Release Change History

Upgrade Path: For Entrust KeyControl, upgrade to 5.3 is allowed from version 5.2 and 5.2.1 only. For the Entrust KeyControl Policy Agent, upgrade to 5.2 is allowed from release 5.0, 5.1, 5.1.1, 5.1.2, 5.2, and 5.2.1. For details, see KeyControl Upgrade and Policy Agent Upgrades.

Changes in this release:

• Added support for Luna Cloud HSM.

  • You can now use the Luna Cloud HSM as a single HSM or in a cluster with Luna HSM.
  • You can now encrypt KMIP objects with keys stored in the Luna Cloud HSM.
• You can now add a Key Encryption Key (KEK) to an existing Cloud VM Set.

• The htadmin user can now reset the credentials for the Security Administrator (secroot) account. If you do not want to allow htadmin to reset the secroot credentials, you can disable this option.

• You can now set an expiration date for the secroot user account or set it to never expire.

Upgrade Path: For Entrust KeyControl, upgrade to 5.2 is allowed only from release 5.1.1. For the Entrust KeyControl Policy Agent, upgrade to 5.2 is allowed from release 5.0, 5.1, 5.1.1, and 5.1.2. For details, see KeyControl Upgrade and Policy Agent Upgrades.

Changes in this release:

• Security administrators can now enforce two-factor authentication for all users. Two-factor authentication is now supported for all -managed user accounts that use local, RADIUS or LDAP authentication, as well as Active Directory users who access KeyControl using their AD login.
• KeyControl clusters now use certificate-based cluster authentication to join nodes to a cluster and communicate between nodes.
• You can now use the nShield Connect HSM as a System HSM.
• You can now encrypt KMIP objects with keys stored in either IBM HPCS, the nShield Connect HSM, or the SafeNet Luna HSM.
• KeyControl now takes snapshots before you upgrade. You can delete them if you need more space in your system.
• You can now uninstall on Windows silently.
• The new secrets vault provides centralized secure storage for managing and controlling access to secrets required to access systems and resources.
• You can now deploy and run DataControl/KeyControl from the Google Cloud Platform (GCP).

Upgrade Path: For Entrust KeyControl, upgrade to 5.1.2 is allowed from release 5.0, 5.1, and 5.1.1. For the Entrust KeyControl Policy Agent, upgrade to 5.1 is allowed from release 5.0, 5.1, and 5.1.1. For details, see KeyControl Upgrade.

Changes in this release:

• Added support for Safenet Luna client version 10.2.

Upgrade Path: For Entrust KeyControl, upgrade to 5.1 is allowed from release 5.0 and 4.3.2 only. For the Entrust KeyControl Policy Agent, upgrade to 5.1 is allowed from release 5.0 and 4.3.2. For details, see KeyControl Upgrade.

Changes in this release:

• You can now use DataControl with UEFI secure boot on Linux.
• You can now connect KeyControl with multiple Safenet Luna HSM servers in a Safenet High Availability (HA) group.
• You can now use IBM Hyper Protect Crypto Services (HPCS) with DataControl for greater protection of encryption keys.

• You can now enable passphrase-based startup authentication to protect the master key for all nodes in the same cluster.

• You can now use external SSL certificates with your KMIP server.
• You can now use a proxy server for the Vitals Service and Licensing Service.

• Syslog support over TCP now supports different TLS authentication modes.

• Online API documentation is now integrated with the DataControlwebGUI.
• You can now use 4096 bit RSA keys for Policy Agent and KMIP certificate creation.
• You can now use envelope encryption with KeyIDs.

• You can now move a VM from one CVM set to a different CVM set.

• SSH access for HSM users is now supported.
• Improvements to audit log retention have been added.
• You can now use KeyIDs with either Token-Based Authentication or Certificate-Based Authentication.

Upgrade Path: For Entrust KeyControl, upgrade to 5.0 is allowed from release 10.3.2 only. For the Entrust KeyControl Policy Agent, upgrade to 5.0 is allowed from release 4.3 and higher. For details, see KeyControl Upgrade.

Changes in this release:

Version 5.0 is the first release of KeyControl on CentOS. The transition to CentOS from FreeBSD allows Entrust to improve the security of the KeyControl operating system and to add features which were not available in FreeBSD.

The main KeyControl components were ported directly to CentOS and will continue to work as they did in earlier releases. The same is true for the KeyControl APIs. While some new commands were added, the old commands will continue to work.

Some of the major changes made in version 5.0 include:

• Added support for encrypting Windows GPT boot drives, including those drives that use UEFI Secure Boot.
• All data encryption now uses AES-XTS-512 encryption by default, including Linux system device encryption.
• NTP servers are now standardized across nodes when you join a new node to an existing cluster.
• The Entrust support accounts have been redesigned and standardized with CloudControl. This includes an account that can be used in conjunction with Entrust Support to reset the administrative password on a KeyControl node in case of emergencies.
• NFS backup is now disabled by default, so the NFS ports are no longer required. You can enable NFS backup access from the KeyControl webGUI at any time.
• KMIP servers can now require that all registered clients use TLS 1.2.
• You can now specify the SNMP Agent port for your SNMP polling agents.
• Decrypting a Windows boot drive now preserves thin provisioning where applicable.
• A KeyControl Security Admin can now disable two-factor authentication (2FA) for any KeyControl-managed user account. (But only the logged in user can enable 2FA for their own account.)
• The System Console for KeyControl nodes has been re-organized and streamlined.

Upgrade Path: For Entrust KeyControl, upgrade to 4.3.2 is allowed from release 4.2, 4.2.1, 4.3, and 4.3.1 only. For the Entrust KeyControl Policy Agent, upgrade to 4.3.2 is allowed from release 4.1 and higher. For details, see KeyControl Upgrade.

Changes in this release:

Version 4.3.2 lays the groundwork for the upgrade to version 5.0, which will be the first release of KeyControl on CentOS. The transition to CentOS from FreeBSD allows Entrust to improve the security of the KeyControl operating system, but it also requires a different migration path than previous KeyControl upgrades.

Version 4.3.2 adds functionality that you will use when you upgrade to version 5.x. In addition, version 4.3.2 removes support for SafeNet KeySecure.

Upgrade Path: For Entrust KeyControl, upgrade to 4.3.1 is allowed from release 4.2, 4.2.1, and 4.3 only. For the Entrust KeyControl Policy Agent, upgrade to 4.3.1 is allowed from release 4.1 and higher. For details, see KeyControl Upgrade.

Changes in this release:

• You can now connect KeyControl with multiple Safenet Luna HSM servers in a Safenet High Availability (HA) group.

  You can also configure KeyControl to use one certificate for all nodes in the cluster or to use an individual certificate for each node in the cluster. Using individual certificates allows you to register a KeyControl cluster with Safenet LUNA HSM servers that have the ipcheck feature enabled.

• You can now configure multiple NICs on a KeyControl node in order to segregate node traffic.

• The Entrust DataControl documentation set has the following notable improvements:

  • The KeyControl webGUI online help now uses a responsive format that scales to the size of the browser.
  • The procedure for configuring High Availability in KeyControl using a KeyControl Mapping has been expanded and re-organized.
  • The procedures for expanding a Windows boot disk and data drive have been consolidated and improved.
  • The procedure for registering a cloned Linux VM with an encrypted root drive has been added.

Upgrade Path: For Entrust KeyControl, upgrade to 4.3 is allowed from release 4.2 or 4.2.1 only. For the Entrust KeyControl Policy Agent, upgrade to 4.3 is allowed from release 4.1 and higher. For details, see KeyControl Upgrade.

Changes in this release:

• You can now configure auto encryption settings for Cloud VM Sets. When enabled, any disk that matches the specified criteria will be automatically encrypted when it is registered with KeyControl. This option can also be set for individual VMs.
• Windows Access Control Policies can now include one or more folder-level access rules as well as filesystem-level and block-level access rules.
• You can now associate one or more Active Directory (AD) Security groups with a Cloud Admin Group. When you do so, all members of the AD Security group can then log into KeyControl with Cloud Admin privileges over all VMs registered with that Cloud Admin Group.
• Domain Admin groups have been removed, but the Domain Admin account privileges remain the same.
• You can now designate whether encrypted disks in the VMs registered with a Cloud VM Set can be decrypted. This option can also be set for individual VMs.
• You can now designate whether the Entrust KeyControl Policy Agent can be uninstalled from a VM registered with a Cloud VM Set. This option can also be set for individual VMs.
• You can now specify two LDAP domain controllers to enable failover.
• You can now generate a KMIP client certificate bundle using an externally-generated Certificate Signing Request (CSR).
• You can now specify multiple external KMIP servers for KeyControl to use for external Admin Key storage.

Upgrade Path: For Entrust KeyControl, upgrade to 4.2.1 is allowed from release 4.1 or 4.2 only. For the Entrust KeyControl Policy Agent, upgrade to 4.2.1 is allowed from release 3.4 and higher. For details, see KeyControl Upgrade.

Changes in this release:

• You can now encrypt any Linux system device such as /home, /var, or /opt.
• Starting with version 4.2, you can now upgrade all nodes in your KeyControl cluster without having to dismantle the cluster first. Each node in the cluster will be updated in turn. The upgrade process always ensures that keys can be delivered to the Entrust KeyControl Policy Agent or KMIP clients while the upgrade is in process.
• Automatic Vitals Reporting lets you automatically share information about the health of your KeyControl cluster with Entrust Support.
• KeyControl SNMP support has been extended to include host identification and event correlation. On event correlation, KeyControl correlates a Clearing Event or other Status Change with a previously-issued Fault.
• Windows Access Control Policies now support Distributed File System (DFS) shares.

Upgrade Path: For Entrust KeyControl, upgrade to 4.2 is allowed from release 4.1 only. For the Entrust KeyControl Policy Agent, upgrade to 4.2 is allowed from release 3.4 and higher. For details, see KeyControl Upgrade.

Changes in this release:

• Support has been added for the KVM hypervisor for both VM management and data encryption.
• You can now create Access Control Policies that control which user accounts can access the files, folders, and data blocks on encrypted data disks.
• Linux disks can now be encrypted, rekeyed, or decrypted while mounted and accessible to users.
• You can now specify that a Cloud VM Set should use a Single Encryption Key (SEK) for every VM registered with the set. This allows for data deduplication across VMs in the set.
• You can now configure SNMP traps in KeyControl.
• KeyControl now supports CHAP authentication for RADIUS user accounts.
• If you select Help from the KeyControl webGUI User menu, KeyControl now displays a help topic based on the page you are viewing in the webGUI.

Upgrade Path: For Entrust KeyControl, upgrade to 4.1 is allowed from release 4.0 only. For the Entrust KeyControl Policy Agent, upgrade to 4.1 is allowed from release 3.3 and higher. For details, see KeyControl Upgrade.

Changes in this release:

• Data encryption is now supported on Windows 2012 and 2016 Core Servers, as well as on VMware Cloud on AWS.
• KeyControl now allows you to import an SSL certificate signed by the external certificate authority of your choice. This externally-signed SSL certificate replaces the default self-signed SSL certificate.

• In release 4.0, KeyControl added the ability to specify a user-defined Key Encryption Key (KEK) for a Cloud VM Set. The KEK provides an extra layer of security by encrypting the individual data encryption keys on the VMs associated with that Cloud VM Set. Both the KEK and the individual data encryption key must be available before the information on the VM can be accessed.

  In release 4.1, KeyControl improves the security of the KEK by requiring that it be stored on an external hardware security module (HSM) associated with the KeyControl cluster. In addition, it now allows you to import a KEK into a Cloud VM Set after that Cloud VM Set has been created.

• You can now resize an encrypted Windows data disk dynamically with no downtime.
• You can now upload a PKS certificate when configuring an LDAP server.

Upgrade Path: For Entrust KeyControl, upgrade to 4.0 is allowed from release 3.4 only. For the Entrust KeyControl Policy Agent, upgrade to 4.0 is allowed from release 3.2.1 and higher.

Changes in this release:

• Data encryption is now supported on XenServer and Hyper-V hypervisors, as well as Windows 2016 and SLES operating systems.
• The KeyControl webGUI now supports Internet Explorer 11.
• You can now encrypt a Windows folder mount as well as a standard data drive.
• KeyControl user accounts can now be authenticated using an LDAP or Active Directory server.
• KeyControl user accounts can now use two-factor authentication for additional security.
• New Cloud VM Set properties allow to you have KeyControl automatically renew a VM certificate that is about to expire and to set the default length of time that new VM certificates will be valid.
• You can now specify a Key Encryption Key (KEK) for a Cloud VM Set. The KEK controls the key expiration and access for the VMs in the Cloud VM Set.
• You can now configure the speed at which DataControl encrypts or decrypts a Windows disk or partition based on the number of pending I/O requests on the server. This feature is only available for Windows disks with the Policy Agent installed.
• Support bundles no longer contain the object store from the KeyControl node.
• If you want to link KeyControl with CloudControl 5.1, you can take advantage of the new AppLink feature in CloudControl. AppLink provides a more secure communication method and ensures that CloudControl account credentials are never specified in KeyControl.
• If you link KeyControl to Entrust CloudControl 5.1 or later, KeyControl now displays the VM name next to its associated KMIP objects.
• The KeyControl webGUI includes many ease of use enhancements, such as a multi-select button that lets you select multiple objects in a table.

Upgrade Path: For Entrust KeyControl, upgrade to 3.4 is allowed from release 3.3 only. For the Entrust KeyControl Policy Agent, upgrade to 3.4 is allowed from any 3.x release.

Changes in this release:

• Support for KMIP object actions using the KeyControl webGUI.
• Fully scriptable installation of KeyControl clusters.
• Updated support for Linux Policy Agents including Ubuntu 16.04.
• Updated support for Windows Policy Agents including FIPS enabled Windows and Server Core.

Upgrade Path: For Entrust KeyControl, upgrade to 3.3 is allowed from 3.2, 3.2.1, and 3.2.1 P1. For the Entrust KeyControl Policy Agent, upgrade to 3.3 is allowed from any previous Policy Agent release.

Changes in this release:

• Entrust KeyControl support in Microsoft Azure Marketplace.
• KeyControl Master Key recovery improvements. Admin Key part is now available as download from the KeyControl webGUI.
• KeyControl download of debug logs using the webGUI.
• KeyControl backup and restore using the webGUI.
• KeyControl improved logging including KMIP server logging.
• KeyControl selection of allowed SSL protocols and ciphers.
• Preferred ordering and recovery for KeyControl Mappings.
• Cloud VM Set settings include all properties and the ability to propagate them to all VMs.
• Entrust KeyControl Policy Agent safe migration of disks.
• Policy Agent Linux configurable installation location.
• Policy Agent Linux LVM/md devices no longer require -o.
• Policy Agent Windows online resize of encrypted boot.
• hcs3 command improvements.
• Policy Agent Linux recovery key versioning for restore.
• Centralized storage/retrieval in KeyControl of Policy Agent debug console keys.

Upgrade Path: For Entrust KeyControl, upgrade to 3.2.1 is allowed from 3.1, 3.1.1, 3.1.2, and 3.2. For the Entrust KeyControl Policy Agent, upgrade to 3.2.1 is allowed from any previous Policy Agent release.

Changes in this release:

• Fix for Linux RDE issue with non-RDE devices not mounting.
• Fix for Windows RDE boot failures on non-server OS. Also boot can be attached as data disk for debugging.
• Fix for Windows Entrust KeyControl Policy Agent issue with hcld dying and not restarting.

Upgrade Path: For Entrust KeyControl, upgrade to 3.2 is allowed from 3.1, 3.1.1, and 3.1.2. For the Entrust KeyControl Policy Agent, upgrade to 3.2 is allowed from any previous Policy Agent release.

Changes in this release:

• KeyControl webGUI now features a Dashboard to track Cloud VM health and statistics.
• All disks (encrypted or unencrypted) from Entrust KeyControl Policy Agent VMs show in the KeyControl webGUI.
• Entrust KeyControl cluster scalability improvements.
• KeyControl KMIP server increased object limits to 1000 and improved clusterization.
• KeyControl now supports Safenet Network HSM (formerly Luna SA) to protect encryption keys.
• Policy Agent rekeys can now be scheduled via the KeyControl webGUI and will then run automatically.
• Policy Agent encryption tasks can now be started from the Windows Entrust Policy Agent GUI.
• Encryption of S3 objects now supported by the Windows Policy Agent.

Upgrade Path: For Entrust KeyControl, upgrade to 3.1.2 is allowed from 3.0, 3.0.1, 3.1 and 3.1.1. For the Entrust KeyControl Policy Agent, upgrade to 3.1.2 is allowed from any previous Policy Agent release.

Changes in this release:

• KeyControl improvements for transferring larger cluster data sets.
• KeyControl improvements in communication scaling.
• KeyControl upgrade no longer generates spurious "Grace period expired" alerts.
• Added RequestReadTimout to KeyControl Apache config.
• KeyControl upgraded clusters now properly handle internal CA certs.
• DataControl audit message IDs are now included in syslog and export output.
• Windows Policy Agent Early Attach is supported on Windows Azure.
• Windows Policy Agent Early Attach correctly handles Windows Updates.
• Upgrade Windows Policy Agent handles binaries that are in use during upgrade.
• Linux Policy Agent now supports scripted upgrade.
• Linux Policy Agent now supports RHEL 7.2 and CentOS 7.2.

Upgrade Path: For Entrust KeyControl, upgrade to 3.1.1 is allowed from 3.0, 3.0.1 and 3.1. For the Entrust KeyControl Policy Agent, upgrade to 3.1.1 is allowed from any previous Policy Agent release.

Changes in this release:

• Windows Policy Agent now supports Windows 8, 8.1, and 10.
• Linux Policy Agent now supports RHEL 7.1, CentOS 7.1.
• Windows Policy Agent now attaches all encrypted devices before any application starts (Early Attach).
• Windows Policy Agent now allows assignment and change of drive letters.
• Windows Policy Agent has significantly improved encryption speed.
• Linux Policy Agent supports filesystem level encryption for some Linux versions and distributions. (See the 3.1 Admin Guide.)
• Root drive encryption for both Linux and Windows Policy Agents is now supported in Azure.
• KeyControl has updated the OS version, including current security patches and improved tamper prevention.
• KeyControl includes a full KMIP server.
• KeyControl KMIP client can now use SafeNet KeySecure.
• All alert messages are now fully numbered, detailed, and include suggested severity and resolution.
• Fixed issue with upgrade of secondary KeyControl nodes.

Upgrade Path: For Entrust KeyControl, upgrade to 3.0.1 is allowed from 2.7, 2.7.1, and 3.0. For the Entrust KeyControl Policy Agent, upgrade to 3.0.1 is allowed from any previous Policy Agent release.

Changes in this release:

• Multiple DNS servers are now supported for the Policy Agent.
• Fix for small potential corruption when using the Linux Policy Agent.
• Linux Policy Agent now cleans initrd/grub changes on uninstall.
• Linux Policy Agent better handles a system update that includes kernel change.
• Linux Policy Agent EPEL install improvements.
• Linux Policy Agent correctly handles LVM device mapper changes.
• Linux Policy Agent warns of attempted use of absolute path names for devices.
• Linux Policy Agent now support RHEL 6.7 and CentOS 6.7.
• Windows Policy AgentBootloader handles multiple NICs.
• Windows Policy Agent performs check for space for Bootloader prior to install.
• KeyControl Apache logs now correctly rolled and compressed.

Upgrade Path: For Entrust KeyControl, upgrade to 3.0 is allowed from 2.7 and 2.7.1. For the Entrust KeyControl Policy Agent, upgrade to 3.0 is allowed from any previous Policy Agent release.

Changes in this release:

• Windows Policy Agent fully supports Windows 7 including boot drive encryption.
• Windows Policy Agent supports GPT disks for data encryption only.
• Windows Policy Agent supports a scripted installation.
• KeyControl can use an external KMIP server to protect encryption keys and provide entropy.
• KeyControl has a new, modern, scalable webGUI.
• KeyControl scalability improvements including separation of internal KeyControl traffic and tunable cluster timeout.

Upgrade Path: For Entrust KeyControl, upgrade to 2.7.1 is allowed from 2.6 and 2.7. For the Entrust KeyControl Policy Agent, upgrade to 2.7.1 is allowed from any previous Policy Agent release.

Changes in this release:

• Support for Windows 2012R1, including boot drive encryption.
• Windows Policy Agent now automatically installs Bootloader for boot drive encryption.
• Windows Policy Agent now automatically creates a System Reserved Partition for boot drive encryption if one does not exist.
• Fixed Windows Policy Agent issue of spurious grace period violations that occurred every reboot of an encrypted boot drive.
• Fixed Policy Agent issue where configuration changes done on KeyControl were not being properly propagated to the Policy Agent.
• AWS linux is now supported for Linux Policy Agent root drive encryption
• Linux Policy Agent now properly supports both PV and HVM systems for root drive encryption.

Upgrade Path: For Entrust KeyControl, upgrade to 2.7 is allowed from 2.5, 2.5.1 and 2.6 . For the Entrust KeyControl Policy Agent, upgrade to 2.7 is allowed from any previous Policy Agent release.

Changes in this release:

• Windows boot drive encryption for Windows 2012. Boot drive can be MBR only, no GPT/EFI.
• Windows Policy Agent now has support for XTS cipher mode.
• KeyControl network mappings.

Upgrade Path: For Entrust KeyControl, upgrade to 2.6 is allowed from 2.5 and 2.5.1 . For the Entrust KeyControl Policy Agent, upgrade to 2.6 is allowed from any previous Policy Agent release.

Changes in this release:

• KeyControl now supported in Amazon Web Services.
• Windows boot drive encryption for Windows 2008 R2. Boot drive can be MBR only, no GPT/EFI.
• Policy Agent support for Windows 2012.
• Linux Policy Agent now has support for XTS cipher mode.
• Product is now available in .iso, .ova, and AMI formats.

HyTrust DataControl Virtual Storage Edition (HTDC VSE) has reached End-of-Sales and this version of the DataControl product will no longer be for sale after the DataControl 2.5 release.

HyTrust DataControl Virtual Machine Edition (HTDC DCPA) is not affected by this change and will continue as our standard DataControl offering. Please contact Entrust support for any further questions.

Upgrade Path: For Entrust KeyControl, upgrade to 2.5.1 is allowed from 2.4, 2.4.1, and 2.5 . For the Entrust KeyControl Policy Agent, upgrade to 2.5.1 is allowed from any previous Policy Agent release.

Changes in this release:

• Downgrade of DataControl Policy Agent client from 2.5.1 is NOT supported.
• Windows Policy Agent will now properly handle device that are reordered by the OS.
• Windows Policy Agent encryption now completes properly.
• Windows Policy Agent now handles drive letter mapping and unmapping in a more robust manner.

Changes in this release:

• Scalability issues with the KeyControl GUI and API have been addressed. Previous releases would suffer small performance degradations when many users or many DataControl Policy Agent clients were simultaneously accessing KeyControl.
• Linux Policy Agent client supports root/swap disk encryption.
• Linux Policy Agent simplified registration.
• Windows Policy Agent online encryption/decryption/rekey.
• Windows Policy Agent compatibility with VSS and MS applications.
• KeyControl RADIUS authentication support.
• Full KeyControl REST API.
• KeyControl support for static routes.
• KeyControl configurable password strength and complexity.
• KeyControl support for environments without internet or email access.

Changes in this release:

• Scalability issues with KeyControl GUI and API have been addressed. Previous releases would suffer small performance degradations when many users or many Policy Agent clients were simultaneously accessing KeyControl.
• Windows toggle between GPT and MBR partition types does not remove evidence of the prior partition type. client has been updated to recognize the current designation of partition type despite this lack of cleanup.
• A second add of Policy Agent device with portable GUID was not correctly recognizing the device as already registered. client has been updated to correctly detect.
• Windows popen call can and does fail randomly. client has been updated to retry popen calls until call is successful.
• Windows Policy Agent client contains libraries that do not interpret non-ASCII character sets. Use of these non-ASCII character sets has been limited to avoid the library issues. Future releases will expand on I18N support.

Rebranding. Following from the acquisition of HighCloud Security by HyTrust in 2013, we have rebranded the products to include Entrust logos and company information.

There have been some name changes to the components as follows:

With the exception of rebranding and name changes, all capabilities of the product are the same as they were in the 2.3 release.

Changes in this release:

• Encrypted device mobility and sharing: Encrypted devices can now be moved between servers and also shared among servers authenticated by the same KPS.
• Support for Windows failover clusters: Windows failover cluster environments with shd storage protected by HighCloud encryption using the Data Security Module (DSM) are now fully supported.
• Windows GUI: Windows clients running HighCloud Data Security Module (DSM) now support GUI based administration.

• Support for file encryption (beta): Individual files can now be encrypted using the HighCloud Data Security Module. These encrypted files can only be decrypted on servers that have been authenticated with the same KPS and belong to the same Cloud VMSet on that KPS.

  Note: This feature is marked "beta" in the 2.3 release in order to provide early access to some customers and collect feedback. It will be released for production use in a subsequent release.

• Support for Amazon S3 encryption (beta): Amazon S3 objects can now be encrypted using the HighCloud Data Security Module. These encrypted objects can only be decrypted on servers that have been authenticated with the same KPS and belong to the same Cloud VMSet on that KPS.

  Note: This feature is marked "beta" in the 2.3 release in order to provide early access to some customers and collect feedback. It will be released for production use in a subsequent release.

• Support for device resize on Windows and Linux: Encrypted devices can now be resized on both Windows and Linux platforms
• System diagnostics and logs via GUI: System logs and other system diagnostics can be sent to HighCloud support directly from the GUI.
• Simplified 'hcl' command set: The 'hcl' command, used to administer clients running the HighCloud Data Security Module has been greatly simplified for ease of use.
• Several performance and stability fixes.

Changes in this release:

• Support for encapsulating devices on Windows clients: On Windows VMs, devices with existing data can now be protected with HighCloud encryption without the need to copy data out of and then back into these devices. Prior to 2.2, this capability only existed for Linux VMs.
• Support for cloning and replicating VMs of devices under HighCloud Encryption.
• Support for upgrading KPS, VMV nodes from version 2.1 to version 2.2.
• Support for upgrading Linux and Windows VMs running version 2.1 of the DSM to version 2.2.
• VMs running Debian 6.0.7 can now be protected using HighCloud encryption.
• Support for VMs running in Azure cloud.
• Several stability and performance fixes.

Changes in this release:

• Significantly reduced set of prerequisites for installing the in-guest DSM on Virtual Machines to be protected.
• Support for Rest based API for administering the product.
• Support for upgrading KPS, VMV nodes from version 2.0 to version 2.1.
• Support for upgrading Linux VMs running version 2.0 of the DSM to version 2.1.
• Several stability and performance fixes.

Changes in this release:

• The ability to encrypt devices within individual Virtual Machines wherever they reside. Device encryption works independently of the type of the hypervisor platform (Type 1, Type 2, etc.) as well as the hypervisor vendor (VMware, Microsoft, Citrix, Red Hat, etc.) and Cloud environment (Amazon AWS, Savvis, etc.). Both Linux and Windows platforms are supported - see Data Sheet for details of supported platforms and recommended configurations.
• Support for product deployment from an OVF template (in addition to the support for installation from ISO image).
• Support for upgrading KPS and VMV nodes from version 1.1.7 to version 2.0.
• Support for browser time zones.
• Several stability and performance fixes.

Changes in this release:

• Support for upgrading KPS and VMV nodes from version 1.1.6 to version 1.1.7.
• Support for selecting filestore record size and optimizing filestore log behavior for throughput vs latency.
• More accurate reporting of free space on VM Sets.
• Enhanced troubleshooting and support infrastructure.
• Several performance and stability fixes.

Changes in this release:

• Support for upgrading KPS and VMV nodes from version 1.1.5 to version 1.1.6.
• Support for iSCSI VMSets.
• Several performance and stability fixes.

Changes in this release:

• Support for upgrading KPS and VMV nodes from version 1.1.4 to version 1.1.5.
• Support for Installing OVF (Open Virtual Machine) format VMs on top of datastores exported by the VMV.
• Support for changing n/w interfaces on the VMV.
• Performance fixes.
• Some stability related fixes.

Changes in this release:

• Support for upgrading KPS and VMV nodes from version 1.1.3 to version 1.1.4.
• Support for changing the IP address of a KPS or a VMV node via the console men.
• Admin key is now auto generated and distributed to security admins on first login and also on any change to the list of security administrators.
• Several stability related fixes.

Changes in this release:

• Automatic support for AES-NI in Intel and AMD processors.
• Support for VMtools, in particular the management tools and support for the vmxnet2 adapter.
• Support for multi-node KPS clusters. We have tested 2 nodes but the actual number of nodes is not limited.
• Support for external log servers via syslog.