Release Change History

The following changes were made in past Cryptographic Security Platform Vault releases. For details about the current Cryptographic Security Platform Vault release and previous releases, visit our Customer Portal at https://trustedcare.entrust.com/. If you do not have a login for TrustedCare, please contact trustedcaresupport@entrust.com.

Changes in Release 10.4.5

Upgrade Path: For Entrust Cryptographic Security Platform Vault, upgrade to 10.4.5 is allowed from versions 10.4.1, 10.4.1.1, and 10.4.3. For the Entrust Policy Agent, upgrade to 10.4.5 is allowed from versions 10.3.1, 10.3.3, 10.4.1, 10.4.1.1, and 10.4.3. For details, see Cryptographic Security Platform Vault Upgrade and Policy Agent Upgrades.

Changes in this release:

  • KeyControl and KeyControl Compliance Manager have changed names.

    • KeyControl is now known as Cryptographic Security Platform Vault.

    • KeyControl Compliance Manager is now known as Cryptographic Security Platform Compliance Manager.

    • The KeyControl Vault for Application Security is now known as the Cryptographic Security Platform Vault for Cryptographic APIs.

  • If the cloud status of a CloudKey is not available, it can be immediately removed using the Force Purge command.

  • You can now use certificate-based authentication with Azure BYOK.

  • You can now use BYOK and cache-only keys (HYOK) with Salesforce.

  • You can set up an automatic synchronization schedule to import all CloudKeys in a Key Set.

  • You can now cache your keys in the Cryptographic Security Platform Vault for Cryptographic APIs.

  • The Cryptographic Security Platform Vault for Secrets now supports Terraform secrets.

  • Cryptographic Security Platform Vault for Databases now supports column-level encryption for PostgreSQL.

  • You can now use mTLS authentication in the Cryptographic Security Platform Vault for Cryptographic APIs.

Changes in Release 10.4.3

Upgrade Path: For KeyControl, upgrade to 10.4.3 is allowed from versions 10.3.1, 10.3.3, 10.4.1, and 10.4.1.1. For the Policy Agent, upgrade to 10.4.1 is allowed from versions 10.3.1, 10.3.3, 10.4.1, and 10.4.1.1.

Changes in this release:

  • You can now use BYOK with Oracle Cloud Infrastructure (OCI).

  • You can now assign API users the role of BACKUP_USER, which allows them to manage backups but does not grant any other admin privileges.

Changes in Release 10.4.1.1

Release 10.4.1.1 is a cumulative release containing bug fixes and all new features from 10.4.1.

Upgrade Path: For KeyControl, upgrade to 10.4.1.1 is allowed from versions 10.3.1, 10.3.3, and 10.4.1. For the Policy Agent, upgrade to 10.4.1.1 is allowed from versions 10.3.1, 10.3.3, and 10.4.1.

Changes in Release 10.4.1

Version 10.4.1 is the first release of KeyControl on Oracle Linux. The transition to Oracle Linux from CentOS allows Entrust to improve the security of the KeyControl operating system.

The main KeyControl components were ported directly to Oracle Linux and will continue to work as they did in earlier releases. The same is true for the KeyControl APIs.

Upgrade Path: For KeyControl, upgrade to 10.4.1 is allowed only from version 10.3.1. For the Policy Agent, upgrade to 10.4.1 is allowed from version 10.3.1.

Changes in this release:

  • Entrust KeyControl now runs on the Entrust-hardened version of Oracle Linux.

  • You can now use OpenID Connect (OIDC) Authentication with Active Directory in the KeyControl Vault Management appliance.

  • You can now use OpenID Connect (OIDC) Authentication without configuring Active Directory in the KeyControl Vault Management appliance.

  • AWS multi-Region keys are AWS KMS keys in different AWS Regions that can be used interchangeably. The KeyControl Vault for Cloud Keys now supports using AWS multi-region keys in BYOK.

  • The KeyControl Vault for Cloud Keys now supports Azure role-based access control (Azure RBAC) as well as the access policy model as an authorization system.

  • You can now use secondary approval with the KeyControl Vault for Secrets.

  • In KeyControl Vaults that use OIDC for authentication, you can now use Personal Access Tokens as the password for API and CLI commands.

  • Added support for TLS 1.3 and Extended Master Secret (TLS). TLS 1.3 is the default for all new KeyControl installations.

  • You can now set KeyControl to use self-signed certificates for all nodes in a cluster.

  • The KeyControl appliance AMI now only supports Instance Metadata Service (IMDS) version 2 for AWS Cloud.

Changes in Release 10.3.1

Version 10.3.1 lays the groundwork for the upgrade to version 10.4.1, which will be the first release of Cryptographic Security Platform Vault on Oracle Linux. The transition to Oracle Linux from CentOS allows Entrust to improve the security of the Cryptographic Security Platform Vault operating system, but it also requires a different migration path than previous Cryptographic Security Platform Vault upgrades.

Upgrade Path: For Entrust Cryptographic Security Platform Vault, upgrade to 10.3.1 is allowed from version 10.2. For the Entrust Policy Agent, upgrade to 10.3.1 is allowed from versions 10.2, 10.1.1, and 10.1. For details, see Cryptographic Security Platform Vault Upgrade and Policy Agent Upgrades.

Changes in this release:

  • You can now use OpenID Connect (OIDC) Authentication without configuring Active Directory in your individual KeyControl vaults.

  • You can now use Active Directory (AD) or OpenLDAP for authentication in the KeyControl Vault Management appliance.

    • AD users are supported, but not AD groups.

    • Two-factor authentication is supported for local users only.

Changes in Release 10.2

Upgrade Path: For Entrust Cryptographic Security Platform Vault, upgrade to 10.2 is allowed from versions 10.1 and 10.1.1. For the Entrust Policy Agent, upgrade to 10.2 is allowed from versions 10.1 and 10.1.1. For details, see Cryptographic Security Platform Vault Upgrade and Policy Agent Upgrades.

Changes in this release:

  • You can now use hardware security modules with the Cryptographic Security Platform Vault for Secrets.

  • You can now use BYOK with GCP in the Cryptographic Security Platform Vault for Cloud Keys.

  • You can now use MariaDB with TDE in the Cryptographic Security Platform Vault for Databases.

  • The HTTPS proxy server can now be used with BYOK for AWS and Azure.

  • Added support for Double Key Encryption for Microsoft 365 in the Cryptographic Security Platform Vault for Cloud Keys.

  • Two-Factor Authentication is now offered with each Cryptographic Security Platform Vault.

Changes in Release 10.1.1

Upgrade Path: For Entrust Cryptographic Security Platform Vault, upgrade to 10.1 is allowed from versions 10.0 and 10.1. For the Entrust Policy Agent, upgrade to 10.1 is allowed from versions 10.0 and 10.1. For details, see Cryptographic Security Platform Vault Upgrade and Policy Agent Upgrades.

Changes in this release:

  • You can now upgrade KeyControl version 10.0 to KeyControl Vault 10.1.1.

  • It is no longer necessary to enable (SMTP) in the Appliance Manager UI when adding KeyControl Vaults. This restriction in the 10.1 release has been removed.

  • KeyControl Vault PASM vaults now support Ansible. For more detail, see https://github.com/EntrustCorporation/PASM-Vault-Ansible-Plugin.

Changes in Release 10.1

Upgrade Path: You can only deploy Entrust Cryptographic Security Platform Vault 10.1 as a new installation. Upgrade from previous versions of Entrust Cryptographic Security Platform Vault is not supported.

Changes in this release:

  • New Entrust Cryptographic Security Platform Vault Architecture. The Entrust Cryptographic Security Platform Vault family of products has been divided into two components:

    • Cryptographic Security Platform Compliance Manager—This application handles all global requirements for your vaults, such as licensing and authorization.

    • Entrust Cryptographic Security Platform Vault—All of the Entrust Cryptographic Security Platform Vault applications have been separated and moved into individual vaults.

  • You manage licensing for all Entrust Cryptographic Security Platform Vaults using Cryptographic Security Platform Compliance Manager.

  • You can now use Cryptographic Security Platform Vault as an external key manager (EKM) provider for Oracle Server.

  • You can now use Cryptographic Security Platform Vault as an AWS KMS External Key Store (XKS).

  • You can now use the new Tokenization Vault and APIs for tokenization, masking, and encryption of data.

  • You can now use Cryptographic Security Platform Vault with Azure-managed HSMs.

  • You can now configure Syslog Server to use ArcSight Common Event Format (CEF) for logging.

  • Cryptographic Security Platform Vault now supports Remote Administration Ready Smartcards for nShield HSMs.

  • Cryptographic Security Platform Vault now includes the Luna HSM library v10.5.1-174.

Changes in Release 10.0

Upgrade Path: For Entrust Cryptographic Security Platform Vault, upgrade to 10.0 is allowed from versions 5.5 and 5.5.1. For the Entrust Policy Agent, upgrade to 10.0 is allowed from versions 5.3, 5.4, 5.5, and 5.5.1. For details, see Cryptographic Security Platform Vault Upgrade and Policy Agent Upgrades.

Changes in this release:

  • You can now use Cryptographic Security Platform Vault as an EKM provider for Microsoft SQL.

  • You can now use Cryptographic Security Platform Vault to manage your SSH keys.

  • You can now use Bring Your Own Key (BYOK) with Google Cloud Platform.

  • You can now use Cryptographic Security Platform Vault with nShield HSMs that are enrolled in FIPS 140 Level 3 Security Worlds.