Release Notes


Product Description

CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy, and key material for data discovery, encryption, on-premises, and cloud-based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.

Product Abbreviations

| Product | Abbreviation |
|---|---|
| CipherTrust Batch Data Transformation | BDT |
| CipherTrust Manager | CM |
| CipherTrust Application Data Protection | CADP |
| CipherTrust Cloud Key Manager | CCKM |
| CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
| CipherTrust Transparent Encryption | CTE |
| CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
| CipherTrust Teradata Protection | CTP |
| CipherTrust Data Discovery and Classification | DDC |
| Data Protection on Demand | DPoD |
| CipherTrust Tokenization | CT |
| CipherTrust Vaulted Tokenization | CT-V |
| CipherTrust Vaultless Tokenization | CT-VL |

Release Description

This release is available on the Customer Support Portal in the following formats:

  • An upgrade file for physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.

  • An upgrade file for KeySecure Classic k450 and k460 devices.

  • An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.

  • A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.

  • A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.

In addition, 2.5.x Virtual CipherTrust Manager is available on the following public clouds:

  • Amazon Web Services: SafeNet Cloud Provisioning System

  • Google Cloud

  • Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace

  • Oracle Cloud

  • IBM Cloud

    • An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.

    • A QCOW2 image file for deploying a new Virtual CipherTrust Manager on IBM Cloud Virtual Private Cloud Gen2.

2.5.x contains a number of new features and enhancements. Refer to Features and Enhancements for details. For the list of known issues, refer to Known Issues.

Features and Enhancements

Release 2.5.2

This release contains a critical security vulnerability fix, and KMIP interface bug fixes listed in Resolved Issues.

The release is available as a new virtual instance or an upgrade file on physical devices. The upgrade can be applied directly on CipherTrust Manager versions 2.5.x, 2.4.x, 2.3.x, and 2.2.x.

Security Vulnerability Fix

On upgrade to 2.5.1, some existing keys are incorrectly tagged as "global" keys. This allows the "global" user and users who belong to the Key Users group to potentially affect the integrity, confidentiality, and availability of those keys. If you are running release 2.5.1, we strongly recommend upgrading to 2.5.2 immediately. See security bulletin 20211015 for further details on the security vulnerability.

Upgrading from 2.5.1 to 2.5.2 disables access to all global keys. If you are starting from 2.5.1 and you make use of global keys, contact Thales customer support for assistance to plan the upgrade to minimize downtime.

KMIP Change

We removed the KMIP client certificate renewal feature to improve its quality. We will reintroduce this feature in a future release. KMIP clients that configured the feature in 2.5.1 will retain communication with CipherTrust Manager after upgrade, without interruption.

Release 2.5.1

On upgrade to 2.5.1, some existing keys are incorrectly tagged as "global" keys. This allows the "global" user and users who belong to the Key Users group to potentially affect the integrity, confidentiality, and availability of those keys. If you are running release 2.5.1, we strongly recommend upgrading to 2.5.2 immediately. If you currently use global keys, please contact Thales customer support to plan an upgrade from 2.5.1 to 2.5.2. See security bulletin 20211015 for further details on the security vulnerability.


  • Support for Microsoft Edge 91.0.864.37 or later

  • Security review and enhancement of the shell access for the ksadmin user

  • Support for Quorums for the DeleteKey operation

  • Support for revocation of certificates signed by Local CA using Certificate Revocation List (CRL)

  • Support for trusting proxy server's certificate for outgoing connections

  • Secure transfer of system backups from the CipherTrust Manager to the external servers over SCP

  • Migration of ProtectDB resources (database connections and error replacement values) from KeySecure Classic

  • Support for Subject Alternative Name (SAN) field in the local CA and server certificate in the cloud-init configuration file

  • Harmonization of key states across all interfaces.

    • The state field now defines state in all interfaces.

    • The naeState field in the meta attribute for a key in the REST API, GUI, and CLI is no longer valid and is not used to set an independent NAE-XML state. Only the NAE-XML interface can be used to update the NAE-specific states using the <KeyVersionState> element. All NAE-XML values for <KeyVersionState> map to an equivalent key state and no longer operate independently. Changing a <KeyVersionState> also changes the key state in all other interfaces, and changing a key state in any other interface also changes the <KeyVersionState> in NAE-XML.

    • After upgrade, some states are altered to reflect the new harmonization. In most cases, allowed operations remain the same before and after upgrade, so key usage is not disrupted. See the advisory note for details on the state remapping related to upgrade.

    • You can now reactivate a deactivated key through the REST API or CLI. This provides functionality equivalent to the previous NAE state transition of moving a key from a Retired state to an operational Active state. KMIP does not allow this state transition, so you cannot reactivate a key through the KMIP interface.


  • Ability to create LDT GuardPoints on CIFS/SMB paths on a single node using CSV

  • Ability to upload and replace signed Compatibility Matrix files to the CipherTrust Manager

  • Migration of IDT resources from a DSM backup file

CTE resources of LDT, Efficient Storage, and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.5 using the backup/restore method. The Container policies are supported only on the DSM. Migration of LDT and Efficient Storage resources will be supported in a future release. However, the LDT resources can be manually created on the CipherTrust Manager.


  • Full support for Google Cloud Customer-Managed Encryption Keys (CMEK) and Google Cloud External Key Manager (EKM) services.

    • Designation changed from "technical preview" to "fully supported", meaning that these services are now suitable to integrate into production environments.

    • CLI support for EKM commands

    • Ability to rotate the Key Encryption Key associated with an endpoint

    • Licensing associated with Google Cloud Project. You can add a Google Project ID to CipherTrust Manager. When Google EKM service makes wrap and unwrap requests to CipherTrust Manager, CipherTrust Manager checks that the project ID in the request matches one of the project IDs registered with the appliance. One Google Cloud project consumes one CCKM license cloud unit.

  • Support for Terraform automation

  • Support for functional module enabled Luna Network HSMs

  • Ability to append rotation date to AWS key alias (manual and automated schedules)

  • Enhancements in AWS policy management


  • Custom Infotypes: Support for adding advanced expressions and ability to edit them in the Expert View.

  • Removal option for Datastores, Classification Profile and Reports - DDC basic functionality (CRUD) completeness.

  • New Data Store Types:

    • MySQL

    • Teradata

    • MongoDB

    • Azure Tables

Resolved Issues

This table lists the issues resolved in 2.5.2.

| Issue | Synopsis |
|---|---|
| KY-34975 | Problem: Physical appliance k470 and k570 only: Downgrading a CM 2.5.0 or 2.5.1 then upgrading back to the same version, or upgrading from 2.5.0 to 2.5.1, will fail to boot after reboot, resulting in an unusable appliance. Resolution: Upgrade to and downgrade from 2.5.2 or higher does not result in failure to boot. If you are at 2.5.0, 2.4.x, 2.3.x, or 2.2.x, it is recommended to upgrade directly to 2.5.2 and skip 2.5.1. |
| KY-34684 | After upgrade to 2.5.1, some existing keys are incorrectly tagged as "global" keys. This allows the "global" user and users who belong to the Key Users group to potentially affect the integrity, confidentiality, and availability of those keys. |
| KY-33943 | For the CipherTrust Manager integration of Nutanix over KMIP, you cannot upload client certificates onto the Nutanix cluster. |
| KY-32926 | After upgrade to 2.5.1, NAE and KMIP interfaces do not come up if KMIP clients are registered in domains other than root domain. |

This table lists the issues resolved in 2.5.1.

| Issue | Synopsis |
|---|---|
| KY-30293 | If you upgrade from version 2.2 to version 2.3 or 2.4, CipherTrust Manager sets the DNS based on the local DHCP server, even if a static IP is defined for eth0. |
| KY-30178 | If you create a Local CA signed by an External CA, and attempt to install the signed CA certificate via the CipherTrust Manager web console GUI, the installation fails with the error NCERRInvalidParamValue. |
| KY-29408 | SNMPv1/v2c trap/inform sent to the SNMP management stations includes double-quotes to the configured community name. For example, if the management-station's community name is mycommunity, then the trap/inform is sent with the community name as "mycommunity". |
| KY-29059 | If you have configured a proxy host with a password, and you make any change to any setting in the web console GUI section Admin Settings > Proxy, the existing password is overwritten. |
| KY-28934 | Problem: Upgrading from 2.1 or earlier causes existing LDAP group maps to no longer apply due to a change in how the user_dn_field is interpreted. Users lose membership in groups that are LDAP mapped. Resolution: You can upgrade to 2.5.1 from 2.2, 2.3, or 2.4. From version 2.2 forward, CipherTrust Manager uses the user_dn_field property to test for user equality, so there is no change to LDAP group maps upon upgrade. We recommend leaving the user_dn_field property empty, or setting it to dn. |
| KY-28226 | Problem: A system with multiple network interfaces may swap device names and MAC addresses between boots. For example, eth0 has MAC address a8:a1:59:0a:f5:01 and eth1 has MAC address a8:a1:59:0a:f5:02. On the next boot, eth0 has MAC address a8:a1:59:0a:f5:02 and eth1 has MAC address a8:a1:59:0a:f5:01. Resolution: Solved in new installations of 2.5. Upgrades from 2.4 sometimes still exhibit this problem. |
| KY-28221 | If CipherTrust Manager loses connection to its root of trust HSM, no alarms are raised and nothing is recorded on the syslog. The loss of connection means that if you reboot the CipherTrust Manager or restart its services, all CipherTrust Manager services become unavailable. |
| KY-27889 | If you upgrade, an error is displayed: Job for ssh.service failed because a timeout was exceeded. |
| KY-26914 | External CAs do not allow you to use a comma , in the Distinguished Name (DN). Resolution: You can now use a backslash \ to escape a comma in the DN. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value. |
| KY-26761 | Upgrade to CipherTrust Manager 2.2.0 can sometimes cause login to fail for LDAP-authenticated users with the error "Ambiguous result, multiple users found using search filter." when group mapping is configured. |
| KY-25517 | If you attempt to delete a certificate in the GUI, you are erroneously presented with a confirmation to delete the Certificate Authority (CA). Deleting a certificate and deleting a CA are two different operations. Note: Confirm deletion of the CA to proceed with deleting the certificate. This action does not actually delete a CA. |
| KY-25395 | NTP servers configured through DHCP overwrite local CipherTrust Manager NTP server configuration. |
| KY-24503 | CTE UserSpace license does not renew expired ProtectFile licenses. |
| KY-24292 | Performance of crypto operations through the NAE-XML interface degrades over a long, continuous run (upwards of 6 hours). |
| KY-24102 | Client can authenticate with expired password if the CipherTrust Manager is not restarted. |
| KY-23791 | UI: All the Azure Key Vaults are not displayed while updating the scheduler for Azure. |
| KY-23790 | UI: All the AWS KMS Accounts are not displayed while updating the scheduler for AWS. |
| KY-23732 | CCKM Users cannot delete backup even if they are granted the "Delete Key Backup" permission on the Azure key vaults. |
| KY-23664 | If you join a node into a cluster and then restart the joining node, you cannot list or access any backup keys on that node. Attempting to upload an existing backup key in this state results in NCERRResourceAlreadyExists: Resource already exists. Restoring a backup with a backup key in this state results in the error aesgcm open error: cipher: message authentication failed. |
| KY-23623 | If you restore a previous version and then attempt to create a new cluster on the local node using the cluster new operation, the creation fails. |
| KY-23289 | Luna HSM Connection Manager: Downloaded client certificate file is named incorrectly as, <cm-ip-address>.pem. |
| KY-23056 | HSM UI: Recently created Luna HSM keys are not visible. |
| KY-22641 | NAE: State changes of a key are not updated on the NAE tab. |
| KY-22639 | NAE: State of an Active key is displayed as N/A on the NAE tab. |
| KY-22633 | When certificate authorities are migrated from KeySecure Classic, the revoked certificate fields do not update. |
| KY-26650 | Missing fields - Sensitivity Level and Location - in the Data Store tab of reports. |
| KY-26837 | All the Data Objects coming from an Exchange Online datastore are cataloged as "Other" in the extensions charts in the Scan tab. |
| KY-28125 | Scans with more than 400K Sensitive Data Objects may fail with "Internal Error". |
| KY-16274 / KY-16598 | A scan with one or more custom infotypes fails with "Internal Error". |
| KY-22908 | All new scan executions fail with 'internal error' when we run a scan after the data allowance is exhausted. |

Advisory Notes

This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.

2.5.1 only: NAE and KMIP Interfaces Unavailable After Upgrade for Some KMIP Client Configurations

If KMIP clients are registered in domains other than the root domain, upgrading to 2.5.1 results in the NAE and KMIP interfaces becoming unavailable. If you have KMIP clients registered in non-root domains, upgrade directly to 2.5.2, skipping 2.5.1.

Some Key States Change After Upgrade

After upgrade to 2.5.x from 2.4, 2.3, or 2.2, some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.

  • When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.

  • When a key has an NAE state of Restricted and the Protect Stop Date is set in the future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.

  • When a key has an NAE state of Active and Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.

  • When a key has an NAE state of Active and Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.

  • When a key has a state of Deactivated before upgrade, its state will be unchanged after upgrade. However, the allowed operations for the Deactivated state change for 2.5.x. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.
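
The remapping rules above, written as an upgrade-planning check (an added example, not Thales code): it predicts each key's post-upgrade state and flags keys that will allow no cryptographic operations or that the advisory does not cover. The KeyRecord fields, key names, and upgrade time are constructed assumptions, not a CipherTrust Manager export format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Operation sets, named after the wording of the advisory.
NO_OPS = frozenset()
PROCESS_ONLY = frozenset({"decrypt", "verify_signature", "unwrap", "verify_mac"})
ALL_OPS = frozenset({"*"})  # stands for "all cryptographic operations"


@dataclass(frozen=True)
class KeyRecord:
    """Hypothetical inventory row; the field names are assumptions."""
    name: str
    state: str  # pre-upgrade state: Retired, Restricted, Active, Deactivated
    activation: Optional[datetime] = None
    protect_stop: Optional[datetime] = None
    deactivation: Optional[datetime] = None


@dataclass(frozen=True)
class Outcome:
    state: str          # predicted state after upgrade to 2.5.x
    allowed: frozenset  # operations allowed right after upgrade
    note: str


def remap(key: KeyRecord, upgrade_time: datetime) -> Optional[Outcome]:
    """Apply the five advisory rules; return None for cases the advisory omits."""
    def in_future(d: Optional[datetime]) -> bool:
        return d is not None and d > upgrade_time

    if key.state == "Retired" and in_future(key.deactivation):
        return Outcome("Deactivated", NO_OPS, "deactivated immediately upon upgrade")
    if key.state == "Restricted" and in_future(key.protect_stop):
        return Outcome("Active", PROCESS_ONLY, "Protect Stop Date set to upgrade time")
    if key.state == "Active" and key.activation is None:
        return Outcome("Active", ALL_OPS, "Activation Date set to upgrade time")
    if key.state == "Active" and in_future(key.activation):
        return Outcome("Pre-Active", NO_OPS,
                       "no operations until " + key.activation.isoformat())
    if key.state == "Deactivated":
        return Outcome("Deactivated", NO_OPS,
                       "loses decrypt/verify/unwrap/MAC verify; re-activate and "
                       "set ProtectStop to restore")
    return None


def review_list(keys, upgrade_time):
    """Keys that need an owner's decision before the upgrade window."""
    flagged = []
    for key in keys:
        outcome = remap(key, upgrade_time)
        if outcome is None:
            flagged.append((key.name, "not described in the advisory; check manually"))
        elif outcome.allowed == NO_OPS:
            flagged.append((key.name, f"{outcome.state}: {outcome.note}"))
    return flagged


# Constructed sample inventory and planned upgrade time.
UPGRADE_TIME = datetime(2021, 10, 20, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    KeyRecord("archive-2019", "Retired",
              deactivation=datetime(2022, 6, 1, tzinfo=timezone.utc)),
    KeyRecord("legacy-decrypt", "Restricted",
              protect_stop=datetime(2022, 1, 1, tzinfo=timezone.utc)),
    KeyRecord("app-db", "Active"),
    KeyRecord("next-quarter", "Active",
              activation=datetime(2022, 1, 1, tzinfo=timezone.utc)),
    KeyRecord("old-backup", "Deactivated"),
    KeyRecord("retired-past", "Retired",
              deactivation=datetime(2020, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for name, reason in review_list(SAMPLE_KEYS, UPGRADE_TIME):
        print(f"{name}: {reason}")
```
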

ECIES Decryption Can Fail After Upgrade in Rare Cases

If you encrypted data with ECIES at version 2.2 or 2.3, you might not be able to decrypt the data with the same EC key after upgrade to 2.5.x. This is because, in very rare cases, the ECIES function of the NAE interface incorrectly derived an encryption and authentication key due to incorrect padding. Release 2.4.x and 2.5.x fix this rare incorrect key derivation, which means that the derived key can be different from previous releases, and decryption operations can fail. If you have trouble decrypting with an EC key after upgrade, decrypt the data with an older version of CipherTrust Manager and re-encrypt it with CipherTrust Manager version 2.5.x.

System Upgrade and Downgrade Supported Releases

Direct system upgrades on a single device have been tested from releases 2.2.x, 2.3.x, 2.4.x, and 2.5.x.

Upgrades from other versions have not been tested and may not work correctly.

CipherTrust Manager 2.5.x can be downgraded to 2.4.0. For release-specific upgrade/downgrade information, refer to the release notes for your release.

Refer to the System Upgrade page for instructions to perform an upgrade or downgrade on a single device.

Refer to the Cluster Upgrade section for instructions to perform an upgrade on a cluster of devices.

Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.

SSH Key Fingerprint Change After Upgrade

Upgrading to 2.5.x from version 2.2 introduces a new SSH server key, which uses the stronger ED25519 algorithm in place of the existing RSA key. If you upgrade the CipherTrust Manager and then SSH to the appliance as ksadmin, you might be presented with a warning that the fingerprint has changed. This warning is expected and can be safely disregarded.

If you want to verify the presented SSH key fingerprint, you can also log into the console through a serial cable (for physical appliances) or your virtual platform's console access tools. The console displays all of the SSH key fingerprints.
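
One way to perform the verification described above, as an added example that is not part of the Thales documentation: it computes the OpenSSH-style SHA256 fingerprint of the host key the appliance presents and compares it with the value read from the console. It assumes the console shows fingerprints in the `SHA256:<base64>` form; the host name and key bytes are constructed.

```python
import base64
import hashlib
import struct

# Public key algorithm names that may appear in a known_hosts or ssh-keyscan line.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_public_key_line(line: str):
    """Return (key_type, blob) from 'host type base64 [comment]' or 'type base64'."""
    fields = line.split()
    for i in range(len(fields) - 1):
        if fields[i] in KEY_TYPES:
            key_type = fields[i]
            blob = base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no SSH public key found in line")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the algorithm name;
    # a mismatch means the line was altered or mis-copied.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH format: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(scanned_line: str, console_fingerprint: str,
                     expected_type: str = "ssh-ed25519") -> bool:
    """True only if the presented key has the expected type and fingerprint."""
    key_type, blob = parse_public_key_line(scanned_line)
    if key_type != expected_type:
        return False
    return sha256_fingerprint(blob) == console_fingerprint.strip()


def constructed_key_line(key_type: str, key_bytes: bytes,
                         host: str = "cm.example.test") -> str:
    """Build a sample line; not a real appliance key."""
    name = key_type.encode("ascii")
    blob = (struct.pack(">I", len(name)) + name +
            struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{host} {key_type} {base64.b64encode(blob).decode('ascii')}"


# Constructed sample standing in for the key line captured after the upgrade.
SAMPLE_LINE = constructed_key_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    kt, blob = parse_public_key_line(SAMPLE_LINE)
    print(kt, sha256_fingerprint(blob))
```

Accept the new host key in `known_hosts` only when `host_key_matches` returns True for the fingerprint copied from the serial or virtual console.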

Default TLS Setting Can Cause Loss of KMIP/NAE/Web Connection After Upgrade

As compared to release 2.2, the 2.5.x release introduces changes to the TLS ciphersuites associated with the KMIP, NAE, and web interfaces. When you upgrade, the existing TLS ciphersuites for these connections might not be included in the 2.5.x default TLS ciphersuites, which results in a loss of connection to the interface. CBC-based ciphersuites, for example, are disabled upon upgrade from 2.2 to 2.5.x.

For security reasons, we recommend that you ensure clients of your KMIP, NAE, and web interfaces use one of the 2.5.x default TLS ciphersuites before upgrade.

If you cannot change the TLS ciphersuites for your clients, plan for some downtime for the interface(s) after upgrade. After upgrade, you can manually enable the previous ciphersuites to restore the connection.

Clusters with a Large Number of Transactions

Clusters that support a large number of transactions should have audit logging disabled and only syslog should be used for capturing audit logs. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.

To disable local audit logging

Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:

$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false

If configured, audit logs will still be sent to a syslog server.

Cluster Synchronization

Correct cluster synchronization relies on all nodes in a cluster having the same time. It is strongly advised to use NTP to set the time in a new node before it joins a cluster. NTP settings are not copied between nodes - they must be set individually for each CipherTrust Manager server.

Protect the ksadmin Private SSH Key

The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.

TLS/SSL Must be Enabled in a Production System

As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.

Clusters with DDC

  • Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.

  • DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (and return the impression that DDC fails randomly).

DDC Licensing

Overlapping licenses are not supported (except for the trial license).

DDC Scalable Reports Processing

Previous DDC versions needed PQS and HDFS Hadoop services, but starting from version 2.4 DDC requires HDFS and Livy. Refer to the latest Thales Data Platform Deployment Guide for information on how to install Spark, Livy and Tez and DDC Deployment Guide for configuring them in CipherTrust Manager.

It is mandatory to have TDP version or later prior to upgrade DDC.

As DDC no longer uses PQS to store new data, it is no longer possible to modify its configuration through the UI. Please use the API if you need to update the Knox hostname, credentials or TLS certificate. The upgrade will not delete any data stored in PQS. Please consider deleting it when you no longer need access to legacy reports.

The Hadoop settings (HDFS and Livy) must be added as if it were a fresh deployment. The HDFS settings that the user had up to now are not kept, but the PQS settings are automatically stored to make sure the information stored for scans and reports is not lost. For the HDFS connection, it is recommended to configure a different HDFS folder.

The scans created in the DDC Scans section are stored but the executions cannot be used for new reports. The user will have to run the scans to make new reports for these scans. It is not possible to create new reports for the scan executions that were completed with a previous DDC version. The reports that were generated using a previous DDC version are accessible and will be marked with an "L" icon, which means that it is a legacy report and cannot be updated any more. For the reports generation, the user will need to run new executions of the scans, since the legacy scan executions cannot be used. The user will notice that after an upgrade, when trying to generate new reports, scan executions completed with a previous DDC version are not displayed in the reports wizard.


This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.

TLS Compatibility

This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

| Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
|---|---|---|---|
| Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
| NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |

TLS 1.0 and TLS 1.1 support will be discontinued in a future release.

By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:

  • TLS_AES_256_GCM_SHA384 (TLSv1.3)

  • TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)

  • TLS_AES_128_GCM_SHA256 (TLSv1.3)





TLS Deprecation Notices

  • Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.

  • Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:











Client Platforms

The following client platforms are supported by the CipherTrust Manager.

Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.

For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.

CipherTrust Application Data Protection

  • ProtectApp JCE: minimum version 8.6.1

  • ProtectApp .NET: minimum version 8.11.0

  • ProtectApp ICAPI: minimum version 8.10.0

  • ProtectApp Oracle TDE: minimum version 8.9.0

  • ProtectApp SQL EKM: minimum version 8.3.2

CipherTrust Cloud Key Manager

Minimum version

CipherTrust Database Protection

  • ProtectDB Oracle: minimum version 8.8.0

  • ProtectDB SQL: minimum version 8.9.0

  • ProtectDB DB2: minimum version 8.7.0

  • Transformation Utility: minimum version 8.4.3

CipherTrust Transparent Encryption

Minimum version 7.0.0

CipherTrust Transparent Encryption UserSpace

Minimum version 9.0.0

CipherTrust Vaulted Tokenization

  • Tokenization Manager: minimum version 8.7.1

  • Vaultless Tokenization Manager: minimum version 8.8.0

CipherTrust Batch Data Transformation

Minimum version

CipherTrust Vaultless Tokenization

Minimum version

CipherTrust Teradata Protection

Minimum version


Minimum version 8.10.11


Minimum version 4.7.3

Data Discovery and Classification Agents

Linux minimum kernel version is 2.6.

There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.x. If you are upgrading from a version older than 2.4, please refer to Upgrading Agents.

ODBC driver for Microsoft SQL: To connect to Microsoft SQL, DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. Thus, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.

TDP Version Compatibility

Data Discovery and Classification requires TDP or newer.

Known Issues

This section lists the issues known to exist in the product at the time of release.

CipherTrust Manager

KY-40418Problem: After migrating local CAs from KeySecure to CipherTrust Manager, the connection between KMIP client and CipherTrust Manager could not be established. The same issue also occurs when there is serial number conflict in external CAs.
Workaround: Add the migrated local CA as an external CA on the CipherTrust Manager.
KY-39821Problem: If a KeySecure Classic backup contains certificates that have been revoked and then resumed, the CipherTrust Manager shows them as revoked certificates after migration.
KY-38690Problem: Migration of data from KeySecure Classic to CipherTrust Manager fails and throws an error if any certificate has been revoked or resumed on a single digit date on the KeySecure Classic before taking backup. For example, 2 Feb 2022.
Workaround: Identify the certificate that has been revoked or resumed on the single digit date on the KeySecure Classic, exclude the corresponding CA that has signed that certificate from the backup.
KY-39818Problem: The links of the keys (XTS/RSA) get deleted from the source domain when the key backup is restored on the destination domain of the same CipherTrust Manager.
KY-39268Problem: For the auto-registered KMIP clients created before 2.0 release, the KMIP services do not start after upgrading them to 2.5 or later releases.
Workaround: Delete that auto-registered client created before 2.0 release and again perform auto-registration using the same certificate and key.
KY-19730The CipherTrust Manager registers duplicate clients with KMIP auto registration enabled.
KY-38321Problem: When a database connection is migrated from KeySecure Classic to the CipherTrust Manager, the Service Name field does not migrate, which leads to the database connection failure.
Workaround: On the CipherTrust Manager:
1. Manually edit the database connection.
2. Select Service Name instead of SID.
KY-34975Problem: Physical appliance k470 and k570 version 2.5.0 and 2.5.1 only: Downgrading a CM 2.5.0 or 2.5.1 then upgrading back to the same version, or upgrading from 2.5.0 to 2.5.1, will fail to boot after reboot, resulting in a unusable appliance.
Workaround: Upgrade to 2.5.2 or later.
KY-34965Problem: The kscfg system factory-reset command fails with the error /bin/sh: permission denied.
Workaround: Use sudo /opt/keysecure/ to execute the command instead.
KY-31908Problem: Creating a domain-scoped backup with a user in the Domain Backup Admins group does not include all the domain keys in the backup.
Workaround: Add the user performing a domain-scoped backup to the Read Only Admins group.
KY-31887Problem: If you do not change the default SSH key upon installing a Trusted Cyber Technologies (TCT) CipherTrust Manager k570 appliance or upgrading a KeySecure k460 or k560 with a 2.5.x ISO file, you are prompted for the ksadmin password on every reboot.
Workaround: Change the ksadmin password, reboot, and then replace the default SSH key.
KY-31961Proxy setting: Test connection returns error without a server certificate for https_proxy.
Workaround: None. Configure proxy without proxy test (using CLI/API), and then verify whether the CipherTrust Manager features work as expected.
KY-31171If you add a new SCP connection through the web console GUI, and try the Test connection button, CipherTrust Manager displays the error NCERRResourceNotFound: Resource not found.
Workaround: Use ksctl connectionmgmt scp test --id <connection-name-or-id> to test the new connection.
KY-31122Problem: If you perform a kscfg system reset on a k570 device and then attempt to upload a backup key, the operation fails with the error that the backup key already exists, even if no backup keys are displayed in the web console GUI.
Workaround: Use ksctl backupkeys delete --id <duplicate_backup_key> to delete the duplicate backup key and then re-attempt to upload the backup key.
KY-31116, KY-31114Problem: If an admin enables a quorum policy on any domain, and a key admin of that domain logs into the web console GUI and views the quorum settings, the quorum policy is displayed as disabled and the error NCERRResourceNotFound: Resource not found is displayed.
Workaround: While the quorum feature is considered a technical preview, only admin level users have permissions to access and configure quorums. Log in as a user with admin permissions to try any quorum functionality.
KY-31024Problem: In the web console, there is an option to take an SCP backup for domain-scoped backups. SCP backups are only supported for system backups this release.
Workaround: Check the scope of a backup before attempting to use SCP backups. Do not rely on the SCP backup feature for domain-scoped backups.
KY-27984The PQS Services page does not fetch resource information on the CipherTrust Manager GUI.
The PQS service will be available with DDC in a future release.
KY-27897SaltLength with zero (0) value is not supported for Sign/SignV operations using RSA PSS padding.
KY-27805, KY-28689Problem: SNMPv3 requests fail with the error security service 3 error parsing ScopedPDU for users configured with AES-192 or AES-256 privacy protocol. This error is seen with SNMP applications, including SolarWinds Network Performance Manager, which use the nonstandard Cisco AES key extension implementation for 192 and 256 bit key length. CipherTrust Manager 2.7 and below only supports the Blumenthal implementation for these key lengths.
Workaround: Set SNMP users to AES-128 privacy protocol instead. In CipherTrust Manager CLI and API, this value is called AES. CipherTrust Manager 2.8 will support Cisco implementation privacy protocols AES-192-C and AES-256-C.
KY-27450Local Certificate Authorities (CAs) do not allow commas (,) in any of the fields.
Workaround: Configure an External CA instead. Use a backslash (\) in the Distinguished Name (DN) while creating a user if you are using certificate-based login. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value.
All other printable characters are allowed, as per RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definitions of the RFC.
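The backslash escaping in the DN workaround above, as an added Python example (not Thales code). It assumes the DN string follows the RFC 4514 string form; the release note itself only shows the comma case, and the function names and the SAMPLE list are constructed for illustration.

```python
# Added example (not Thales code): RFC 4514 escaping for DN attribute values.
SPECIALS = set('",+;<>\\')          # characters that must be backslash-escaped
HEX = set("0123456789abcdefABCDEF")

def escape_value(value):
    """Escape one attribute value for use inside a DN string."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIALS or (i == 0 and ch in " #") \
                or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def unescape_value(raw):
    """Reverse escape_value; accepts single-char and hex-pair escapes (ASCII)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i]); i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("dangling backslash")
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and set(pair) <= HEX:
            out.append(chr(int(pair, 16))); i += 3
        else:
            out.append(raw[i + 1]); i += 2
    return "".join(out)

def build_dn(pairs):
    """Join (attribute, value) pairs into a DN with escaped values."""
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in pairs)

def split_dn(dn):
    """Split on unescaped commas only; multi-valued RDNs ('+') are not handled."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\":
            buf.append(dn[i:i + 2]); i += 2   # keep the escape pair intact
        elif dn[i] == ",":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(dn[i]); i += 1
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        attr, sep, raw = rdn.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr, unescape_value(raw)))
    return pairs

# Constructed sample, matching the accepted value quoted in the release note.
SAMPLE = [("C", "IN"), ("ST", "UP"), ("L", "Noida"),
          ("O", "Thales,INC"), ("OU", "ENC"), ("CN", "test")]
```

An unescaped comma in the organization name makes the DN parse as seven components instead of six, which is why `split_dn` rejects `C=IN,O=Thales,INC`.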
KY-26867User password over NAE-XML does not accept the ampersand character, &.
KY-25152You cannot pass in a custom SSH key via cloud-init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances.
Workaround: Log in to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login.
KY-20310When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error.
Workaround: Disregard the timeout error.
KY-17662In-place cluster upgrade does not enforce upgrading only one version.
KY-17338KMIP: LDAP users cannot be set in the KMIP profile.
Workaround: To use LDAP authentication, use the KMIP auto registration.
KY-13617Domain scoped backup fails to restore on another domain when a key with the same name and version already exists.
Workaround: To handle this issue, try either of the following:
  • Retain both keys.
    1. Take the backup without the conflicting key with filters.
    2. Export/import the key material and import it separately.
  • Retain only the backup key.
    1. Delete the key with duplicate name on the restore system.
    2. Restore the domain scoped backup.
KY-13343Uploading an existing backup results in error but is displayed in the list with status "Uploading".
Workaround: Delete the backup using the "uploadID" as backup ID.
KY-12602Manual page refresh is required to show the Pending CAs list.
KY-11517[ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding.
KY-11498When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an LDAP user cannot log on to it.
KY-7289When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode.
Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.
KY-7288When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations, the AuthenticatedEncryptionTag is returned appended to the CipherText.
Workaround: For migration use cases, when using AES-GCM with KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.
After migration to CipherTrust Manager, the AAD tag is not appended to the data. It is sent as a separate tag.
KY-7258NAE and KMIP might not be connectable after cluster join.
Workaround: Restart the newly joined node or at a minimum restart the KeySecure service. Restart the service either from the UI or by running ksctl services restart.
KY-7193Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups.
Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created.
KY-6383Users with a pipe in their user names (for example, user1|something) cannot log on using NAE/KMIP.
KY-3670In rare cases, a cluster join operation can fail, leaving the joining node in a bad state.
Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join.
If you still cannot log on to the node:
  1. ssh in as the ksadmin user.
  2. Reset the node by running the ksctl reset command.
KY-2482(was NC-3480) Signing with EC keys does not work via the REST API.
KY-2423(was NC-2318) KMIP: Result Reason may not be accurate or have enough detail.
KY-2418(was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves.
KY-1397(was NC-2253) Last Login and Logins count are not updated for global user.
KY-1396(was NC-2256) Group membership change for yourself does not take effect until after re-login.
KY-1394(was NC-2260) Trying to mark a shared key deletable or exportable by non-admin user returns: NotFound error. The error should be: insufficient permissions.
KY-1373(was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used.
KY-1270(was NC-3567) User Admin should not have authority to manage system groups.
KY-1199(was NC-3904) Trimming of audit table (at 10 million records) takes significant time and causes temporary performance issues.
Workaround: Disable audit table logging for a very active cluster.
KY-1166(was NC-4098) NAE/KMIP multiport iptables rules are not replicated.
Workaround: Perform NAE restart on each node.
KY-504Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster.
NC-3573Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT.
Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface.
NC-3572Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager.
Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration.
Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface.
NC-2063If a user is deleted (or LDAP connection name changes), they fail to display in the keys table.

CipherTrust Cloud Key Manager

KY-31186Problem: If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate.
Workaround: Add an exception with no_proxy, or use the proxy with username and password, and restart the services.
KY-31117If you log into the CipherTrust Manager web console as a user with Key Admin level permissions, and click on the Cloud Key Manager tile, the errors unable to get sync status on AWS KMS and Unable to retrieve AWS account list. are displayed. By design, Key Admins do not have permission to configure AWS connections, but the AWS connection data should still update.
Workaround: Log in as a root admin to view AWS connection data.
KY-31058The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work.
KY-31027Problem: If you add a proxy exception before any proxy hosts, and attempt to delete the exception, the operation fails.
Workaround: Add a proxy host before adding proxy exceptions.
KY-27583CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state.
This happens when the scheduler expires due to some network issues or reboot of the CipherTrust Manager. The scheduled job remains in the running state.
Workaround: Delete the running and scheduled jobs from the API playground, and retry.
KY-27499If you update the hostname for a Google Cloud EKM endpoint, the URI format is invalid, and Google KMS cannot use the URI to perform wrap or unwrap operations.
Workaround: Manually update the URI in Google Cloud KMS to the following format: https://<updated_host_name>/api/v1/cckm/ekm/endpoints/<endpoint-id>
KY-17446When rotating a key using the GUI, a new version of an existing CipherTrust Manager key cannot be created. The key can only be rotated to an existing version.
Workaround: Manually create a new version of the key and rotate the key. To do so:
  • Open the Keys & Access Management application.
  • Create a new version of the key.
  • Rotate the key.
KY-17213When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global".
Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group.
KY-42033Unable to use the key version created through CCKM for Azure SQL EKM.
This issue will be resolved in CipherTrust Manager v2.8.0.

CipherTrust Database Protection

PDB-3293If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work.

CipherTrust Data Discovery and Classification

KY-9098DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails.
Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store.
KY-9104Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI.
Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent.
KY-9399The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object is displayed in the Data Objects tab in the UI. You should ignore it.
KY-8990Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed.
Workaround: Configure an NTP server for DDC and all Agent hosts.
KY-24205The Agent selection will fail if no compatible Agent is found, or if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store.
Solution: For possible solutions, check the following:
  • Make sure a compatible Agent is properly installed. Check the compatibility table in the “Agent Configurations” section in the “DDC Deployment Guide”.
  • For a local Data Store, make sure that the Agent is installed on the same host where the Data Store is located.
  • For remote connections, make sure that the network connectivity between the Agent and the Data Store is not blocked by a network firewall.
  • Verify the configured credentials, and make sure that they have permission to connect and read the Data Store contents.
  • Once you have confirmed that the Agent is up and has connectivity, go back to DDC and click the "Find Agent" button for the Data Store with the issue.
  • Make sure that you do not have two (or more) Agents with the same hostname (for example, as a result of VMs cloning).
  • Configure the Data Store using a hostname, instead of an IP Address.
None of the clustered nodes responds to requests to DDC.
DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. This will be improved in future releases.
  • Run ksctl ddc active-node to identify the CipherTrust Manager node responsible for answering DDC requests and send the requests to the indicated IP. If this does not work, please restart the CipherTrust Manager node with that IP.
  • If the node identified by ksctl ddc active-node does not answer DDC requests correctly or is no longer active, contact Thales Customer Support.
KY-22666DDC cannot scan files that are bigger than 512MB for AWS S3 and Azure Blob Data Stores.
Scanning large files (larger than 512 MB) on "remote (cloud)" Data Stores fails with an "error processing scan" error. Those files are marked as 'inaccessible' in the report or the scan fails with an "error processing scan". The user has no way to identify the issue from DDC.
Possible Workarounds:
  • Download large files to a local storage, and run the scan on this local storage data store.
  • Contact Thales Customer Support for other possible solutions.
KY-13618Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted.
When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled.
Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost.
KY-19763OracleDB and IBM DB2: uppercase schema/table name issues.
A user cannot launch an Oracle/DB2 scan if the schema or table was created in lowercase and DDC is configured with lowercase.
Workaround: Set the target path in uppercase.
KY-21981Postgres tables without primary keys are not completely scanned.
DDC can only scan Postgres tables if they have at least one primary key defined.
Workaround: Configure at least one primary key in the tables and run the scan again.
KY-30756A scan with one or more custom infotypes fails with "Internal Error" when it contains a Custom Infotype from CM 2.4.
This may happen when a custom infotype, created in CM 2.4, contains an expression with a format too complex to interpret.
Workaround: Edit the Custom Infotype to verify if the expression is valid.
KY-27095The PostgreSQL Agent selection fails as if there were no compatible Agent, or as if no compatible Agent could reach the Data Store. DDC does not support the scram-sha-256 authentication method.
Workaround: Create the user with 'md5' password encryption by specifying the hash of the password at user creation, as in CREATE USER <user name> PASSWORD 'md5<password hash>';
For example, to create a user named 'u0' with the password 'foobar' (md5('foobar') = ac4bbe016b808c3c0b816981f240dcae) use the following command: CREATE USER u0 PASSWORD 'md5ac4bbe016b808c3c0b816981f240dcae';
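How the 'md5' password string for the workaround above can be generated and checked, as an added Python example (not Thales or PostgreSQL project code). PostgreSQL builds this string as md5 followed by the MD5 hex digest of the password concatenated with the role name, so the value differs per role; the function names are hypothetical.

```python
import hashlib
import hmac
import re

def pg_md5_verifier(role, password):
    """Return the string PostgreSQL stores for md5 password authentication.

    The digest covers password + role name, so it must be recomputed
    whenever the role is renamed.
    """
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest

def is_md5_verifier(value):
    """True if value has the shape PostgreSQL treats as pre-hashed md5."""
    return re.fullmatch(r"md5[0-9a-f]{32}", value) is not None

def quote_ident(name):
    """Quote a role name as an SQL identifier (double any embedded quotes)."""
    return '"' + name.replace('"', '""') + '"'

def create_user_sql(role, password):
    """Build the CREATE USER statement with the pre-hashed password."""
    verifier = pg_md5_verifier(role, password)
    # The verifier only contains [0-9a-f] after 'md5', so it is safe
    # to place inside a single-quoted SQL literal.
    return f"CREATE USER {quote_ident(role)} PASSWORD '{verifier}';"

def verifier_matches(role, password, stored):
    """Check a candidate password against a stored md5 string."""
    if not is_md5_verifier(stored):
        return False
    return hmac.compare_digest(pg_md5_verifier(role, password), stored)

if __name__ == "__main__":
    # Constructed sample values: role 'u0' with password 'foobar'.
    print(create_user_sql("u0", "foobar"))
```

Because the role name is part of the hash input, a string computed for one role is rejected for another role with the same password.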
KY-27855"Something went wrong" message when generating a report with many scans. A report with many scans cannot be generated due to a timeout in the requests between CM and the TDP servers.
  • Verify the TDP health.
  • Verify the network speed and latency between CM and TDP.
KY-27102Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports.
KY-30760In Legacy Reports, Data objects may not be listed in Local Storage reports with a large number of matches.
NCERRInternalServerError: unexpected error is displayed on the DataObjects report tab.
This means that the Hadoop cluster has taken too long (more than 30 seconds) to retrieve the list of data objects in the report.
Workaround: Re-run the scan and generate a new (non-Legacy) report.
KY-28063No matches found when scanning some Teradata versions.
DDC may finish without matches when scanning certain Teradata versions:
- version 16.20 and higher
- Teradata Developer Tier Preconfigured Edition configured with spoolmode
Workaround:
- For Teradata Developer Tier Preconfigured Edition, change the spoolmode to nospoolonly in the Teradata configuration.
- For other versions, please contact Support.
KY-30138MongoDB reports will only contain information for the first 1M documents even when more than 1M documents are scanned.
Workaround: Run scans with fewer than 1M documents.

CipherTrust Transparent Encryption

KY-41556CTE: LDAP users/groups cannot be browsed without the Search filter.
Use the Search filter to search and browse LDAP users/groups.


KSCH-573Encryption rules cannot be modified to reset values for include and exclude extension parameters.
KSCH-568Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously.
KSCH-567Modifying a file level encryption rule to set the “isRecursive” flag does not return an error.
KSCH-564Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress.