Release Note for CTE v7.8.0 for Linux

This release of CipherTrust Transparent Encryption (CTE) for Linux adds new features, fixes known defects and addresses known vulnerabilities.

New Features and Enhancements

New Platform Supported

• RHEL 9.6

Automount Support on LDT

Auto Mount is supported with LDT policies, with CBC/CBS-CS1 keys, on both NFS and local file systems. It is an option provided for guarding a GuardPoint. When selected, it enables automatic guarding of the GuardPoint when accessed, rather than immediately after policy deployment.

• See Using Auto Mount with LDT Policies for more information.

Integrating Imperva FAM with CTE

File Activity Monitoring (FAM) catalogs, monitors, and secures unstructured data (files). Unstructured data refers to any data that is not stored in databases. You can find these files locally, on the network, or in the cloud. FAM provides insights into data location, ownership, access history, permissions, protection, sharing, and sensitivity, enabling informed decisions about data protection.

• See Integrating Imperva File Activity Monitoring (FAM) with CTE Linux for more information.

Confidential Computing

Confidential Computing has been expanded for CTE and is no longer a technical preview. Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while it is being processed by the application, to protect it from a broad range of software attacks. Confidential Computing ensures that all data operations are executed within a Trusted Execution Environment.

• See Integrating with Intel® Tiber™ Trust Services and Intel TDX, NVidia H100 or AMD SEV-SNP for Confidential Computing

Using CTE and Imperva Database Activity Monitoring (DAM)

Security administrators can protect execution of processes/binaries on CTE agents from a ptrace attachment. This prevents process injection attacks through ptrace system call. Thales CipherTrust Transparent Encryption and Imperva Database Activity Monitoring (DAM) can operate simultaneously on the same system if the ptrace attachment is not blocked on the system.

• See Using CTE and Imperva Database Activity Monitoring (DAM) Simultaneously for more information.

RWP Protection report on CipherTrust Manager when RWP detects suspicious behavior

The Ransomware Protection solution sends its findings to CipherTrust Manager. Alerts are generated by CipherTrust Manager whenever there is Ransomware activity observed by the agent. You can see the details of the findings on the GuardPoint Health status page.

• See Understanding Ransomware Protection Reports for more information.

LDT NFS Scalability

• LDT now supports scaling to 200 nodes.

Documentation Improvement: Minimum System Requirements added

Minimum System Requirements added to the System Requirements page.

• See System Requirements for more information.

Resolved Issues

• AGT-66305: Cloud Object Storage support is not enabled after upgrading agent version

  When CTE COS is enabled, and the CTE version is 7.7.0.108 to 7.7.0.134, when upgrading CTE to 7.8.0, you must:

  1. Open the cloud.cfg file in a text editor and modify the CTE_CLOUD_FLAG variable as follows.

     vi /opt/vormetric/DataSecurityExpert/agent/squid/etc/cloud.cfg 
     ...
     VTE_CLOUD_FLAG=1
     

  2. Restart squidproxy service. Type:

     systemctl restart squidproxy.service
     

Known Issues

• AGT-28604: Linux GlusterFS Trash Translate does not work if .trashcan directory is outside of GuardPoint

  CTE has an issue with subdirectories in Gluster FS. If a file deleted from a GuardPoint is moved to a subdirectory that is outside of the GuardPoint, then it shows only the garbage values because it is encrypted.

  Currently, CipherTrust Transparent Encryption does not support the GlusterFS Trash Translator.

• AGT-61372: Dynamic ResourceSet|Data Corruption Happening On Initial Rekey When Rename Operation Done on Directory followed by long running read operation initiated on Secondary Hosts

  During initial rekey, avoid renaming a directory that is not associated with a key rule, to a new name that makes the new directory name associated with an encryption key rule. The files under the renamed directory may not be transformed to the key rule, resulting in invalid data read from such files.

• AGT-62836: The command to get the vm process logs dumped the logs into vorvmd during the first association of a FAM policy with CTE

  These logs are generated when a FAM policy is pushed for the first time. They do not affect the functioning of FAM, or any other feature, and can be ignored.

• AGT-65002: LDT-AutoFS: Not Removing Shadow directory after auto unmount of NAS mount point

  Unmounting automount directories, configured as a CTE AutoGuard GuardPoint under an LDT policy protection, does not remove the mount point subdirectories that are dynamically created when mount points are auto-mounted.

• AGT-65138: Files corrupted after restored from backup version key into exclude clear key then rotate key

  Avoid restoring encrypted files, from a backup, into a directory which contains an LDT Exclusion key rule with clear_key. Although there is no issue with accessing such files after they are restored from a backup, those files will not be transformed to clear_key at the time of next rekey process across the GuardPoint. Consequently, the files appear to have been corrupted.

• AGT-65402: LDT with automount guard fails when autofs is configured with a direct mount

  Support for an automount GuardPoint under an LDT policy is restricted to indirect mount paths for auto mounting. Direct mount paths are not supported.

• AGT-65631: COS | Internal server error observed if awscli is higher 2.23.0

  Starting with AWS CLI v2.23.0 and continuing with subsequent versions, AWS implemented enhanced and more efficient checksum algorithms. Therefore, customers needs to utilize an earlier version of the AWS CLI to accommodate this change. Use a version of awscli that is a previous version to v2.23.0.

• AGT-66185: Misleading error message when a secondary node attempts to access the automount GuardPoint during a single file rekey

  Guarding an LDT AutoMount GuardPoint over NFS, from a client, fails while the primary client of the GuardPoint is transforming file(s) as part of lazy rekey process. The failed guard operation sets the GuardPoint to "Failed to setup LDT over NFS GuardPoint" as reflected in secfsd -status guard command on the client. This is a misleading status. The guard operation succeeds when it's retired, which occurs when the primary client is no longer processing the lazy rekey operations.

• AGT-66295: Directory within an autofs mount point fails to guard with "Ignored, AUTOF, but type is not automount"

  Attempts to automatically or manually guard a directory within an autofs mount point failed. This has been fixed.

• AGT-66297: No error message reported when accessing auto mount GuardPoint that's in "needs LDT recovery" state

  ** Work-around**

  Use secfsd -status guard to check the state of the GuardPoint prior to using it. An error message will be added in a future version.

• AGT-66365: Files marked for lazy_rekey, during the initial rekey, change to rekey_error during the next key rotation

  For files that are set to clear key with lazy_rekey and rekey-status=none, these files does not show attributes after unguarding the GuardPoint which means that the attributes were all internal for these files.

• AGT-66367: Secondary host does not trigger a single file rekey when clear_key files marked with lazy_rekey

  After renaming files consecutively, during the initial rekey, to generate clear_key files with lazy_rekey, single file rekey is not triggered when secondary host accesses these files.

• AGT-66424: The setfacl operation not supported for GuardPoint in RHEL 9.6

  The setfacl operation, which is used in Linux to modify the access control lists (ACLs) of files and directories, is not supported for a GuardPoint in RHEL 9.6**.

End of Life

Due to the end of life status of DSM, CTE no longer ships with VMSSC.