What's New

The following changes have been made in HyTrust DataControl release 4.x. For a list of changes made in earlier DataControl releases, see Release Change History.

What's New in KeyControl and DataControl Version 4.3

Feature	Description	Where Documented
Automatic Data Encryption	You can now tell KeyControl that you want to automatically encrypt available devices that match a user-specified path. This option can be controlled at the Cloud VM Set level and at the individual VM level.	Automatic Data Encryption
Access Control Policies	You can now specify folder-level Access Control Rules for Windows disks.	Access Control Rule Types
KeyControl Users and Groups	You can now associate Active Directory (AD) Security groups with a Cloud Admin Group. All members of the AD Security groups can then log into KeyControl as a Cloud Admin. Domain Admin groups have been removed, but the Domain Admin account privilege remains unchanged.	Cloud Admin Groups and KeyControl User Accounts
Cloud VM Sets	You can now designate whether VMs in a Cloud VM Set can be decrypted or whether the HyTrust DataControl Policy Agent can be removed from a registered VM.	Creating a Cloud VM Set
LDAP Authentication Server Configuration	You can now specify two LDAP domain controllers to enable failover.	Specifying an LDAP/AD Authentication Server
KMIP Server	You can now generate a KMIP client certificate bundle using an externally-generated Certificate Signing Request (CSR).	Creating KMIP Client Certificate Bundles
KMIP Client	You can now specify multiple external KMIP servers for KeyControl to use for external Admin Key storage.	Configuring KeyControl as a KMIP Client

What's New in KeyControl and DataControl Version 4.2.1

Feature	Description	Where Documented
Linux Encryption	You can now encrypt any Linux system device such as `/home`, `/var`, or `/opt`.	Linux Root, Swap, and System Device Encryption
KeyControl Upgrades	Starting with version 4.2, you can now upgrade all nodes in your KeyControl cluster without having to dismantle the cluster first. KeyControl upgrades each node in the cluster individually so that there is no cluster downtime during the upgrade.	Upgrading 4.2 or Later KeyControl Nodes with the KeyControl webGUI
Vitals service	Automatic Vitals Reporting lets you automatically share information about the health of your KeyControl cluster with HyTrust Support.	Configuring Automatic Vitals Reporting
Windows Access Control Policies	Windows Access Control Policies now support Distributed File System (DFS) shares.	Access Control Requirements and Considerations

What's New in KeyControl and DataControl Version 4.2

Feature	Description	Where Documented
Extended Platform Support	Support has been added for the KVM hypervisor for both VM management and data encryption.	Supported Platforms
ReFS Disk Encryption	Support has been added for Windows ReFS disk encryption.	Windows Encryption Prerequisites
Disk Access Control Policies	You can now create Access Control Policies that control which user accounts can access the files, folders, and data blocks on encrypted data disks.	Access Control Policies
Linux Online Encryption	Linux disks can now be encrypted, rekeyed, or decrypted while mounted and accessible to users.	Linux Online Encryption Prerequisites and Considerations
SEK Support	You can now specify that a Cloud VM Set should use a Single Encryption Key (SEK) for every VM registered with the set. This allows for data deduplication across VMs in the set.	Data Deduplication with Cloud VM Sets
SNMP Traps	You can now configure SNMP traps in KeyControl.	SNMP Traps in KeyControl
RADIUS Authentication	KeyControl now supports CHAP authentication for RADIUS user accounts.	Specifying Default RADIUS Authentication Server Settings
Online Help Improvements	If you select Help from the KeyControl webGUI User menu, KeyControl now displays a help topic based on the page you are viewing in the webGUI.	KeyControl webGUI Overview

What's New in KeyControl and DataControl Version 4.1

Feature	Description	Where Documented
Extended Platform Support	Data encryption is now supported on Windows 2012 and 2016 Core Servers, as well as on VMware Cloud on AWS.	Supported Platforms
KeyControl Certificates	KeyControl now allows you to import an SSL certificate signed by the external certificate authority of your choice. This externally-signed SSL certificate replaces the default self-signed SSL certificate.	Installing a New External Certificate
KEKs for Cloud VM Sets	If you want to associate a KEK with a Cloud VM Set, KeyControl now requires access to a hardware security module (HSM) in which it can store the KEK. In addition, you can now import a KEK into a Cloud VM Set after that Cloud VM Set has been created.	KEKs with Cloud VM Sets
Dynamic Resizing for Windows Data Disks	You can now resize an encrypted Windows data disk dynamically with no downtime.	Resizing a Windows Data Disk
LDAP PKS Certificate Support	You can now upload a PKS certificate when configuring an LDAP server.	Specifying an LDAP/AD Authentication Server

What's New in KeyControl and DataControl Version 4.0

Feature	Description	Where Documented
Extended Platform Support	Data encryption is now supported on XenServer and Hyper-V hypervisors, as well as Windows 2016 and SLES operating systems. The KeyControl webGUI now supports Internet Explorer 11.	Supported Platforms and Browser Requirements.
Windows Folder Mount Encryption	You can now encrypt a Windows folder mount as well as a standard data drive.	Data Encryption.
LDAP / Active Directory Support	KeyControl user accounts can now be authenticated using an LDAP or Active Directory server.	Authentication for KeyControl User Accounts.
Two-Factor Authentication	KeyControl user accounts can now use two-factor authentication for additional security.	Enabling Two-Factor Authentication.
Automatic Renewal for VM Certificates	New Cloud VM Set properties allow to you have KeyControl automatically renew a VM certificate that is about to expire and to set the default length of time that new VM certificates will be valid.	Setting Default Cloud VM Set Properties.
KEKs for Cloud VM Sets	You can now specify a Key Encryption Key (KEK) for a Cloud VM Set. The KEK controls the key expiration and access for the VMs in the Cloud VM Set.	Creating a Cloud VM Set.
Rekey Throttle Speed	You can now configure the speed at which DataControl encrypts or decrypts a Windows disk or partition based on the number of pending I/O requests on the server. This feature is only available for Windows disks with the HyTrust DataControl Policy Agent installed.	Changing the Encryption/Decryption Speed on Windows.
HyTrust CloudControl link changes	If you want to link KeyControl with CloudControl 5.1, you can take advantage of the new AppLink feature in CloudControl. AppLink provides a more secure communication method and ensures that CloudControl account credentials are never specified in KeyControl.	Linking KeyControl with CloudControl.
Enhanced KMIP Object Support	If you link KeyControl to HyTrust CloudControl 5.1 or later, KeyControl now displays the VM name next to its associated KMIP objects.	Managing KMIP Objects.
KeyControl webGUI Enhancements	The KeyControl webGUI includes many ease of use enhancements, such as a multi-select button that lets you select multiple objects in a table.	KeyControl webGUI Overview.

Note:

The 3.4 HyTrust DataControl Installation and Administration Guide has been split into the HyTrust DataControl Installation and Upgrade Guide and the HyTrust DataControl Administration Guide.