Release Note for CTE v7.7.0 for Linux

Release Note Version: v7.7.0.87
Date: 2024-12-17

This release of CipherTrust Transparent Encryption (CTE) for Linux adds new features, fixes known defects and addresses known vulnerabilities.

Exciting Updates for the Linux CipherTrust Transparent Encryption (CTE) Agent!
Version 7.7.0 for Linux
The latest CTE release takes Linux security and performance to the next level with powerful new features:

  • New to Linux!
    • Ransomware Protection: Advanced tools to detect and block ransomware on Linux servers.
    • Confidential Computing: Comprehensive data protection for Confidential Virtual Machines (CVMs).
  • Enhanced Features
    • Improved LDT Management: Designate primary nodes and enjoy faster rekeying operations for NFS environments.
    • Expanded Platform Support: Now fully compatible with Ubuntu 22.04 and 24.04.

This release also includes critical bug fixes and resolves known issues, ensuring secure and efficient data encryption for your Linux systems.
Discover all the latest features and enhancements today!

New Features and Enhancements

Ransomware Protection Support

The CTE Linux agent now supports Ransomware Detection and Protection. The agent monitors GuardPoints, detects ransomware activity on Linux systems, and protects the data inside a CTE GuardPoint from a ransomware attack.

Confidential Computing Support

Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while it is being processed by the application, to protect it from a broad range of software attacks. Confidential computing ensures that all data operations are executed within a Trusted Execution Environment. 

CipherTrust Transparent Encryption and CipherTrust Manager manage the attestation process that provisions confidential computing on CVMs running CTE agents, providing end-to-end data protection. The role of CTE in this confidential computing model is to gather the attestation evidence and provide it to CipherTrust Manager, which has it attested by Intel® Tiber™ Trust Services. If attestation fails, CTE prevents access to the encrypted data that it guards.

CAUTION

This feature is a technical preview for evaluation in non-production environments. Details and functionality are subject to change.
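To make the fail-closed control flow concrete, here is an added illustration; it is not CTE or CipherTrust Manager code and does not reproduce the Intel Tiber Trust Services protocol. A verifier issues a nonce, the agent returns evidence that binds its measurement to that nonce, and a data key is released only when freshness, signature and measurement policy all check out. The HMAC key, the measurement values and the function names are assumptions standing in for hardware-signed TDX/SEV-SNP quotes and a real appraisal service.

```python
"""Illustrative attestation-gated key release (added example, not Thales code).

Models the control flow from the release note: the agent gathers evidence, a
verifier appraises it, and access to the guarded data is denied when
attestation fails. The evidence format and the HMAC "signature" are
simplified stand-ins for a hardware-signed quote appraised by a trust service.
"""
import hashlib
import hmac
import secrets

# Hypothetical: launch measurement the verifier's policy expects for the CVM.
EXPECTED_MEASUREMENT = hashlib.sha256(b"cvm-image-v1").hexdigest()

# Hypothetical: stands in for the hardware attestation signing key; in a real
# CVM this key never leaves the platform and the verifier holds only a
# certificate chain for it.
_HW_KEY = b"stand-in-for-hardware-attestation-key"


def gather_evidence(measurement_hex, nonce):
    """Agent side: produce evidence binding the measurement to the verifier's nonce."""
    payload = f"{measurement_hex}|{nonce.hex()}".encode()
    sig = hmac.new(_HW_KEY, payload, hashlib.sha256).hexdigest()
    return {"measurement": measurement_hex, "nonce": nonce.hex(), "sig": sig}


def appraise(evidence, nonce, expected_measurement):
    """Verifier side: freshness first, then signature, then measurement policy.

    Returns (ok, reason). Order matters: a replayed blob is rejected before any
    policy decision is made, and a forged blob never reaches the policy check.
    """
    if evidence["nonce"] != nonce.hex():
        return False, "stale or replayed evidence"
    payload = f"{evidence['measurement']}|{evidence['nonce']}".encode()
    expected_sig = hmac.new(_HW_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, evidence["sig"]):
        return False, "evidence signature invalid"
    if evidence["measurement"] != expected_measurement:
        return False, "measurement does not match policy"
    return True, "attested"


def request_data_key(measurement_hex, expected_measurement=EXPECTED_MEASUREMENT,
                     tamper=None):
    """One full round trip; the key is released only on a successful appraisal.

    `tamper` lets a caller overwrite evidence fields to simulate a forged blob.
    """
    nonce = secrets.token_bytes(16)          # verifier-chosen challenge
    evidence = gather_evidence(measurement_hex, nonce)
    if tamper:
        evidence = dict(evidence, **tamper)
    ok, reason = appraise(evidence, nonce, expected_measurement)
    # Fail closed: no key, and therefore no access to guarded data, unless attested.
    return (b"guardpoint-key" if ok else None), reason


if __name__ == "__main__":
    print(request_data_key(EXPECTED_MEASUREMENT))   # key released
    print(request_data_key("deadbeef"))             # wrong measurement, denied
```

The point of the ordering inside `appraise` is that the verifier never makes a policy decision on evidence it cannot first show to be fresh and genuinely produced by the platform; the default outcome in every branch is denial.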

Support for Designated Primary Set in an LDT GuardPoint Group

You can now manually designate a preferred primary node in an LDT Communication Group.

CipherTrust Data Security Platform Services (CDSPaaS) Support

Support added for CipherTrust Data Security Platform Services (CDSPaaS) as a key manager. 

Specify directory-process combinations in Trusted Process Exception list

Starting with CTE 7.7.0, users can exclude specific directory-process combinations from ransomware detection and protection. A Process Set can now also include Signature Sets, so that the signed processes it lists are exempted from Ransomware Protection.

Users can define trusted process-directory combinations, include Signature Sets in them, and exclude those directories and processes from Ransomware Protection monitoring.

Loss of LDT Primary Host NAS Connection

Loss of the NAS connection requires failover of the primary client to another client in the LDT GuardPoint Group. An LDT GuardPoint Group whose primary client is its only member cannot fail over, because there is no other client to take over. In this release, the CTE Agent therefore does not attempt a failover within an LDT GuardPoint Group in which the primary client is the sole member. When the NAS connection is lost in that configuration, LDT operations are blocked until the connection is restored; how the block manifests depends on whether the NAS share is mounted with the hard or the soft option.
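Whether a lost NAS connection makes LDT I/O hang (hard mount) or fail with errors after `timeo`/`retrans` expire (soft mount) is decided by the NFS mount options, so it is worth inventorying them before relying on a single-member group. The following added example (not part of the release note or of any Thales tooling) parses `/proc/mounts`-format lines and reports the mode of every NFS mount; the sample lines are constructed, and the mount paths and server names in them are hypothetical. Per nfs(5), a mount that specifies neither option is hard.

```python
"""Report hard/soft mode for NFS mounts (added example, not Thales tooling).

Parses lines in /proc/mounts format. Sample input below is constructed; the
servers and mount points are hypothetical.
"""

SAMPLE_MOUNTS = """\
nas1:/export/ldt /mnt/ldt1 nfs rw,relatime,vers=4.1,hard,proto=tcp,timeo=600 0 0
nas2:/export/ldt /mnt/ldt2 nfs4 rw,relatime,vers=4.2,soft,timeo=30,retrans=2 0 0
nas3:/export/ldt /mnt/ldt3 nfs rw,relatime,vers=3,proto=tcp 0 0
/dev/sda2 / ext4 rw,relatime 0 0
"""

NFS_TYPES = ("nfs", "nfs4")


def parse_mounts(text):
    """Split /proc/mounts-style lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, mount, fstype, opts = parts[:4]
        entries.append({"source": source, "mount": mount,
                        "fstype": fstype, "options": opts.split(",")})
    return entries


def nfs_mount_mode(options):
    """Return 'hard' or 'soft' for an NFS option list.

    nfs(5): hard is the default; if both appear, the last one given wins.
    """
    mode = "hard"
    for opt in options:
        if opt in ("hard", "soft"):
            mode = opt
    return mode


def classify_nfs_mounts(text):
    """Map each NFS mount point to its mode; non-NFS filesystems are ignored."""
    return {e["mount"]: nfs_mount_mode(e["options"])
            for e in parse_mounts(text) if e["fstype"] in NFS_TYPES}


def soft_nfs_mounts(text):
    """Mount points where I/O will error out rather than block on NAS loss."""
    return sorted(m for m, mode in classify_nfs_mounts(text).items() if mode == "soft")


if __name__ == "__main__":
    try:
        data = open("/proc/mounts").read()   # live system if available
    except OSError:
        data = SAMPLE_MOUNTS
    for mount, mode in classify_nfs_mounts(data).items():
        print(f"{mount}: {mode}")
    print("soft NFS mounts:", soft_nfs_mounts(data))
```

On a soft mount, applications inside the GuardPoint see errors once the retries are exhausted, which an LDT rekey in progress will surface as failed operations rather than a pause; on a hard mount they simply wait, which is usually what you want for a rekey that must not be torn in half.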

Enhancement of Dynamic Resource Sets on LDT Local GuardPoints with no_key_rule status

In CTE 7.7, when Dynamic Resource Sets are used with LDT and the agent is registered with CipherTrust Manager v2.17 or later, the CTE Agent sets the rekey status of files that are not associated with a key rule to rekey_no_keyrule. Previously, such files were set to rekey_excluded. Adding a key rule then allows LDT to launch and rekey the files associated with the resource set; before the key rule is added, those files remain in clear text.

New Platform Support

The following platforms are supported starting with CipherTrust Transparent Encryption 7.7.0:

Ubuntu

  • Ubuntu 22.04 (6.5 Azure kernels)
  • Ubuntu 24.04 (6.8 generic and Azure kernels)

Resolved Issues

  • AGT-59437 [CS1551737]: LDT over NFS, slow rekey. The LDT inner messaging process for NFS GuardPoints was improved, which makes rekey operations significantly faster.
  • AGT-59512 [CS1558298]: Server hangs due to the secfs2 filesystem. Resolved a potential cause of system hang under low or fragmented memory conditions, which could cause soft lockups for tasks running on all CPUs.

Known Issues

  • AGT-46320: A backup file with the clear_key exclusion on an LDT NFS GuardPoint does not contain the LDT xattr. This occurs because the resource was not defined in the key rule.
  • AGT-61568: Renaming /dir1, which holds LDT-encrypted data, to /dir2, which is covered by an implicit exclude, results in the wrong checksum. Moving directories between an LDT-encrypted directory with an exclusion key rule and an implicit exclude under a dynamic resource policy does not work properly.
  • AGT-61687: Renaming directories across conflicting key rules corrupts the files affected by the rename. Workaround: give the key rule a unique key rule name.