What's New
The following changes have been made in HyTrust DataControl release 5.1. For a list of changes made in earlier DataControl releases, see
What's New in KeyControl and DataControl Version 5.1
Feature | Description | Where Documented
---|---|---
UEFI Secure Boot | Added support for UEFI Secure Boot on Linux. |
HSM Client Account | Added support for connecting KeyControl with multiple Safenet Luna HSM servers in a Safenet High Availability (HA) group. | Hardware Security Modules with KeyControl
IBM HPCS Support | You can now use IBM Hyper Protect Crypto Services (HPCS) with DataControl for greater protection of encryption keys. | KEKs with Cloud VM Sets
Startup Authentication Support | You can now enable passphrase-based startup authentication to protect the master key for all nodes in the same cluster. | Startup Authentication
Proxy Server Support | You can now use a proxy server for the Vitals Service and Licensing Service. | Enabling a Proxy Server for the Vitals Service and Licensing Service
Custom KMIP Certificate | You can now use external SSL certificates with your KMIP server. |
Move VMs between CVM Sets | You can now move a VM from one CVM set to a different CVM set. |

Version 5.0 is the first release of KeyControl on CentOS. The transition to CentOS from FreeBSD allows HyTrust to improve the security of the KeyControl operating system and to add features which were not available in FreeBSD.
The main KeyControl components were ported directly to CentOS and will continue to work as they did in earlier releases. The same is true for the KeyControl APIs. While some new commands were added, the old commands will continue to work. All changes are described in the online help and the HyTrust DataControl Administration Guide.
Some of the major changes made in version 5.0 include:
- Added support for encrypting Windows GPT boot drives, including those drives that use UEFI Secure Boot.
- All data encryption now uses AES-XTS-512 encryption by default, including Linux system device encryption.
- The HyTrust support accounts have been redesigned and standardized with CloudControl. This includes an account that can be used in conjunction with HyTrust Support to reset the administrative password on a KeyControl node in case of emergencies.
- NFS backup is now disabled by default, so the NFS ports are no longer required. You can enable NFS backup access from the KeyControl webGUI at any time.
- KMIP servers can now require that all registered clients use TLS 1.2.
- You can now specify the SNMP Agent port for your SNMP polling agents.
- Decrypting a Windows boot drive now preserves thin provisioning where applicable.
- A KeyControl Security Admin can now disable two-factor authentication (2FA) for any KeyControl-managed user account. (Only the logged-in user can enable 2FA for their own account.)
- The System Console for KeyControl nodes has been re-organized and streamlined.
Behavioral Changes in Release 5.0
The basic KeyControl functionality, including the KeyControl webGUI, the hcl interface, and the API commands, has not changed in version 5.0. However, there are some behavioral changes between versions 4.3.x and 5.0.
Version 4.3.x Behavior | Version 5.0/5.1 Behavior
---|---
Administrators log into the KeyControl VM console as | Administrators log into the KeyControl VM console as In addition, the HyTrust KeyControl System Console has been reorganized and the workflow for some menu options has changed. For more information,
Administrators can only use the HyTrust DataControl Policy Agent to encrypt Windows MBR boot drives. GPT boot drives are not supported. | Administrators can encrypt both Windows MBR and GPT boot drives, including GPT boot drives that use UEFI Secure Boot.
Starting in 4.3.1, administrators can specify up to three NICs for each KeyControl node so they can segregate node traffic. | Version 5.0 only supports a single NIC on each KeyControl node, and all traffic must use that NIC. Multiple NICs are supported beginning with version 5.1.2.
Starting in 4.3.1, administrators can configure KeyControl to use a Safenet HA group when saving information to an HSM server. | Version 5.0 only supports a connection to a single HSM server. Connections to a Safenet HA group are supported beginning with version 5.1.2.
Users can navigate to the KeyControl webGUI without specifying | Users must explicitly specify
When you join a new node to an existing cluster, the NTP server settings on the new node are retained even if the NTP server list differs from the one used by the node to which it is being joined. | When you join a new node to an existing cluster, the NTP settings for the new node are overwritten to match the node to which it is being joined. This ensures that the system clocks of all nodes use the same base time. (The NTP server list can be changed for an individual node after it has joined the cluster.)
Administrators can change the node's IP address and hostname as long as the node is not part of a cluster. | Administrators cannot change the node's hostname or IP address after the node has been initially deployed. For more information, see
Restricted support logins require port TCP/6666 while full support logins require port TCP/22. | Both restricted support and full support logins use port TCP/22. KeyControl no longer uses port TCP/6666.
Backup via NFS is always available through the backup hosts specified for the cluster. | Backup via NFS is disabled by default, and must be manually enabled if you want to use it. For more information, see
In the 4.3.2 dashboard, the percentage of "System Disks Encrypted" is calculated based only on the number of encrypted Linux root devices and Windows boot drives. The percentage does not include any other Linux system devices such as /home, swap, or /boot. | In the 5.0 dashboard, this percentage includes all Linux system devices such as root, swap, /home, /var, etc. Therefore the percentage may change after you upgrade to version 5.0.
You can only create a log bundle on a KeyControl node using the restricted support login. In addition, the default System Console timeout is 1,800 seconds. | The HyTrust KeyControl System Console includes added functionality such as the ability to generate a log bundle from the main menu. In addition, the default System Console timeout has been reduced to 900 seconds for added security. For details, see
If you enter a hostname in mixed case, the case is preserved when the node is deployed or upgraded. | All hostnames are converted to lowercase when the node is deployed or upgraded from version 4.3.2.
Administrators can create Filesystem IDs (FSIDs) for older versions of Linux so that encryption keys can be shared across NFS clients. This feature is only available for those Linux distributions that support both directory-level encryption and NFS. | Support for FSIDs has been removed because eCryptfs and NFS are only supported in RHEL and CentOS versions 5.x and earlier.