Your suggested change has been received. Thank you.


Suggest A Change….


Release Notes


Please Note:

Release Notes

Product Description

CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.

Product Abbreviations

CipherTrust Batch Data TransformationBDT
CipherTrust ManagerCM
CipherTrust Application Data ProtectionCADP
CipherTrust Cloud Key ManagerCCKM
CipherTrust Data Protection GatewayDPG
CipherTrust Database Protection (formerly known as ProtectDB)CDP
CipherTrust Transparent EncryptionCTE
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE)CTE UserSpace
CipherTrust Teradata ProtectionCTP
CipherTrust Intelligent ProtectionCIP
CipherTrust Data Discovery and ClassificationDDC
Data Protection on DemandDPoD
CipherTrust TokenizationCT
CipherTrust Vaulted TokenizationCT-V
CipherTrust Vaultless TokenizationCT-VL

Release Description

This release is available on the Customer Support Portal in the following formats:

  • An upgrade file for physical k570, k470 and k160 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.

  • An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.

  • A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.

  • A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.

In addition, 2.10.x Virtual CipherTrust Manager is available on the following public clouds:

  • Amazon Web Services: SafeNet Cloud Provisioning System

  • Google Cloud

  • Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace

  • Oracle Cloud

  • IBM Cloud

    • An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.

    • A QCOW2 image file for deploying a new Virtual CipherTrust Manager IBM Cloud Virtual Private Cloud Gen2.

2.10.x contains a number of new features and enhancements. For the list of known issues, refer to Known Issues.

Features and Enhancements

Release 2.10.1

The 2.10.1 release includes bug fixes described in Resolved Issues. This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager version 2.10.0.

Release 2.10.0


  • Released the Quorum feature for general availability.

  • Added connection management support for LDAP.

    • In 2.10, CTE agents are supported for this LDAP connection.

    • This connection is separate and additional to the existing LDAP connection available through Access Management.

  • Added capability to browse LDAP users and groups using connections created in the LDAP connection manager.

  • Added ability to verify whether the time is in sync between the CipherTrust Manager and AWS when testing AWS connections.

  • Added capability to get the list of KMIP registration tokens using ksctl.

  • Extended support for Secure Trusted Channel (STC) mode to Luna network HSM connections in connection manager using the API.

  • Added capability to control allowed authentication methods for users.

  • Added support for preventing deletion of in-use SMB connections.

  • Added ability to create system policies to control login based on groups and interfaces.

  • Added support for granular access (based on clients, users, groups) to group of keys.

  • Added option to filter keys by effective permissions.

  • Made the SSH interface port configurable.

  • Enhanced the nodes API to specify additional cluster information.

  • Added cluster information metrics for Prometheus log monitoring system.

  • Added support for external certificates for Azure and Salesforce connections.

  • Added capability to use certificates on multiple interfaces of same type.

  • GUI enhancement: Made consistent use of the term username.

  • Added support for nShield Connect HSM as root of trust.

  • Enhancement to OIDC connection for CipherTrust Manager user authentication. CipherTrust Manager now checks and refreshes the signing keys from the identity provider on each authentication, to keep up with key rotation.

  • Small user-friendly enhancements to the upgrade script.

  • Due to design stability, the Prometheus metrics endpoint is now fully supported and no longer technical preview.


  • To fetch all keys, it is recommended to use KeyNamesRequest instead of KeyQueryRequest. The KeyQueryRequest response time is proportional to the number of keys on the CipherTrust Manager, hence may lead to a timeout exception on the client side.

  • Currently, the log forwarders are not configured to use the system's proxy configuration. If proxy is configured, the log forwarders bypass the proxy servers.

  • The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.

  • During client renewal, if another client (which has Auth mode set to DN) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and different subject DN.
    However, for local CAs, it is not required to delete the client to be renewed, rather set the do_not_modify_subject_dn field to false. Refer to Renewing Local CA Clients for details.

Deprecated Feature(s)

The CipherTrust Manager version 2.9 onward:

  • The 'global' user doesn't get generated on restart.

  • The 'global' user cannot be created.

    While upgrading to CipherTrust Manager 2.9, the 'global' user gets deleted.

    In CipherTrust Manager 2.8 and 2.9 mixed cluster environment, if a 'global' user exists, you cannot login as a 'global' user.

    While upgrading to CipherTrust Manager 2.9 or in mixed cluster environment, if a 'global' user is deleted, the keys owned by the 'global' user will be accessible to the 'Key admin' or 'admin' groups. The NAE/KMIP users can also access these keys.

Application Data Protection

  • Added support for access policies that allow you to select how to display data in a RESTful API call during the reveal operation based on the user. The data can be revealed as:

    • Plaintext

    • CipherText

    • Masked Value

    • Error/Replacement Value

  • Added licensing enforcement for DPG.


  • Added integration of CipherTrust Manager and Luna Network HSM with AWS External Key Store (XKS). External custom key stores allow you to select keys held in CipherTrust Manager or Luna Network HSMs and allow AWS KMS to use the keys for cryptographic operations on demand. The external custom key store (either CipherTrust Manager or Luna Network HSM) contains Hold Your Own Keys (HYOKs) and executes the cryptographic operations.

  • Added support for GCP key purpose "MAC" for signing and verification for symmetric keys using the API.

  • Added capability to automatically rotate keys after a specific number of days of the last key rotation.

  • Added support for dynamically pushing policy updates to the associated AWS keys using the API.

  • Added support for Technical Users for connecting to the SAP Data Custodian.

  • Added capability to schedule key rotation at the key vault level using the API.

  • Added capability to add schedules while creating AWS cloud keys.

  • Added capability to select and modify policy and policy templates using the GUI.

  • Added capability to include roles in AWS key policies. Now, key administrators and key users access can be granted to IAM roles.

  • Added support for the Azure Key Vault Managed HSM cloud service using the GUI. Azure Managed HSM vaults support RSA-HSM and EC-HSM keys only. Other functionalities are the same as regular Azure vaults.

  • Enabled support for Microsoft Confidential Computing for Luna Network HSM as a key source with Azure Managed HSMs or Premium Azure Key Vaults. For this, an exportable flag has been introduced for keys in Azure Key Vaults.

  • GWS Workspace CSE: Added capability to attach multiple identity providers (IdP) to individual endpoints.

  • GWS Workspace CSE: Added support for client side encryption of Gmail messages.

  • Google EKM: Support for a new Key Access Justification Reason, MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION.

  • Added support to manage AWS CloudHSM Custom Key Stores.

  • Officially documented instructions to prevent CCKM users from exporting source key material.

  • Added capability to add a policy template at the time of AWS key creation.


  • Added support for CipherTrust Manager's quorum control for CTE operations and resources. A CipherTrust Manager administrator can configure a quorum policy to have multiple approvers for supported operations.

  • Added support for signature sets for CTE for Kubernetes clients.

  • Added support for COS policies for Wasabi cloud storage.

  • Enhanced the CTE clients GUI to display different client types - FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).

  • Enhanced CTE reports to filter reports based on client type - FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).

CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.10 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release.

CTE UserSpace

CTE UserSpace is a new kernel-independent file encryption product based on CTE and CTE UserSpace (rebranded ProtectFile FUSE). The CTE UserSpace version compatible with CipherTrust Manager 2.10 will be 10.0 (instead of 9.5).

  • The resources of CTE UserSpace clients running 9.5 and higher Agent versions are managed by the Transparent Encryption application on the CipherTrust Manager. These clients can't be managed by the ProtectFile & Transparent Encryption UserSpace application.

    This release does not support the following features:

    • Kernel Compatibility Matrix

    • Agent and System locks

    • CBC and XTS keys

    • COS, ESG, IDT, and LDT policies and GuardPoints

    To manage the clients running the previous versions of the CTE UserSpace Agent, use the ProtectFile & Transparent Encryption UserSpace application only. Alternatively, upgrade those clients to CTE UserSpace 9.5 or a higher version.

  • Added support for CipherTrust Manager's quorum control for CTE operations and resources. A CipherTrust Manager administrator can configure a quorum policy to have multiple approvers for supported operations.

  • Enhanced the CTE clients GUI to display different client types - FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).

  • Enhanced CTE reports to filter reports based on client type - FS (CTE), CSI (CTE for Kubernetes), and CTE-U (CTE UserSpace).


  • Added support for NFS and SMB/CIFS DataStores

  • Added capability to scan SMB/CIFS DataStores

  • Added capability to generate reports for NFS/SMB/CIFS DataStores

  • Extended policy support to NFS and SMB/CIFS GuardPoints


  • Support for RHEL 8 Agents

  • Support for SCRAM-SHA-256 authentication in PostgreSQL

  • OneDrive for Business data store support

  • BLOB support for Oracle, Microsoft SQL, PostgreSQL, MySQL, Teradata, and IBM DB2

  • Collecting Agent logs for troubleshooting purposes

  • Enhanced scan progress status allows you to see if a scan with a blocked percentage is stuck or is progressing


ProtectV will be End of Life based on the announcement shared in the past. CipherTrust Manager 2.11 onwards, registering ProtectV clients will no longer be supported and changes will be made to deprecate the ProtectV management API and UI.

End-of-Sale and End-of-Life Announcement SafeNet ProtectV

Resolved Issues

This table lists the issues resolved in 2.10.1.

KY-53679Problem: AWS: Policy of a replica key is overwritten by the default AWS policy after the primary key is rotated.
KY-53641Problem: AWS: Pasting the content of a raw policy into the CCKM GUI does not work while adding a key.
KY-53610Problem: AWS: Pasting the content of a raw policy into the CCKM GUI does not work while creating a policy.
KY-53594Problem: When using CipherTrust Manager as key source within AWS XKS, data encrypted using older versions of a key cannot be decrypted. Refer to Advisory Notes for more information about this issue.
KY-53514Problem: XKS Audit events are not scoped to domain.
KY-53668Problem: In the Add AWS Key UI wizard, the Help Me Decide URL was pointing to a wrong URL.

This table lists the issues resolved in 2.10.0.

CM-7Thales Trusted Cyber Technologies (TCT) k570 model does not support FIPS backup.
KY-51909CCKM: AWS report generation does not complete. The overall_status of AWS reports remain stuck at in_progress regardless of the report duration.
KY-51563CCKM UI missing GOOGLE_INITIATED_REVIEW Key Access Justification for Google EKM.
KY-51318Adding a proxy host using the web console GUI results in the URL displaying incorrectly with a trailing slash (/), and the proxy setting is not applied.
KY-51283DDC: While adding a DDC license string to the CipherTrust Manager, the web UI returns the error: User not authorized to add a license.
KY-49080Running ksctl login without KSCTL_NOSSLVERIFY in config.yaml file gives the error panic: runtime error: invalid memory address or nil pointer dereference.
KY-48665Oracle Cloud: When you upload a key to an Oracle vault, the Origin column under KEY VERSIONS shows External as the key material origin for both software and HSM protection modes.
KY-48358The users and groups backup fails if an invalid group name is provided in the resource query filter during partial domain backup.
KY-48357Wild card support is not present for partial domain backup of user.
KY-48263Automatic rotation of Salesforce tenant secrets using Luna HSM as a key source does not work.
KY-48261The SAP Keys created by search filter in the CipherTrust Manager web console UI does not take effect. Results are not filtered.
KY-48256The Admin > Services page has Restart buttons for every listed service, but only nae-kmip and web services can successfully restart. All other services fail with 15: NCERRBadRequest: Bad HTTP request.
Resolution: Restart buttons removed for inapplicable services.
KY-48228When creating a data transformation enabled policy, if you keep on selecting the same action, its duplicate entries are added.
KY-48085The Reset option to restore default columns doesn't work in some tables in the CipherTrust Manager UI.
KY-48070When a HDFS folder /user/XXX does not exist, a misleading message is displayed.
When you configure HDFS without a folder /user/XXXX, the DDC should display an error "HDFS folder /user/XXX" does not exist". Instead, it displays "Invalid HDFS folder: the folder does not exist"
KY-48050[CipherTrust Manager UI]: If you attempt to renew a KMIP client certificate without providing a CSR/CSR parameters, you do not receive the private key associated with the new certificate.
KY-47789User login to the CipherTrust Manager UI with an external certificate sometimes hangs and does not complete.
KY-46653If you add a syslog host on connection manager with IPv6 format, testing the connection fails with the message too many colons in address. This error occurs despite the connection working properly.
KY-31116, KY-31114If an admin enables a quorum policy on any domain, and a key admin of that domain logs into the web console GUI and views the quorum settings, the quorum policy is displayed as disabled and the error NCERRResourceNotFound: Resource not found is displayed.
KY-30705You cannot migrate an RSA public key without a corresponding private key from KeySecure Classic. Migration attempts fail with the error "Server error [417/NCERRInvalidOrMissingKeyData: Could not decode key from key material]: Invalid private key format. HTTP code:422".

Advisory Notes

This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.

In CCKM with AWS XKS, Issue with Rotation of AWS HYOKs when CipherTrust Manager 2.10.0 is Used as Key Source

When using CipherTrust Manager version 2.10 as a key source within AWS XKS, do not rotate AWS HYOK keys. As documented in the known issue of KY-53594, data encrypted using older versions of a key cannot be decrypted. Release 2.10.1 addresses this issue.

HSM-anchored Domains Unavailable in 2.10

HSM anchored domains are unavailable for this release while we continuously improve their quality and add new features. HSM-anchored domains are available in CipherTrust Manager version 2.9 as a technical preview, and will be returning in a future release.

The following recommendations apply to any CipherTrust Manager which has created an HSM-anchored domain in version 2.9:

  • Reset the CipherTrust Manager before deploying it into production.

  • Do not restore any backups from this CipherTrust Manager.

Contact customer support if you require assistance with previously created HSM-anchored domains.

Luna Network HSM 5.x and 6.x are no longer supported as Root-of-Trust for CipherTrust Manager

As Thales has passed the end-of-support date for Luna Network HSM 5.x and 6.x, CipherTrust Manager no longer supports those versions for root of trust. CipherTrust Manager does not enforce against setting up those versions for root-of-trust, so upgrading will not disrupt existing root-of-trust connections to our knowledge. Consult the End of Sale and End of Support announcement, Luna Network HSM 7 documentation, and Data Protection on Demand and Luna Cloud HSM documentation for migration information.


Do not enable quorum on the ManagePolicyAttachment and DeletePolicy operations until all the CipherTrust Manager nodes in a cluster are upgraded to 2.10 or a higher version.

KeySecure Classic Hardware No Longer Supported

CipherTrust Manager firmware version 2.8 or above is not supported on KeySecure Classic k450 and k460 hardware. Refer to Migrate from KeySecure Classic for information on migrating KeySecure Classic data to CipherTrust Manager hardware.

SMB Connection

The Host and Port fields must be specified together, or do not specify any of them. If Host and Portare not specified while creating an SMB connection, these fields cannot be added later.

Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests

When generating a new AES or DESede key CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.

We strongly recommend future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.

We recommend to use CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM or DESede CBC encryption request following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.

The IV value used for an encryption request is needed to decrypt the data later.

In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.

In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.

Some Key States Change After Upgrade

After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.

As you cannot upgrade directly from 2.4 to 2.10, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.

  • When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.

  • When a key has an NAE state of Restricted and Protect Stop Date is set in future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.

  • When a key has an NAE state of Active and Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.

  • When a key has an NAE state of Active and Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.

  • When a key has a state of Deactivated before upgrade, its state will be unchanged after upgrade. However, the allowed operations for the Deactivated state change for 2.5. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.

System Upgrade and Downgrade Supported Releases

System upgrades have been tested from releases 2.7, 2.8, and 2.9.

Upgrades from other versions have not been tested and may not work correctly.

CipherTrust Manager 2.10 can be downgraded to 2.9. For release-specific upgrade/downgrade information, refer to the release notes for your release.

Refer to the System Upgrade page for instructions to perform an upgrade or downgrade on a single device.

Refer to the Cluster Upgrade section for instructions to perform an upgrade on a cluster of devices.

Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.

Clusters with a Large Number of Transactions

Clusters that support a large number of transactions should have audit logging disabled and only syslog should be used for capturing audit logs. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.

To disable local audit logging

Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:

$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false

If configured, Audit logs will be still be sent to a syslog server.

Protect the ksadmin Private SSH Key

The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.

TLS/SSL Must be Enabled in a Production System

As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.

Key Usage Mask Selection

If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.


Sharepoint Connection

Sharepoint connection settings have changed. Instead of username and password, it is now re required to provide Client ID, Client Secret Key, and Tenant ID. Existing Sharepoint data stores in any upgraded CM instances will need to be modified with the new connection details.


  • Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.

  • DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (and return the impression that DDC fails randomly).


Overlapping licenses are not supported (except for the trial license).

Sharepoint Online Data Store

The Sharepoint Online datastore configured before the CM 2.10.0 release will no longer be accessible after upgrading to CM 2.10.0, if the authentication credentials are not changed. The user will see the "Internal Error" error while running any scan on a Sharepoint Online data store.


This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.

TLS Compatibility

This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

InterfaceMinimum TLS versionMaximum TLS versionDefault Minimum TLS version
Web UITLS 1.2TLS 1.3TLS 1.2
NAETLS 1.0TLS 1.3TLS 1.2

TLS 1.0 and TLS 1.1 support will be discontinued in a future release.

By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:

  • TLS_AES_256_GCM_SHA384 (TLSv1.3)

  • TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)

  • TLS_AES_128_GCM_SHA256 (TLSv1.3)





TLS Deprecation Notices

  • Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.

  • Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:











Client Platforms

The following client Platforms are supported by the CipherTrust Manager.

Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.

For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.

CipherTrust Application Data Protection

  • ProtectApp JCE: minimum version 8.6.1

  • ProtectApp .NET: minimum version 8.11.0

  • ProtectApp ICAPI: minimum version 8.10.0

  • ProtectApp Oracle TDE: minimum version 8.9.0

  • ProtectApp SQL EKM: minimum version 8.3.2

CipherTrust Cloud Key Manager

Minimum version

CipherTrust Database Protection

  • ProtectDB Oracle: minimum version 8.8.0

  • ProtectDB SQL: minimum version 8.9.0

  • ProtectDB DB2: minimum version 8.7.0

  • Transformation Utility: minimum version 8.4.3

CipherTrust Transparent Encryption

Minimum version 7.0.0

CipherTrust Transparent Encryption UserSpace

Minimum version 10.0

CipherTrust Vaulted Tokenization

  • Tokenization Manager: minimum version 8.7.1

  • Vaultless Tokenization Manager: minimum version 8.8.0

CipherTrust Batch Data Transformation

Minimum version

CipherTrust Vaultless Tokenization

Minimum version

CipherTrust Teradata Protection

Minimum version


Minimum version:

  • ProtectFile Windows 8.12.3

  • ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)

The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.


Minimum version 4.7.3

Data Discovery and Classification Agents

Linux minimum kernel version is 2.6.

There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.

ODBC driver for Microsoft SQL: To connect to Microsoft SQL, DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. Thus, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.

TDP Version Compatibility

Data Discovery and Classification requires TDP or newer.

Known Issues

This section lists the issues known to exist in the product at the time of release.

CipherTrust Manager

KY-56071Problem: The Ciphertrust Manager GUI cannot list keys when the number of keys on which the key policies are applied increases.
Workaround: Do not apply key policies to a large number of keys.
KY-52933Only the ten most recent alarm configurations generate alarms for server or client audit records. For example, if you add an 11th alarm configuration, the 1st alarm configuration is no longer used for generating alarms.
KY-52237The state of a pending CA changes to expired after the restart. This breaks the connection/integration of any KMIP or VSAN Client.
CM-17Thales Trusted Cyber Technologies (TCT) k570 model does not support key rotation for HSM root key.
CM-18Thales TCT k570 model does not support HSM Firmware Upgrade (in field).
CM-19Thales TCT k570 does not support external JWT rotation.
KY-52289Problem: If you have multiple nShield Connect HSMs configured as root of trust, you cannot delete the HSM in the CipherTrust Manager web console GUI.
Workaround: Use DELETE /v1/system/hsm/servers/{id} in the REST API or ksctl hsm servers delete in the CLI.
KY-52290Problem: You cannot add an additional nShield Connect HSM as a root of trust through the CipherTrust Manager web console UI, to operate in high availability with an existing nShield Connect HSM.
Workaround: Use POST /v1/system/hsm/servers in the REST API or ksctl hsm servers add in the CLI.
KY-52213Problem: If you restore a backup and attempt to create a backup shortly afterwards, the backup stays in progress for a long time and eventually fails.
Workaround: Retry the backup or add a key filter to reduce the size of the backup.
KY-52172Problem: If you deselect a region for a custom key store, resources from that region are still visible.
Workaround: Disregard these resources.
KY-52137Problem: If you rotate the root of trust key for an HSM and then reboot the appliance, services fail to start up and the reboot does not complete. This can happen when the HSM contains two root of trust keys with the same name, and the wrong HSM key is loaded.
Workaround: If you are stuck in services startup, access the HSM with another client, and re-label one of the duplicate keys.
KY-52075Problem: You are not prevented from restoring a backup from an HSM-anchored domain to a target domain without the correct domain KEK. The domain contents are inaccessible after restore.
Workaround: Use GET /v1/domains/{id} in the REST API or ksctl domains get in the CLI to check the hsm_kek_label and hsm_kek_id match in the source and target domain.
KY-51664Problem: When nShield Connect HSM is configured as root of trust, there are intermittent connectivity issues. The nShield HSM occasionally returns a ServerAccessDenied error, and CipherTrust Manager raises the HSM is offline system alarm.
Workaround: Wait for connectivity issues to resolve after a few automatic reconnection attempts.
KY-49289Problem: If a Luna Network HSM partition is configured as root of trust, and CipherTrust Manager's client access is revoked with the LunaSH command client revokePartition, connectivity remains intact until CipherTrust Manager is restarted.
Workaround: As a best practice, after running client revokePartition, restart the CipherTrust Manager or restart all CipherTrust Manager services.
KY-49126Problem: After the external CA is uploaded on the CipherTrust Manager, the GN and DC fields are not displayed as part of the record.
KY-48284Problem: Domain backups with local users cannot be restored into another domain in the same cluster.
Workaround: Restore the backup to a CipherTrust Manager in a new cluster, or to a different CipherTrust Manager instance which isn't clustered.
KY-42690Problem: If you edit the default port value on the web or KMIP interface, and then join the CipherTrust Manager to a cluster, web or KMIP requests directed to the changed port value fail on other nodes. This is true even though the nodes in the cluster display the new, correct port value for these interfaces.
Workaround: On CipherTrust Manager nodes with failing requests, change the interface port number to a temporary value, and then change the interface port number again to the desired value.
KY-39235If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain.
KY-27897SaltLength with zero (0) value is not supported for Sign/SignV operations using RSA PSS padding.
KY-27450Local Certificate Authorities (CAs) do not allow commas , in any of the fields.
Workaround: Configure an External CA instead. Use a backslash \ in the Distinguished Name (DN) while creating a user if you are using certificate based login. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value.
All other printable characters are allowed, as per RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definitions of the RFC.
KY-25152You cannot pass in a custom SSH key via cloud init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances.
Workaround: Login to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login.
KY-20310When setting up a new DPoD HSM on Demand Service as root of trust, the command succeeds but sometimes returns a timeout error.
Workaround: Disregard the timeout error.
KY-17662In-place cluster upgrade does not enforce upgrading only one version.
KY-17338KMIP: LDAP users cannot be set in the KMIP profile.
Workaround: To use LDAP authentication, use the KMIP auto registration.
KY-13617Domain scoped backup fails to restore on another domain when a key with the same name and version already exists.
Workaround: To handle this issue, try either of the following:
  • Retain both keys.
    1. Take the backup without the conflicting key with filters.
    2. Export/import the key material and import it separately.
  • Retain only the backup key.
    1. Delete the key with duplicate name on the restore system.
    2. Restore the domain scoped backup.
KY-13343Uploading an existing backup results in error but is displayed in the list with status "Uploading".
Workaround: Delete the backup using the "uploadID" as backup ID.
KY-11517[ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding.
KY-11498When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an ldap user cannot log on to it.
KY-7289When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode.
Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.
KY-7288When migrating from KeySecure Classic to CipherTrust Manager, AES-GCM encrypt/decrypt operations, AuthenticatedEncryptionTag is returned appended to CipherText.
Workaround: For migration use cases, when using AES-GCM with KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.
After migration to CipherTrust Manager, the AAD tag is not appended to the data. It is sent as a separate tag.
KY-7193Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups.
Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created.
KY-6383Users with a pipe in their user names (for example, user1|something) cannot log on using NAE/KMIP.
KY-3670Cluster join operation can fail, but rarely, leaving joining node in a bad state.
Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join.
If you still cannot log on to the node:
  1. ssh in as the ksadmin user.
  2. Reset the node by running the ksctl reset command.
KY-2482(was NC-3480) Signing with EC keys does not work via the REST API.
KY-2423(was NC-2318) KMIP: Result Reason may not be accurate or have enough detail.
KY-2418(was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves.
KY-1397(was NC-2253) Last Login and Logins count are not updated for global user.
KY-1396(was NC-2256) Group membership change for yourself does not take effect until after re-login.
KY-1394(was NC-2260) Trying to mark a shared key deletable or exportable by non-admin user returns: NotFound error. The error should be: insufficient permissions.
KY-1373(was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used.
KY-1166(was NC-4098) NAE/KMIP multiport iptables rules are not replicated.
Workaround: Perform NAE restart on each node.
KY-504Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster.
NC-3573Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT.
Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface.
NC-3572Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager.
Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration.
Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface.
NC-2063If a user is deleted (or LDAP connection name changes), they fail to display in the keys table.

CipherTrust Application Data Protection

KY-47385Problem: If you migrate a non-deletable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "deletable".
Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-deletable.
KY-47374Problem: If you migrate a non-exportable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "exportable".
Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-exportable.

CipherTrust Cloud Key Manager

KY-52134XKS Performance impact due to validations of account and region.
Note: With the recent fine tuning of CipherTrust Manager and CCKM code due this known issue, the XKS performance numbers for both the CipherTrust Manager and Luna HSM (as key sources) have improved for the upcoming 2.11.0 release.
KY-52172AWS custom key store not greyed out after KMS region deselected.
In managed AWS resources, such as a custom key store, resources still display as "manageable" even after the corresponding regions in the associated KMS account (in CipherTrust Manager) are deselected.
KY-53513Problem: AWS External Key stores cannot be deleted within CCKM even when all of the keys in the key store are in a deleted state.
Workaround: Delete the External Key Store from AWS. Alternatively, use CCKM API to delete the XKS keys from CCKM records and then delete the key store from CCKM.
KY-51707Problem: GUI displays options for key rotation for Google EKM keys, including applying a rotation schedule. These options are inapplicable for Google EKM keys.
Workaround: Disregard these operations. They do not complete if attempted.
KY-49086The POLICIES section of the AWS Keys details page does not show the roles associated with the key in the basic policy view.
Workaround: View the associated roles in the raw policy view.
KY-46776GUI shows EC and RSA key types when adding keys to Azure-managed HSM vaults.
These key types will be removed in a future release.
Workaround: Use the EC-HSM and RSA-HSM options to add keys to the Azure-managed HSM key vaults.
KY-44547GUI: The "requested by" search functionality does not work for Google Workspace CSE records (Records > Google Workspace CSE).
KY-39123SAP Data Custodian: When a SAP group is added again, then performing any enable, disable, update, and add new version operation on a key in the group returns the "500 Internal Server Error".
Workaround: Refresh the newly added group, add the key again, and retry operations.
KY-35220When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned.
Workaround: Refresh all the key vaults.
KY-31186If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate.
Workaround: Add an exception ( with no_proxy or use the proxy with username and password, and restart the services.
KY-31058The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work.
KY-27583CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state.
This happens when the scheduler expires due to some network issues or reboot of the CipherTrust Manager. The scheduled job remains in the running state.
Workaround: Delete the running and scheduled jobs from the API playground, and retry.
KY-17213When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global".
Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group.

CipherTrust Database Protection

PDB-3293If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work.

CipherTrust Data Discovery and Classification

KY-9098DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails.
Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store.
KY-9104Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI.
Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent.
KY-9399The XVA file contains a data object that is was reported when it should not. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object in the Data Objects tab is displayed in the UI. You should ignore it.
KY-8990Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed.
Workaround: Configure an NTP server for DDC and all Agent hosts.
KY-24205The Agent selection will fail if no compatible Agent is found, or if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store.
Solution: For possible solutions, check the following:
  • Make sure a compatible Agent is properly installed. Check the compatibility table in the “Agent Configurations” section in the “DDC Deployment Guide”.
  • For a local Data Store, make sure that the Agent is installed on the same host where the Data Store is located.
  • For remote connections, make sure that the network connectivity between the Agent and the Data Store is not blocked by a network firewall.
  • Verify the configured credentials, and make sure that they have permission to connect and read the Data Store contents.
  • When you make sure that the Agent is up and with connectivity, go back to DDC and select the button "Find Agent" for the Data store with the issue.
  • Make sure that you do not have two (or more) Agents with the same hostname (for example, as a result of VMs cloning).
  • Configure the Data Store using a hostname, instead of an IP Address.
None of the clustered nodes responds to requests to DDC.
DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. This will be improved in next releases.
  • Run ksctl ddc active-node to identify the CipherTrust Manager node responsible for answering DDC requests and send the requests to the indicated IP. If this does not work, please restart the CipherTrust Manager node with that IP.
  • If the node identified by ksctl ddc active-node does not answer DDC requests correctly or is no longer active, contact Thales Customer Support.
KY-22666DDC may not scan big Data Objects for Data Stores other than local storage.
The threshold to consider is a file as big as half of the assigned scan RAM. When a DDC scan encounters a file exceeding this threshold, it may completely skip the file or scan just up to that threshold. The user has no way to identify the issue from DDC reports.
Possible Workarounds:
  • Download large files to a local storage, and run the scan on this local storage data store.
  • Increase the scan RAM as indicated in the Tuning Scan Settings section.
KY-13618Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted.
When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled.
Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost.
KY-19763OracleDB and IBM DB2: uppercase schema/table name issues.
User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase.
Workaround: Set the target path in uppercase.
KY-21981Postgres tables without primary keys are not completely scanned
DDC can only scan Postgres tables if they have at least one primary key defined.
Workaround: Configure at least one primary key in the tables and run the scan again.
KY-27095The PostgreSQL Agent selection fails as if there were no compatible Agent, or as if no compatible Agent could reach the Data Store. DDC does not support the scram-sha-256 authentication method.
Workaround: Create the user with 'md5' password encryption by specifying the hash of the password at user creation, as in CREATE USER <user name> PASSWORD 'md5<password hash>';
For example, to create a user named 'u0' with the password 'foobar' (md5('foobar') = ac4bbe016b808c3c0b816981f240dcae) use the following command: CREATE USER u0 PASSWORD 'md5ac4bbe016b808c3c0b816981f240dcae';
KY-27855"Something went wrong" message when generating a report with many scans.Report with many scans cannot be generated due to timeout in the requests between CM and the TDP servers.
  • Verify the TDP health.
  • Verify the network speed and latency between CM and TDP.
KY-27102Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports.
KY-30138MongoDB reports will only contain information for the first 1M documents even when more than 1M documents are scanned.
Workaround: Run scans with less than 1M documents.
KY-46340Office365: OneDrive for Business - Using wrong OneDrive domain while probing or scanning does not return an error.
Also a scan with the wrong domain and path does not return any error and it completes successfully.
KY-48874A scan with MySQL datastore (version 8.0.30) fails due to "failed status in the scanner service".
KY-49115Discrepancies in scan results of infotypes for the same file in DDC 2.10 and 2.9.
These infotypes show discrepancies:
- Australian Passport Number: 1070 (in version 2.9), 204 (in version 2.10)
- China Union Pay: 1000 (in 2.9), 921 (in 2.10)
- Discover: 1001 (in 2.9), 919 (in 2.10)
- Diners Club: 1001 (in 2.9), 1002 (in 2.10)
KY-51301For SMB Data Stores with remediation enabled, scans performed after remediation completes may not find matches in encrypted files.
Workaround: Automatic agent selection does not narrow the selection of DDC Agents to those installed on host with a CTE Agent in the Agent Group protecting the SMB Guard Point. If DDC selects any of those agents, further scans on the SMB will read the encrypted content and therefore will be unable to find any match. In order to avoid this issue, please assign use labels to force DDC to select only the right agents as follows:
- Add one dedicated label to the DDC Agents installed on the hosts with valid CTE Agent,
- Associate that same label to the SMB Data Store, in order to guide automatic agent selection algorithm.
KY-51306DDC Agent version 2.6 fails to configure for SMB datastore using hostname or IP.
Workaround: If the hostname or IP do not work as credentials, instead try only the username.
KY-51550Office365: OneDrive for Business - Scan progress reaches more than 100%.
KY-51586A scan of a LONGBLOB file in MySQL gets stuck while scanning.
DDC should be able to scan a 20MB table, as LONGBLOB data type supports upto 4 GB of data, yet it fails.
KY-51623Partial Scan in BLOBs of size greater than 100 MB in MSSQL.
NOTE: If a file is partially scanned, it will be considered in the inaccessible location list.
KY-52297DDC scan fails when the SMB scan path does not have any file to scan.
Solution: Do not scan empty SMB paths.
KY-51695DDC is only able to scan the initial 4KB of any text file stored as a large binary object in database tables.
KY-52494From this DDC version on (DDC-2.10), RHEL-compatible Agents can only be installed on environments running the matching and officially supported kernel version.
KY-52532Autopause feature not working as expected in Azure Table scans.
A scan of Azure Table with the "Autopause" feature enabled has the following issues:
  • it fails to resume after autopause end time after it enters the "Autopaused" state from the "Pending" state,
  • it fails to enter the "Autopaused" state from the "Running" state.

CipherTrust Transparent Encryption

KY-52498Problem: CTE for Windows Clients: Directories under drives on clients are invisible and cannot be browsed when creating GuardPoints on client groups.
Workaround: Manually type the directory path under the target drive, for example, c:\protect\.
KY-52180Problem: The Re-sign Settings toggle on the Client Settings tab remains enabled after settings are pushed to the CTE agent.
Workaround: Manually reset the Re-sign Settings toggle.
KY-51759, KY-51754Problem: When quorum is enabled, if you perform an operation to delete clients or GuardPoints in bulk, the quorum is created in pre-active state.
Workaround: Activate the quorum using the /v1/quorum-mgmt/quorums/{id}/activate API.
KY-51135Problem: Group members cannot be imported from ldap for user sets.
KY-40214Problem: After migrating ProtectFile clients to CTE, rules set to DISABLE are not applied to the clients.
Workaround: For Windows clients, in the client registry, delete the activeRules string from key HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\ProtectFile, and delete the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sfntpffd\RulePaths. Then, reboot the host machine.
For Linux clients, in the /etc/safenet/config/PF/safenet_pf file, delete the activeRules parameter entry and reboot the host machine.
KY-34329Browsing VxVM raw devices that have slash in the path names shows non-existing directory in the GuardPaths.
Workaround: Create GuardPoints by manually entering the raw device paths.


KSCH-16415The Host Name field on the Client Registration screen does not have validation for host availability.
Workaround: Add clients using the API.


KSCH-573Encryption rules cannot be modified to reset values for include and exclude extension parameters.
KSCH-568Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously.
KSCH-567Modifying a file level encryption rule to set the “isRecursive” flag does not return error.
KSCH-564Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress.