CipherTrust Manager offers the industry leading enterprise key management solution enabling organizations to centrally manage encryption keys, provide granular access control and configure security policies. CipherTrust Manager is the central management point for the CipherTrust Data Security Platform. It manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role-based access control to keys and policies, supports robust auditing and reporting, and offers developer friendly REST API.
CipherTrust Manager is available in both virtual and physical form-factors that integrate with FIPS 140-2 validated Thales TCT Luna T-Series and third-party Hardware Security Modules (HSMs) for securely storing master keys with highest root of trust. These appliances can be deployed on-premises in physical or virtualized infrastructures and in public cloud environments to efficiently address compliance requirements, regulatory mandates and industry best practices for data security. With a unified management console, it makes it easy to set policies, discover and classify data, and protect sensitive data wherever it resides using the CipherTrust Data Security Platform products.
- Centralized key management for multiple on-premises data stores and cloud infrastructures
- Reduced risk with unified data discovery, classification and sensitive data protection
- Simplified management with self-service licensing portal and visibility into licenses in use
- Cloud friendly deployment options with support for AWS, Azure, Google Cloud, VMware, Oracle Cloud Infrastructure and more
- Support for superior key control with Thales TCT’s T-Series HSM
- Unparalleled partner ecosystem of integrations with leading enterprise storage, server, database, application and SaaS vendors
FULL KEY LIFECYCLE MANAGEMENT AND AUTOMATED OPERATIONS:
Simplifies management of encryption keys across their entire lifecycle, including secure key generation, backup/restore, clustering, deactivation, and deletion. It makes automated, policy-driven operations easy to perform, and generates alarms for events of interest.
UNIFIED MANAGEMENT CONSOLE
Provides a unified console for discovering and classifying sensitive data integrated with a comprehensive set of CipherTrust Data Protection Connectors to encrypt or tokenize data to reduce risk and satisfy compliance regulations
CENTRALIZED ADMINISTRATION AND ACCESS CONTROL
Unifies key management operations with role-based access controls and provides full audit log review. Authenticates and authorizes administrators and key users using existing AD and LDAP credentials.
MULTI-TENANCY SUPPORT
Provides capabilities required to create multiple domains with separation of duties to support large organizations with distributed locations.
DEVELOPER FRIENDLY REST APIS
Offers new REST interfaces in addition to KMIP and NAE-XML APIs, for developers to simplify deployment of applications integrated with key management capabilities and automate testing and development of administrative operations.
ROBUST AUDITING AND REPORTING
Includes tracking of all key state changes, administrator access, and policy changes in multiple log formats (RFC-5424, CEF, LEEF) for easy integration with SIEM tools.
ROOT OF TRUST
CipherTrust Manager can use Thales TCT’s Luna T- Series HSMs as root of trust. Meeting government mandates for U.S. Supply Chain, the high-assurance, tamper-resistant Luna T-Series HSMs are designed, developed, manufactured, sold, and supported in the United States. CipherTrust k160 uses a removable FIPS 140-2 certified token or high assurance token as a root of trust.
Features
Virtual Appliances | Physical Appliances | |||
Features | k170v | k470v | k160 | k570* |
Administrative Interfaces | Management Console, REST API, kscfg (system configuration), (ksctl (Command Line Interface) | |||
Network Management | SNMP v1, v2c, v3, NTP, Syslog-TCP | |||
Monitoring | Prometheus, Splunk | |||
API Support | REST, NAE-XML, KMIP, PKCS#11, JCE, .NET, MCCAPI, MS CNG | |||
Security Authentication | Local User , AD, LDAPS, Certificate based authentication, Supports Open ID Connect (OIDC) | |||
System Formats | RFC-5424, CEF, LEEF | |||
Supported HSMs for Root of Trust | Luna Network HSM, Luna T-Series Network HSM, Luna as a ServiceHSM , Luna Cloud HSM, AWS Cloud HSM, Azure Dedicated HSM, IBM Cloud HSM, IBM Cloud Hyper Protect Crypto Services Cloud HSM | Removable token HSM using either a FIPS 140 Certified Token or High Assurance Token | Embedded FIPS 140 level 3 & CNSS approved Luna T-series HSM or Luna as a Service HSM | |
Maximum Number of Keys | Tested up to 1M Keys (more possible with appropriately sized virtual environments) | Tested up to 1M Keys (more possible with appropriately sized virtual environments) | Maximum capacity of 10,000 symmetric keys. Maximum of 100 keys using concurrent connections. | 1 Million Keys |
Maximum Domains (multi-tenancy) | 100 | 1000 | 100 | 1000 |
FIPS Support | FIPS 140-2 L1 | |||
Integrates with an external FIPS Certified Physical or Cloud HSM as Secure Root of Trust | FIPS 140 Certified Token HSM | Embedded Luna T-Series PCIe FIPS 140 Level 3 certified – password and multi-factor (PED) | ||
Appliance Specifications
Physical Appliances | k160 | k570 |
Dimensions | 6.5” x 4.0” x 1.5” (165.1mm x 101.6mm x 38.1mm) | 19” x 21” x 1.725” (482.6mm x 533.4mm x 43.815mm) |
Hard Drive | 1x 128GB mSATA SSD SE | 1x 2TB SATA SE (Spinning Disk) |
CPU | Atom E3845 Processor SoC | Xeon E3-1275v6 Processor |
RAM | 8GB | 16GB |
NIC Support | 1x 1GB | 4x1GB or 2x10Gb/2x1Gb (NIC Bonding capable) |
Rack Mount | Standard 1U shelf mount can be optionally purchased (can house up to two k160s) | Standard 1U rack mountable |
Power | External power supply included, locking DC connector | Dual hot swappable power supplies |
Safety & Compliance | FCC, CE | CSA C-US, FCC, CE, VCCI, C-TICK, KC Mark, BIS |
Mean Time Between Failure | 170,869 hours | 153,583 hours |
Virtual Appliances | k170V | k470v |
System Requirements |
|
|
Clouds/Hypervisors Supported |
| |
*Thales TCT can also offer CipherTrust k470 physical appliance. CipherTrust k470 offers the same features and specifications as CipherTrust k570 but does not include an embedded HSM. CipherTrust k470 utilizes an external FIPS Certified Physical or Cloud HSM as secure root of trust.
