later.

In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.

In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
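The following Go program is an added illustration of the recommendation above; it is not CipherTrust Manager code and uses only the Go standard library with a constructed key, a constructed stand-in for a stored Default IV, and constructed sample records. It shows what a fixed IV gives away under AES-CBC (identical first ciphertext blocks for records that share a prefix), what a repeated nonce gives away under AES-GCM (the XOR of the two plaintexts), and that a per-request random IV removes the CBC leak while still decrypting correctly as long as the IV is kept with the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed values for this demonstration only; none is a real key manager key or Default IV.
var (
	DemoKey   = []byte("0123456789abcdef0123456789abcdef") // 256-bit demo key
	DefaultIV = bytes.Repeat([]byte{0x42}, aes.BlockSize)  // stands in for a fixed, stored Default IV
	DemoNonce = bytes.Repeat([]byte{0x42}, 12)             // fixed 96-bit GCM nonce (the mistake)
	// Two records that share their first 16-byte block and differ in the second.
	Sample1 = []byte("ACCOUNT=00001234" + "AMOUNT=0000100.0")
	Sample2 = []byte("ACCOUNT=00001234" + "AMOUNT=9999999.9")
)

// RandomIV draws n bytes from the OS CSPRNG, the local equivalent of asking
// the key manager's RNG for a fresh IV on every request.
func RandomIV(n int) ([]byte, error) {
	iv := make([]byte, n)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return iv, nil
}

// cbcRun is the shared AES-CBC driver; encrypt selects the direction.
// Padding is omitted because the sample records are already block aligned.
func cbcRun(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length %d is not block aligned", len(in))
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// CBCEncrypt encrypts block-aligned plaintext under key and iv.
func CBCEncrypt(key, iv, plaintext []byte) ([]byte, error) { return cbcRun(key, iv, plaintext, true) }

// CBCDecrypt needs the exact IV used to encrypt: store or transmit it with the ciphertext.
func CBCDecrypt(key, iv, ciphertext []byte) ([]byte, error) { return cbcRun(key, iv, ciphertext, false) }

// FirstBlockLeaks reports whether two CBC ciphertexts share their first block. Under one
// key and one IV that happens exactly when the first plaintext blocks are equal.
func FirstBlockLeaks(c1, c2 []byte) bool {
	return bytes.Equal(c1[:aes.BlockSize], c2[:aes.BlockSize])
}

// GCMNonceReuseLeaks seals p1 and p2 under the same key and nonce and checks whether
// c1 XOR c2 == p1 XOR p2 over the shared length. A repeated nonce repeats the CTR
// keystream, so an observer learns p1 XOR p2 without knowing the key.
func GCMNonceReuseLeaks(key, nonce, p1, p2 []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	c1 := gcm.Seal(nil, nonce, p1, nil)
	c2 := gcm.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	c1, _ := CBCEncrypt(DemoKey, DefaultIV, Sample1)
	c2, _ := CBCEncrypt(DemoKey, DefaultIV, Sample2)
	fmt.Println("fixed IV, first blocks equal:", FirstBlockLeaks(c1, c2)) // true
	iv1, _ := RandomIV(aes.BlockSize)
	iv2, _ := RandomIV(aes.BlockSize)
	r1, _ := CBCEncrypt(DemoKey, iv1, Sample1)
	r2, _ := CBCEncrypt(DemoKey, iv2, Sample2)
	fmt.Println("random IVs, first blocks equal:", FirstBlockLeaks(r1, r2)) // false
	pt, _ := CBCDecrypt(DemoKey, iv1, r1)
	fmt.Println("decrypt with the stored IV ok:", bytes.Equal(pt, Sample1)) // true
	leak, _ := GCMNonceReuseLeaks(DemoKey, DemoNonce, Sample1, Sample2)
	fmt.Println("GCM nonce reuse leaks p1 XOR p2:", leak) // true
}
```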

Some Key States Change After Upgrade

After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.

As you cannot upgrade directly from 2.4 to 2.13, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.

  • When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.

  • When a key has an NAE state of Restricted and Protect Stop Date is set in future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.

  • When a key has an NAE state of Active and Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.

  • When a key has an NAE state of Active and Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.

  • When a key has a state of Deactivated before upgrade, its state will be unchanged after upgrade. However, the allowed operations for the Deactivated state change after upgrade. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.

System Upgrade and Downgrade Supported Releases

System upgrades on a single unclustered device to 2.13.1 have been tested from releases 2.10.x, 2.11.0, 2.11.1, 2.12.x, and 2.13.0. Such upgrades to 2.13.2 have been tested from release 2.13.1.

Upgrades from other versions have not been tested and may not work correctly. Upgrade from 2.11.2-2.11.6 to 2.13.x is not supported as these patches will be released after 2.13 and contain bug fixes not present in 2.13. Upgrading from these patches to 2.13 can re-introduce bugs. If you are using one of these 2.11 patches, wait for future releases to obtain the new features introduced in 2.13.

Upgrade from 2.11.1-tct is not supported.

An unclustered CipherTrust Manager can be downgraded to the previous version before upgrade. For release-specific upgrade/downgrade information, refer to the release notes for your release.

As we cannot guarantee stability, we strongly recommend using downgraded systems for test environments only. Do not use a downgraded CipherTrust Manager in a production environment.

Refer to the System Upgrade page for instructions to perform an upgrade or downgrade.

The cluster upgrade section provides instructions to perform an upgrade on a cluster of devices. Supported upgrade paths depend on the method used to upgrade the cluster.

  • Cluster remove/rebuild to 2.13.1 is supported from 2.10.x, 2.11.0, 2.11.1, 2.12.x, and 2.13.0. Cluster remove/rebuild to 2.13.2 is supported from 2.13.1.

  • In-place cluster upgrade is performed from one minor version at a time, so there is no limit on starting version. You must upgrade to 2.13.1 before you can upgrade to 2.13.2.

Restoring a backup from release 2.10.0 or later is supported; however, restoring a newer backup to an older version is never supported.

Protect the ksadmin Private SSH Key

The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.

TLS/SSL Must be Enabled in a Production System

As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.

Key Usage Mask Selection

If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.

  • Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.

  • DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (which gives the impression that DDC fails randomly).

Overlapping licenses are not supported (except for the trial license).

Upcoming End of Support for Platforms and Features

  • Linux 2.4 Node Agents

  • Email Targets - Microsoft Exchange (EWS)

  • Microsoft 365 - Exchange Online (EWS)

  • Web Browser - Internet Explorer

This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.

TLS Compatibility

This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

Interface | Minimum TLS version | Maximum TLS version | Default minimum TLS version
--------- | ------------------- | ------------------- | ---------------------------
Web UI    | TLS 1.2             | TLS 1.3             | TLS 1.2
NAE       | TLS 1.0             | TLS 1.3             | TLS 1.2

TLS 1.0 and TLS 1.1 support will be discontinued in a future release.

By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:

  • TLS_AES_256_GCM_SHA384 (TLSv1.3)

  • TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)

  • TLS_AES_128_GCM_SHA256 (TLSv1.3)

TLS Deprecation Notices

  • Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.

  • Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:

Client Platforms

The following client platforms are supported by the CipherTrust Manager.

Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.

For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.

CipherTrust Application Data Protection

  • CADP for .NET Core: minimum version 8.11.0

  • CADP for C: minimum version 8.14.0

  • CADP for Java: minimum version 8.13.0

CipherTrust Application Key Management

  • CAKM for Oracle TDE: minimum version 8.10.0

  • CAKM for Microsoft SQL Server EKM: minimum version 8.5.0

CipherTrust Cloud Key Manager

Minimum version

CipherTrust Database Protection

  • CDP for Oracle: minimum version 8.12.0

  • CDP for MSSQL: minimum version 8.12.0

  • CDP for DB2: minimum version 8.12.0

  • CDP pdbctl: minimum version 1.5.1

  • Transformation Utility: minimum version 8.4.3

CipherTrust Transparent Encryption

Minimum version 7.0.0

CipherTrust Transparent Encryption UserSpace

Minimum version 10.0

CipherTrust Transparent Encryption for Kubernetes

Minimum version 1.0.0

CipherTrust Vaulted Tokenization

Minimum version 8.7.1

CipherTrust Batch Data Transformation

Minimum version

CipherTrust Vaultless Tokenization

Minimum version

CipherTrust Teradata Protection

Minimum version

Minimum version:

  • ProtectFile Windows 8.12.3

  • ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)

The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.

Data Discovery and Classification Agents

Linux minimum kernel version is 2.6.

There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.

ODBC driver for Microsoft SQL: To connect to Microsoft SQL, the DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. For example, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.

TDP Version Compatibility

Data Discovery and Classification requires TDP or newer.

Known Issues

This section lists the issues known to exist in the product at the time of release.

CipherTrust Manager

KY-71979 - Problem: The Admin Settings > System Properties page is erroneously displayed when you are logged into a child domain on the CipherTrust Manager GUI. If you attempt to edit any field, the operation fails with the error "Insufficient Permissions".
Workaround: Only adjust system properties when you are logged into the root domain.

KY-71188 - Problem: Users in the Key Admins group are unable to create a new key version for a key owned by another user.
Workaround: Create a custom policy for a group to be able to perform key rotations on all keys.

KY-71050 - Problem: If a local user has a different username and full name, the user cannot change their own password.
Workaround: A user in the Users Admin group can edit the full name value to match the username value.

KY-70904 - Problem: If you attempt to upgrade a Virtual CipherTrust Manager hosted on Microsoft Azure, the upgrade sometimes fails with the message Errors were encountered while processing:grub-pc present in the upgrade log.
Workaround: If you see this error, contact customer support to complete the upgrade.

KY-70603 - Problem: If you attempt to add an HSM-anchored domain through the CipherTrust Manager GUI, the operation times out with the error Failed to create domain kek in the debug logs.
Workaround: Set the KSCTL_TIMEOUT value to 60 (corresponding to 60 seconds), and then use the ksctl domains create command to add the HSM-anchored domain.

KY-69999 - Problem: You cannot add URLs with a wildcard asterisk character * to the proxy exemption list.

KY-69549 - Problem: If you have configured an LDAP connection to manage CipherTrust Manager users and the LDAP server is not reachable, you cannot retrieve users with "return_groups=true" on the GUI, API, or CLI.
Workaround: Resolve the LDAP connectivity issue so that CipherTrust Manager can retrieve the user's group details.

KY-65962 - Problem: OCI test connection fails when an OCI user is part of an identity domain.

KY-66135 - Problem: If you add an NTP server more than 1024 times and then restart all services, multiple services fail to restart correctly. The server audit records contain a message Following services have stopped after starting: followed by a list of services.
Workaround: SSH in as ksadmin and restart the host daemon service using sudo systemctl restart host-daemon.

KY-67550 - Problem: GUI: The Features tab of the Licensing page shows active licenses as Expired.
Workaround: Check the correct status using the licensing API.

KY-66205 - Problem: When custom interfaces are created in a cluster with certificate auto-generation turned off, the node on which the interface is created accepts client connections. However, on other nodes, the connection fails.
Workaround: Update the local trusted CA on the other nodes.

KY-66851 - Problem: When you try to add a user to a group, a quorum error message is displayed even if the AddUserToGroup quorum is deactivated. Instead of the quorum error, an actual permission error should be displayed.

KY-66099 - Problem: If you register a KMIP client on the UI and download the associated certificate for the client, the certificate has the .crt extension instead of .pem.
Workaround: Change the file extension to .pem. The file contents do not need to be reformatted.

KY-65964 - Problem: [OCI HYOK GUI] While creating an HYOK key, the incorrect policy cannot be edited.
Workaround: Cancel the key creation and re-create the key with the correct policy.

KY-65947 - Problem: If you attempt to add an alarm configuration from a specific record using the UI's Add Alarm Config from Record option, the conditions for boolean type fields are populated incorrectly. For example, the UI sets conditions such as input.success == "true,boolean" or input.success == "false,boolean", which are not in compliance with Open Policy Agent's Rego query language and will not trigger alarms correctly.
Workaround: Edit the alarm configuration to reformat the condition as input.success == true or input.success == false. Alternatively, add new alarm configurations through the + Add Alarm Configuration button available in the Alarm Configurations tab.

KY-65935 - Problem: If domains are deleted without deleting the linked protectapp profiles, the NAE service will not restart after the upgrade.
Workaround: Delete the linked protectapp profiles before deleting the domain.

KY-65764 - Problem: If you attempt to create a duplicate KMIP client profile with the same name as an existing client profile, the operation appears to fail with the error NCERRConflict: failed due to a conflict with the current state of the target resource. However, the client profile is created and visible on the Access Management > Client Profiles page. You cannot select the duplicate when creating a new registration token.
Workaround: Disregard this duplicate KMIP client profile.

KY-65539 - Problem: If the client registration fails when registering the client using the certificate, an invalid entry may be displayed in the response.
Workaround: Delete the client using the Delete /v1/client-management/clients/{id} API.

KY-65543 - Problem: When the external CM is in a cluster and the client is registered in a non-root domain of the CM, the test connection fails. This happens because the client cannot fetch the cluster information from the root domain.

KY-64823, KY-61196 - Problem: In a CipherTrust Manager cluster, if two nodes are disconnected and you create the same user on both nodes and update them with the same DN, duplicate users are created on re-connect.
Workaround: Duplicate users cannot be authenticated as regular users and therefore function as redundant users. It is recommended to delete these users to avoid confusion. However, if you don't delete them, you will be allowed to log in with one user only.

KY-64767 - Problem: After upgrade, if a system was previously configured to send host syslog messages, USB syslog messages may not appear.
Workaround: Use the kscfg utility to delete and re-add the host syslog configuration.

KY-64600 - Problem: If you create multiple automatic key rotation scheduled jobs and they are scheduled to run at the same time, a key rotation intermittently fails with the message 'There is an ongoing key rotation job, cannot add another'.
Workaround: Schedule automatic key rotation jobs to run at different times from one another.

KY-64597 - Problem: Typing a % (percent character) into the embedded API Guide for GET operations leads to inconsistent results, and sometimes crashes the page.
Workaround: As a best practice, avoid naming resources with the % character. If you must retrieve a resource with a % in its name, use the UI or CLI to do so.

KY-64593 - Problem: If you create a Loki log forwarder connection with TLS configuration in connection manager and use the test connection function, the test fails with the error 400 Bad Request.
Workaround: Disregard the test results and continue with the Loki log forwarder configuration. To confirm records are being forwarded, perform an operation such as creating a test key and then check the Loki server to see if the operation appears in the logs.

KY-63083 - Problem: Clients registered in a deleted domain are not excluded from the license usage.
Workaround:
  1. Log on to the root shell.
  2. Delete the entries of the clients registered with the deleted domain from the database.

KY-62563 - Problem: After auto-registering a client, the server audit record for creating a token has an incorrect value for client_id.
Workaround: Note the client_name value in the record. Run ksctl clientmgmt clients list --client-name <client_name_value> to return client details including the client ID.

KY-62550, KY-58948 - Problem: High memory and CPU consumption can lead to CipherTrust Manager declining user and client application requests.
Workaround: Monitor CPU and memory usage through Prometheus or Grafana and adjust load accordingly.

KY-62196 - Problem: CTE LDT policies which have "allow browsing" checked for the first secure rule, which is a legacy configuration from DSM version 5.x, are not migrated to CM correctly. The migration fails with the error [NCERRBadRequest: Bad HTTP request]: Invalid Params supplied. With LDT policy, first security-rule must be created with action as key_op, effect as applykey,permit, browsing(partial_match) as disabled and without any UserSet/ProcessSet/ResourceSet present.
Workaround: Please contact customer support for help migrating CTE LDT policies with this setting.

KY-61892 - Problem: The NAE and KMIP clients get auto-registered even if the system property ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN is disabled, the user impersonated by the client certificate is not created in the root domain, and the registration token is generated in the root domain.

KY-61722 - Problem: Deleting a domain that contains an NAE (ProtectApp) client returns status code 500.

KY-61299, KY-61402 - Problem: The emptyMaterial parameter is set to false for a destroyed key. As the key material is deleted, emptyMaterial should be set to true.

KY-61292 - Problem: In a configuration with multiple Luna Network HSMs acting as root of trust in high availability mode, when the HSM in use becomes unavailable, the CipherTrust Manager occasionally does not fail over to the remaining HSMs, and CipherTrust Manager becomes unavailable.
Workaround: Reboot the CipherTrust Manager instance to reconnect to the remaining HSMs.

KY-61056 - Problem: After the first restart/reboot of CipherTrust Manager for cluster certificate renewal, cluster node statuses still display as down.
Workaround: Restart all CipherTrust Manager nodes one at a time once again.

KY-61054 - Problem: While migrating from KeySecure Classic to CipherTrust Manager, if the local CA is signed by an external CA, the migration will fail for the local CA even if the external CA is added to the known CA list.
Workaround: If an externally imported CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, the CA will be migrated as an external CA, but the certificates will not be migrated to the CipherTrust Manager.
Therefore, to use the same certificate for the NAE/KMIP interface on the CipherTrust Manager, select the migrated external CA and upload its certificate manually by editing the NAE interface on the CipherTrust Manager.
Similarly, if a local CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, use auto-generation or issue a new certificate and upload the certificate to the interface.

KY-61373 - Problem: Support for ProtectV is removed from the CipherTrust Manager, but the ProtectV license still shows up after the upgrade to 2.12 or higher versions.

KY-60595 - Problem: If you attempt to create a domain with an existing name, the domain creation fails as expected. However, you can no longer delete the user specified as the domain administrator.
Workaround: Contact customer support to delete the user.

KY-59819 - Problem: Occasionally, when a second nShield Connect HSM is added as root of trust, the error [NCERRInvalidParamValue]: Failed to add member displays.
Workaround: Restart services or reboot the CipherTrust Manager, and reattempt adding the nShield HSM.

KY-59705 - Problem: The UI always shows server/client records as disabled and logs a ReadProperties authorization error for users in the Audit Admins group.

KY-59377 - Problem: When you create a new password policy without providing the failed_logins_lockout_thresholds value, an internal server error occurs.
Workaround: Provide a default value for failed_logins_lockout_thresholds, or create the password policy through the GUI.

KY-58939 - Problem: The Domain Level Usage for KMIP Clients displayed on the Licensing page shows total client usage for all domains instead of just the current domain.

KY-56426 - Problem: Deleted groups still show up in the key details information on the CipherTrust Manager.

KY-56213 - Problem: If you attempt to create a Luna Network HSM STC partition in connection manager and upload a partition identity file, the upload fails with the error Code 14: NCERRInternalServerError: unexpected error. This is because CipherTrust Manager doesn't recognize the format of the partition identity file downloaded from Luna Network HSM.
Workaround: Use the Linux command base64 -w0 on the partition identity file to convert it to base64 format, and then re-attempt the STC partition creation.

KY-55987 - Problem: If you have a scheduled job set to run on a particular cluster node, remove the node from the cluster, and then rejoin it, the scheduled job runs on all cluster nodes instead.
Workaround: After making any changes to cluster membership, update the scheduled job run_on parameter to reflect the current cluster node ID.

KY-55416 - Problem: The Alarms table does not support a retention policy. Record-based alarms will fill up the table.
Workaround: Contact customer support.

KY-54039, KY-55544 - Problem: Syslog message redirection from child domains to parent domains stops when 30 or more child domains enable this feature.

KY-53681 - Problem: You cannot delete the default backup key if it is uploaded from another domain.
Workaround: Contact customer support.

KY-53100 - Acknowledging or clearing an alarm changes the alarm's source and source_id to the cluster member node which updated the alarm.

KY-52137 - Problem: If you rotate the root of trust key for an HSM and then reboot the appliance, services fail to start up and the reboot does not complete. This can happen when the HSM contains two root of trust keys with the same name, and the wrong HSM key is loaded.
Workaround: If you are stuck in services startup, access the HSM with another client, and re-label one of the duplicate keys.

KY-51664 - Problem: When an nShield Connect HSM is configured as root of trust, there are intermittent connectivity issues. The nShield HSM occasionally returns a ServerAccessDenied error, and CipherTrust Manager raises the HSM is offline system alarm.
Workaround: Wait for connectivity issues to resolve after a few automatic reconnection attempts.

KY-49289 - Problem: If a Luna Network HSM partition is configured as root of trust, and CipherTrust Manager's client access is revoked with the LunaSH command client revokePartition, connectivity remains intact until CipherTrust Manager is restarted.
Workaround: As a best practice, after running client revokePartition, restart the CipherTrust Manager or restart all CipherTrust Manager services.

KY-49082 - Problem: If you set a CipherTrust Manager to use a non-default port for the web interface, other than 443, you cannot join the CipherTrust Manager to a cluster. The join operation hangs and never completes.
Workaround: Enter the IP address and port in the Public address of the new node field, disable the Cluster address is the same as the Public address checkbox, and then enter the IP address without the port in the Cluster network address of the new node field.

KY-49126 - Problem: After an external CA is uploaded to the CipherTrust Manager, the GN and DC fields are not displayed as part of the record.

KY-48284 - Problem: Domain backups with local users cannot be restored into another domain in the same cluster.
Workaround: Restore the backup to a CipherTrust Manager in a new cluster, or to a different CipherTrust Manager instance which isn't clustered.

KY-39354 - Problem: Scheduled Partial Domain Backups and Domain Backups fail when there is an SCP connection. The backup file is created on CipherTrust Manager, but it is not forwarded through SCP, and the file is invalid.
Workaround: If scheduled backup through SCP is needed, create a System Backup.

KY-39235 - If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain.

KY-27450 - Local Certificate Authorities (CAs) do not allow commas (,) in any of the fields.
Workaround: Configure an External CA instead. Use a backslash (\) in the Distinguished Name (DN) while creating a user if you are using certificate-based login. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value.
All other printable characters are allowed, as per the RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definitions of the RFC.

KY-25152 - You cannot pass in a custom SSH key via cloud-init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances.
Workaround: Log in to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login.

KY-20310 - When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error.
Workaround: Disregard the timeout error.

KY-17338 - KMIP: LDAP users cannot be set in the KMIP profile.
Workaround: To use LDAP authentication, use the KMIP auto registration.

KY-13343 - Uploading an existing backup results in an error, but the backup is displayed in the list with status "Uploading".
Workaround: Delete the backup using the "uploadID" as the backup ID.

KY-11517 - [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding.

KY-7289 - When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode.
Workaround: For migration use cases, if the Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.

KY-7288 - When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations, the AuthenticatedEncryptionTag is returned appended to the CipherText.
Workaround: For migration use cases, when using AES-GCM with KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.
After migration to CipherTrust Manager, the AAD tag is not appended to the data. It is sent as a separate tag.

KY-7193 - Sub-domain System Defined Groups do not show the "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups.
Workaround: Manually create the missing groups in sub-domains. Policies for the groups are created automatically.

KY-2482 (was NC-3480) - Signing with EC keys does not work via the REST API.

KY-504 - Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster.

NC-3573 - Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT.
Workaround: Change the state of the keys in the Pre-Active state to Active from the REST API or KMIP interface.

NC-3572 - Migration: Keys in the Pre-Active state on KeySecure Classic cannot be used for crypto operations on the CipherTrust Manager.
Workaround: Change the state of the keys in the Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration.
Alternatively, after migration, change the state of the keys in the Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface.

NC-2063 - If a user is deleted (or the LDAP connection name changes), they fail to display in the keys table.

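The alarm-condition issue in KY-65947 above is a detection gap rather than a cosmetic one: a condition that compares a boolean field with the string "true,boolean" never matches, so the alarm silently never fires. The following Python script is an added example, not Thales code, that scans an exported list of alarm configurations for that pattern and rewrites it as the workaround describes, with a minimal evaluator to show why the original form fails. The export layout (a JSON list of objects with name and condition fields) and the evaluator's limitation to the input.<field> == <literal> form are assumptions of this example.

```python
"""Normalizing boolean alarm conditions.

Added example, not Thales code.  KY-65947 describes UI-generated conditions
such as  input.success == "true,boolean".  Rego equality between a string
literal and a boolean field is simply false, so such an alarm never fires.
fix_alarm_export() rewrites these conditions to  input.success == true;
condition_matches() is a tiny evaluator for the  input.<field> == <literal>
form only, used here to show the effect.  The export format (a JSON list of
objects with "name" and "condition") is an assumption of this example.
"""
import json
import re

# input.<field> == "true,boolean"  or  "false,boolean"
BAD_BOOL = re.compile(
    r'(input\.[A-Za-z_][A-Za-z0-9_.]*)\s*==\s*"(true|false),boolean"')
# The subset of Rego this example evaluates: input.<field> == <literal>
SIMPLE_EQ = re.compile(
    r'^input\.([A-Za-z_][A-Za-z0-9_]*)\s*==\s*(true|false|"[^"]*")$')
LITERALS = {"true": True, "false": False}


def normalize_condition(condition):
    """Rewrite "true,boolean"/"false,boolean" string literals to booleans."""
    return BAD_BOOL.sub(lambda m: f"{m.group(1)} == {m.group(2)}", condition)


def fix_alarm_export(export_json):
    """Return (fixed_export_json, names_of_changed_configurations)."""
    configs = json.loads(export_json)
    changed = []
    for cfg in configs:
        fixed = normalize_condition(cfg["condition"])
        if fixed != cfg["condition"]:
            cfg["condition"] = fixed
            changed.append(cfg["name"])
    return json.dumps(configs, indent=2), changed


def condition_matches(condition, record):
    """Evaluate  input.<field> == <literal>  against one record dict.

    Like Rego, a string literal never equals a boolean field value, which is
    exactly why the malformed conditions never trigger.
    """
    m = SIMPLE_EQ.match(condition.strip())
    if m is None:
        raise ValueError(f"unsupported condition form: {condition!r}")
    field, literal = m.groups()
    expected = literal[1:-1] if literal.startswith('"') else LITERALS[literal]
    value = record.get(field)
    # Guard against Python's 0 == False / 1 == True: require the same type.
    return type(value) is type(expected) and value == expected


# Constructed sample export and record; not real CipherTrust Manager data.
SAMPLE_EXPORT = json.dumps([
    {"name": "failed-logins", "condition": 'input.success == "false,boolean"'},
    {"name": "key-deletes", "condition": 'input.action == "delete"'},
])
FAILED_LOGIN_RECORD = {"success": False, "action": "login"}

if __name__ == "__main__":
    fixed, changed = fix_alarm_export(SAMPLE_EXPORT)
    print("rewritten:", changed)
    for cfg in json.loads(fixed):
        print(cfg["condition"], "->",
              condition_matches(cfg["condition"], FAILED_LOGIN_RECORD))
```

Only conditions carrying the exact "true,boolean" / "false,boolean" pattern are touched; any other condition string is passed through unchanged, so the script can be run over a full export without affecting hand-written alarms.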
CipherTrust Application Data Protection (CADP for C)

KY-47385 - Problem: If you migrate a non-deletable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "deletable".
Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-deletable.

KY-47374 - Problem: If you migrate a non-exportable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "exportable".
Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-exportable.

CipherTrust Cloud Key Manager

KY-72210 - Problem: [AWS, Azure, and Luna HSM GUI]: When adding a new container or changing the connection of a container, the GUI lists only 10 connections.
Workaround: Use the API or CLI to view all connections added to the CipherTrust Manager.

KY-72067 - Problem: [GUI and API]: The Salesforce mTLS connection doesn't work when the Salesforce connection to the CipherTrust Manager is configured using Client Secret authentication.
Workaround: Use Certificate authentication from the CCKM UI or API, or Client Credential (My Domain) authentication from the API, when creating a Salesforce connection to the CipherTrust Manager.

KY-71243 - Problem: [GUI]: Intermittent: If the key source has a large number of keys (say, in thousands), fetching all the keys may take a significant amount of time or the request may time out.
Workaround: Use the API or CLI to fetch the keys.

KY-71194 - Problem: [AWS GUI]: Intermittent: If the CipherTrust Manager has a large number of keys (in thousands), the request to fetch the health check keys times out while adding an external key store. The Health Check Key drop-down list does not display the existing keys.
Workaround: Add the external key store using the API or CLI.

KY-67568 - Problem: [AWS GUI] Incorrect policy behavior on switching the policy method from "Create New Policy" to "Select Saved Policy", and finally reverting to "Create New Policy". The values previously selected for the "Create New Policy" method remain selected. Either the values should be cleared or taken as input for the replica. A similar issue is observed with the Link Key operation.

KY-67474 - Problem: [GCP GUI] Unable to add a key version using CipherTrust (External) from the details page of the key.
Workaround: On the Google Keys page, click the overflow icon corresponding to the desired key and click Add Version.

KY-66545 - Problem: Luna HSM: On first refreshing a Luna HSM partition after updating the Luna HSM connection from non-HA to HA enabled, the ha_enabled flag is set to false.
Workaround: Refresh the partition again. This updates the ha_enabled flag to true.

KY-65575 - CipherTrust Manager as an external key source shows incorrect status in the audit records. Also, the CipherTrust Manager does not show a detailed message if a CCKM user does not have the refresh and create key ACLs.

KY-65520 - Problem: The system might appear slow when there are more than 10 million cloud event logs.
Workaround: Contact Thales Customer Support to clean the event logs.

KY-65165 - Problem: SAP Data Custodian: A delete key job remains in the PENDING state for a long time and fails intermittently. This issue is at the SAP end.

KY-64780 - SAP Cloud: The CLI does not list the disabled keys.

KY-64482 - AWS KMS: Removing the assume role and external ID values does not remove the values from the AWS KMS.

KY-59906 - Problem: [AWS GUI] When updating the region of a KMS created with AssumeRole, the GUI displays all the available regions. They should be separated according to the assumed role.

KY-42082 - SAP Data Custodian: The SAP key activity report doesn't show any data. This issue is at the SAP end.

KY-39123 - SAP Data Custodian: When an SAP group is added again, performing any enable, disable, update, or add new version operation on a key in the group returns the "500 Internal Server Error".
Workaround: Refresh the newly added group, add the key again, and retry the operations.

KY-35220 - When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned.
Workaround: Refresh all the key vaults.

KY-31186 - If your proxy server does not support HTTP CONNECT, the CCKM Google Cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate.
Workaround: Add an exception with no_proxy, or use the proxy with username and password, and restart the services.

KY-31058 - The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work.

KY-17213 - When a CipherTrust Manager key is created using an auto rotation schedule on an AWS cloud native key, its owner is set to "Global".
Workaround: A CipherTrust Manager administrator can assign the ownership of the key to the desired user in the CCKM Users group.

CipherTrust Database Protection

PDB-3293 - If the datatype of a column changes from the char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work.

CipherTrust Data Discovery and Classification

KY-9098 DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder: when an empty folder is shared over NFS and scanned by DDC, the probe fails.
Workaround: Place any document in the empty folder and manually trigger Agent selection. Click the "Find Agent" button to relaunch Agent selection; the button is visible when you click the ellipsis (overflow) button next to the Data Store.
KY-9104 A scan fails with "Error scanning. The target for Data Store XYZ cannot be accessed." This happens when a Data Store is created and an Agent is selected for it, but the Agent later becomes unavailable and there is no way to select a new Agent from the UI.
Workaround: Edit the Data Store and change any configuration parameter so that the DDC Server automatically searches for a new suitable Agent.
KY-9399 The XVA file format is not handled correctly: after an XVA file is scanned and the report is generated, an additional data object that should not be reported is displayed in the Data Objects tab of the UI. Ignore it.
KY-8990 Scheduled scans, and scans launched manually via "run now", only start after X hours. If an Agent and the server have the wrong time set, DDC's ability to schedule scans, or to start them immediately when they are launched manually from the UI or API, is affected and the scan start may be delayed.
Workaround: Configure an NTP server for DDC and all Agent hosts.
KY-24205 Agent selection fails if no compatible Agent is found, if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store.
Solution: Check the following:
  • Make sure a compatible Agent is properly installed. Check the compatibility table in the "Agent Configurations" section of the "DDC Deployment Guide".
  • For a local Data Store, make sure that the Agent is installed on the same host as the Data Store.
  • For remote connections, make sure that network connectivity between the Agent and the Data Store is not blocked by a firewall.
  • Verify the configured credentials, and make sure that they have permission to connect to and read the Data Store contents.
  • After confirming that the Agent is up and has connectivity, go back to DDC and click "Find Agent" for the affected Data Store.
  • Make sure that you do not have two (or more) Agents with the same hostname (for example, as a result of VM cloning).
  • Configure the Data Store using a hostname instead of an IP address.
None of the clustered nodes responds to requests to DDC.
DDC is active on only one of the CipherTrust Manager nodes; requests sent to any other node return this error. This will be improved in a future release.
  • Run ksctl ddc active-node to identify the CipherTrust Manager node responsible for answering DDC requests, and send the requests to the indicated IP. If this does not work, restart the CipherTrust Manager node with that IP.
  • If the node identified by ksctl ddc active-node does not answer DDC requests correctly or is no longer active, contact Thales Customer Support.
KY-22666 DDC may not scan large Data Objects in Data Stores other than local storage.
The threshold is half of the RAM assigned to the scan. When a DDC scan encounters a file larger than this threshold, it may skip the file completely or scan it only up to that threshold, and nothing in the DDC reports lets the user identify that this happened.
Possible Workarounds:
  • Download the large files to local storage and run the scan on a local storage Data Store.
  • Increase the scan RAM as described in the Tuning Scan Settings section.
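The following is an added example, not part of these release notes or of DDC itself: a pre-check script that applies the threshold described above (half of the scan RAM) to a local copy or mount of the Data Store and lists the files DDC may skip or truncate, since the reports will not tell you. The scan RAM value and the mount path are inputs you supply; the size-unit parsing, the strict "larger than" comparison and the exit code are choices made here, not DDC behaviour.

```python
"""Pre-check for files DDC may skip on a non-local Data Store (KY-22666).

Added example, not Thales code. The known issue says a file larger than half
of the RAM assigned to the scan may be skipped or only partially scanned, and
the DDC reports do not reveal this. Walk a local copy or mount of the Data
Store before the scan and list every regular file over that threshold, so
those files can be moved to a local storage Data Store or the scan RAM raised.
"""
import os
import stat
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Oversized:
    path: str
    size_bytes: int
    threshold_bytes: int


def skip_threshold(scan_ram_bytes: int) -> int:
    """Threshold from the known issue: half of the assigned scan RAM."""
    if scan_ram_bytes <= 0:
        raise ValueError("scan RAM must be a positive number of bytes")
    return scan_ram_bytes // 2


def iter_regular_files(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, size) for regular files under root. Symlinks are not
    followed: a link pointing outside the share is not what DDC scans."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; DDC lists these as inaccessible
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_size


def find_oversized(root: str, scan_ram_bytes: int) -> List[Oversized]:
    """Return files strictly larger than the skip threshold, largest first."""
    threshold = skip_threshold(scan_ram_bytes)
    hits = [Oversized(p, s, threshold) for p, s in iter_regular_files(root)
            if s > threshold]
    return sorted(hits, key=lambda h: h.size_bytes, reverse=True)


def parse_size(text: str) -> int:
    """Accept '4G', '512M', '2048K' or a plain number of bytes."""
    units = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
    text = text.strip().upper()
    if text and text[-1] in units:
        return int(float(text[:-1]) * units[text[-1]])
    return int(text)


if __name__ == "__main__":
    # Usage: python ddc_precheck.py /mnt/share 4G   (path and scan RAM are yours)
    root, ram = sys.argv[1], parse_size(sys.argv[2])
    hits = find_oversized(root, ram)
    for hit in hits:
        print(f"{hit.size_bytes:>14} B  > {hit.threshold_bytes} B  {hit.path}")
    sys.exit(1 if hits else 0)
```

Run it against the same mount the DDC Agent will use, with the scan RAM value from your Tuning Scan Settings; a non-zero exit code means at least one file needs the local-storage workaround or a larger scan RAM.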
KY-19763 OracleDB and IBM DB2: uppercase schema/table name issues.
A scan of Oracle or DB2 cannot be launched if the schema or table was created with a lowercase name and DDC is configured with that lowercase name.
Workaround: Set the target path in uppercase.
KY-21981 Postgres tables without primary keys are not completely scanned.
DDC can only scan Postgres tables that have at least one primary key defined.
Workaround: Configure at least one primary key on the tables and run the scan again.
KY-34462 In G-Drive, DDC scans every path that has the configured scan path as a prefix.
When scanning a specific G-Drive folder, the scan is extended to all folders whose names contain the name of the folder that you intended to scan.
KY-46340 Office365: OneDrive for Business - Using the wrong OneDrive domain while probing or scanning does not return an error.
A scan with the wrong domain and path also does not return an error and completes successfully.
KY-48874 A scan of a MySQL Data Store (version 8.0.30) fails with "failed status in the scanner service".
KY-49115 Discrepancies in scan results for infotypes on the same file between DDC 2.10 and 2.9.
These infotypes show discrepancies:
- Australian Passport Number: 1070 (in version 2.9), 204 (in version 2.10)
- China Union Pay: 1000 (in 2.9), 921 (in 2.10)
- Discover: 1001 (in 2.9), 919 (in 2.10)
- Diners Club: 1001 (in 2.9), 1002 (in 2.10)
KY-51301 For SMB Data Stores with remediation enabled, scans performed after remediation completes may not find matches in encrypted files.
Workaround: Automatic agent selection does not narrow the choice of DDC Agents to those installed on hosts with a CTE Agent in the Agent Group protecting the SMB GuardPoint. If DDC selects any other agent, further scans of the SMB share read the encrypted content and therefore cannot find any matches. To avoid this, use labels to force DDC to select only the right agents:
- Add one dedicated label to the DDC Agents installed on the hosts with a valid CTE Agent.
- Assign that same label to the SMB Data Store, to guide the automatic agent selection algorithm.
KY-51550 Office365: OneDrive for Business - Scan progress reaches more than 100%.
KY-51586 A scan of a LONGBLOB column in MySQL gets stuck while scanning.
DDC should be able to scan a 20 MB table, as the LONGBLOB data type supports up to 4 GB of data, yet the scan fails.
KY-51623 BLOBs larger than 100 MB in MSSQL are only partially scanned.
NOTE: If a file is partially scanned, it is listed in the inaccessible locations list.
KY-52297 A DDC scan fails when the GuardPoint path for an SMB Data Store is empty.
Solution: A GuardPoint for a Data Store must always have a path configured in CTE.
KY-51695 DDC can only scan the initial 4 KB of any text file stored as a large binary object in database tables.
KY-52494 From this DDC version (DDC 2.10) on, RHEL-compatible Agents can only be installed on environments running the matching, officially supported kernel version.
KY-52532 The Autopause feature does not work as expected in Azure Table scans.
A scan of an Azure Table with the "Autopause" feature enabled has the following issues:
  • it fails to resume after the autopause end time once it has entered the "Autopaused" state from the "Pending" state,
  • it fails to enter the "Autopaused" state from the "Running" state.
KY-42593, KY-42491 Launching a second scan that has any Data Store in common with a running scan may restart the first scan's progress on the shared Data Store, or even fail it if the first scan is manually paused.
Workaround: Minimize scan concurrency on any given Data Store and use automatic pause, as automatically paused scans normally do not fail.
KY-23163 A CIFS scan goes into an interrupted state after the agent is restarted.
This only happens with Windows Server agents, and for the Exchange Server and Windows Local Storage Data Stores.
Solution: 1) Restart the Windows agent with the scan in the "Paused" state. Then resume the scan; it goes into the "Scheduled" state.
2) Restart the Windows agent once more and the scan returns to normal.
KY-55916 A full Data Store scan on SAP HANA fails with an "Internal Error".
SAP HANA scans on specific target paths (schemas to which the user has privileges) are successful, but the database can contain schemas to which the user has no privileges. A scan of the full Data Store tries to scan all schemas present in the database, and fails because of the missing privileges on some of them.
KY-56387 The count of Data Stores in the Agent List section does not change for the Exchange Server Data Store.
The number of Data Stores linked to an agent on the Agents page is updated once the Data Store is ready, except for the Exchange Server Data Store.
KY-53620 Targeted scans of a small dataset in a G-Drive Data Store take a long time if the overall data stored in G-Drive is large (for example, over 500 GB).
KY-56390 Scanning any data from an Exchange Server Data Store works only if the agent is installed on the same machine as the Exchange Server.
KY-60493 A scan fails with an internal error when an entire SMB share is scanned.
A scan of a full SMB Data Store takes a long time and ends with an internal error. Scanning only a subfolder works and a report can be generated.
KY-62708 The 'SSH Private Key' infotype does not show any matches for scans over its respective datasets, although the 'SSH Private Key' matches are covered by another infotype, 'Private Key'. Because both infotypes belong to the single classification profile 'Secrets', there is no difference in matches for scans over the 'Secrets' classification profile.
KY-66074 The 'IBM COS HMAC Credentials' infotype shows fewer matches for a MongoDB Data Store, and the 'Cloudant Credentials' and 'Basic Auth Secret' infotypes do not show any matches for an Azure Table Data Store when relevant data is present in the dataset. This results in an incorrect number of matches for MongoDB and Azure Table Data Stores.
KY-66200 The 'AES Key' infotype shows one fewer match than expected if the dataset also contains data for other infotypes.
KY-66217 The 'IBM COS HMAC Credentials' infotype shows fewer matches for an EBCDIC-formatted dataset. The conversion of the text dataset to EBCDIC format causes this issue.

CipherTrust Secrets Management

KY-64835 Problem: If you attempt to modify the protection key of an existing certificate-type secret in the Akeyless console, an exception stating "Unexpected error" is displayed.
Workaround: Delete and re-create the secret with the desired protection key.
KY-64751 Problem: If you launch the Akeyless console from the Secrets Management tile and the CipherTrust Manager session expires or is manually logged out, the Akeyless console session is logged out as well.
Workaround: Do not log out of the CipherTrust Manager UI unless you also want to log out of the Akeyless UI.
KY-63288 Problem: Some internet browsers, such as Mozilla Firefox, Google Chrome, or Microsoft Edge, open the Secrets Management tile as a pop-up and prompt you to allow pop-ups.
Workaround: Allow pop-ups from the CM UI if prompted.
KY-63116 Problem: If you restart all services, the Akeyless console and Akeyless gateway services return a 502 Bad Gateway error and display "Oops! Something went wrong..." in the browser, instead of being listed in the "Following services are starting up:" message on the CM login page.
Workaround: Wait 40 seconds for the Akeyless services to start and then retry visiting the Akeyless console or gateway.
KY-62702 Problem: Server audit records include messages about the Akeyless SSO token even when the Akeyless console is not open or in use.
Workaround: Ignore these messages. They are produced by a background process.
KY-61568 Problem: The POST /v1/connectionmgmt/services/akeyless/connections operation in the API playground, used to create a new Akeyless connection, includes the unnecessary parameters "meta", "products", and "category".
Workaround: Ignore these parameters. They do not affect the functioning of the Akeyless connection.

CipherTrust Transparent Encryption

KY-67193 Problem: CipherTrust Manager allows the key rules on active GuardPoints to be changed.
KY-62336 Problem: When creating an IDT GuardPoint on an ESG-enabled CTE for Windows client, IDT policies are not visible for selection.
Workaround: Use the API to apply IDT GuardPoints.
KY-62235 Problem: CTE GUI: When selecting group membership, the Select Groups field lists only 300 groups.
KY-59893 Problem: Signature rules are not copied to a cloned policy.
Workaround: On the policy details page, manually add the missing signature rules.
KY-59066 Problem: The Domain Level Usage for CTE Clients displayed on the Licensing page shows client usage for all domains instead of only the current domain.
KY-55739 Problem: When a CipherTrust Manager user who has only CTE Admins group permissions initiates a Quorum-dependent operation, a corresponding Quorum is created. After the required Quorum approvals, the operation is not triggered automatically in the background.
Workaround: Retry the operation after the required Quorum approvals have been given.
KY-55511, KY-55527, KY-55275, KY-55528 Problem: Simultaneous composite operations (for example, update and delete) are not supported for quorums.
KY-55273 Problem: If quorum is activated for client group deletion, bulk client group deletion generates multiple quorums in the pre-active state.
Workaround: Delete client groups individually.
KY-51759, KY-51754 Problem: When quorum is enabled and you delete clients or GuardPoints in bulk, the quorum is created in the pre-active state.
Workaround: Activate the quorum using the /v1/quorum-mgmt/quorums/{id}/activate API.
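As an added example (not Thales code and not from these release notes), the following script applies the workaround above to many quorums at once: after a bulk delete, it logs in and calls the activate endpoint for each quorum ID you pass in. It assumes, beyond what this page states, that activation is an HTTP POST with an empty body, that a bearer JWT is obtained from POST /v1/auth/tokens with a password grant and returned in a "jwt" field, and that the REST API is served under https://<host>/api; check these against the API reference for your release. The HTTP transport is injectable so the request construction can be verified without a live CipherTrust Manager.

```python
"""Activate quorums left in the pre-active state after a bulk delete
(KY-51759, KY-51754, KY-55273).

Added example, not Thales code. Assumptions not stated on the page:
activate is a POST with an empty body; the JWT comes from
POST /v1/auth/tokens (password grant, "jwt" field); the API lives
under https://<host>/api.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# A transport takes a prepared Request and returns the raw response body.
Transport = Callable[[urllib.request.Request], bytes]


def https_transport(cafile: Optional[str] = None) -> Transport:
    """Real transport: TLS with certificate verification. Pass the appliance
    CA bundle as cafile for a private CA; never disable verification, since
    the JWT travels in the Authorization header."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(req: urllib.request.Request) -> bytes:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()

    return send


class CMClient:
    def __init__(self, base_url: str, transport: Optional[Transport] = None):
        self.base_url = base_url.rstrip("/")
        self._send = transport or https_transport()
        self._jwt: Optional[str] = None

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = None if body is None else json.dumps(body).encode()
        headers = {"Accept": "application/json"}
        if data is not None:
            headers["Content-Type"] = "application/json"
        if self._jwt:
            headers["Authorization"] = f"Bearer {self._jwt}"
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=headers)
        raw = self._send(req)
        return json.loads(raw) if raw else {}

    def login(self, username: str, password: str, domain: Optional[str] = None) -> str:
        body = {"grant_type": "password", "username": username, "password": password}
        if domain:
            body["domain"] = domain  # assumption: optional domain for the token
        self._jwt = self._request("POST", "/v1/auth/tokens", body)["jwt"]
        return self._jwt

    def activate_quorum(self, quorum_id: str) -> dict:
        # Endpoint from the workaround; POST with an empty body is assumed.
        return self._request("POST", f"/v1/quorum-mgmt/quorums/{quorum_id}/activate")


def activate_all(client: CMClient, quorum_ids: Iterable[str]) -> Dict[str, str]:
    """Activate each quorum; keep going on failures and report per ID."""
    results: Dict[str, str] = {}
    for qid in quorum_ids:
        try:
            client.activate_quorum(qid)
            results[qid] = "activated"
        except urllib.error.HTTPError as exc:
            results[qid] = f"HTTP {exc.code}"
    return results


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python activate_quorums.py https://cm.example.test <user> <quorum-id>...
    cm = CMClient(sys.argv[1] + "/api")
    cm.login(sys.argv[2], getpass.getpass("CM password: "))
    for qid, outcome in activate_all(cm, sys.argv[3:]).items():
        print(f"{qid}: {outcome}")
```

Collect the quorum IDs from the quorum list in the UI or API after the bulk delete and pass them on the command line; the password is read interactively rather than from an argument so it does not land in shell history, and a failure on one quorum does not stop the others.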
KY-34329 Browsing VxVM raw devices that have a slash in their path names shows a non-existent directory in the GuardPaths.
Workaround: Create GuardPoints by manually entering the raw device paths.

Application Data Protection

KY-65796 Problem: If you attempt to create a duplicate Application Data Protection client profile with the same name as an existing client profile, the operation appears to fail with the error NCERRConflict: failed due to a conflict with the current state of the target resource. However, the client profile is created and is visible on the Access Management > Client Profiles page. You cannot select the duplicate when creating a new registration token.
Workaround: Disregard the duplicate Application Data Protection client profile.
KY-64797, KY-64804 Problem: If the name of an Access policy or Protection policy exceeds 256 characters, an error is returned.
KY-64541 Problem: The encoding mode of a Character Set cannot be updated in the UI.
Workaround: Use the PATCH /v1/data-protection/character-sets/{id} API to modify the encoding mode.
KY-62820 Problem: A single hex digit is accepted when creating a Character Set.
KY-56048 The delete application operation fails when the number of clients reaches 300.


KSCH-16415 The Host Name field on the Client Registration screen does not validate host availability.
Workaround: Add clients using the API.


KSCH-573 Encryption rules cannot be modified to reset the values of the include and exclude extension parameters.
KSCH-568 Encryption rules do not prevent specifying both the include and exclude extension parameters simultaneously.
KSCH-567 Modifying a file-level encryption rule to set the "isRecursive" flag does not return an error.
KSCH-564 Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress.

CipherTrust Intelligent Protection

KY-56816 Problem: The report shows a few files as unencrypted if the user reboots the machine during remediation.
Workaround: Run the scan again with the reclassify option, or run a full scan, to generate a correct report.
KY-55480 Problem: Cross-domain client registration does not work with CIP.
AGT-43391 Problem: Not all files are encrypted when a bulk rename is performed during remediation on Linux Local Storage with an STD/LDT policy.
Workaround: All remaining files are encrypted after the periodic CIP scan, which runs every 8 hours by default.
KY-36741 Problem: A tagged file becomes plaintext after a MOVE operation with an ACL and an STD policy on Linux.
KY-65540 Problem: PQS configurations are not visible in the GUI after saving the remediationconfig via the API using the ID/UUID for the knox_connection_identifier name.
Solution 1: Use the GUI to configure PQS.
Solution 2: Use the knox_connection_identifier name instead of the ID/UUID via the API.