SecureDoc v7.28 Release Notes

SD-21870

SD Linux: Reducing drivers dependency on kernel patch versions

Issues: When SD Linux released a major or minor version we are looking for a way to support installation and resolve current heavy dependency of patch versions of Linux with our product.

Enhancement: We have developed a utility to modify the binary driver file on fly if only the patch version has changed. The drivers build needs to upload to an Amazon S3 bucket (Link: https://s3.amazonaws.com/CloudVM/Linux/drivers/7.28.000)  automatically so our product or scripts can download and update the client from this location. The driver will be automatically downloaded from our server during installation or user can downloaded it manually (e.g. Kernel 4.4.0-63).

• Download from: https://s3.amazonaws.com/CloudVM/Linux/drivers/7.28.000/SDLinuxDrv-4.4.0-63.ko
• Rename the file to SDLinuxDrv.ko
• Make a new dir in installation folder under drivers/4.4.0-63 and copy the driver file there and run command "sudo ./install "
  

List of supported Linux versions and kernels:

• RHEL/Centos : 3.10.0-327 and 3.10.0-514
• Ubuntu v14 : 3.19.0-25 3.19.0-75
• Ubuntu v16.04 : 4.4.0-21 , 4.4.0-31 ,4.4.0-53 , 4.4.0-59 , 4.4.0-62 , 4.4.0-63 , 4.4.0-64, 4.4.0-79 , 4.4.0-83
• Ubuntu v16.10 4.8.0-36 and 4.8.0-46

SD Linux Client: Supports Ubuntu v16.04 with the new kernel v4.8

Issue: SDLinux Client supports Ubuntu V16.04.02 with the new kernel 4.8. Alternatively, SDLinux Client should support Ubuntu V16.04.02 with kernel 4.4.

This issue is now fixed: Upgrade the kernel from 4.4 to 4.8 by run command "sudo apt install --install-recommends linux-generic-hwe-16.04" to download kernel online and the new driver (4.8.0-46) is already injected into the installation package. The full kernel versions are 4.8.0-36 and 4.8.0-46. With 4.8.0-36 driver will automatically download from our server during installation.

SD-22478

SD Linux Client: Sends recovery information to SES while recover data from encrypted system

New Feature: SDLinux now has the capability to send recovery information back to SES, in order to recover data from an encrypted/encrypting or non-bootable VM. The recovery information can be properly exported and SDLinux can successfully recover.

Limitation: LVM-based system recovery is a limitation in v7.28.

SD-22656

SD Linux Client: Supports static IP (limited to RHEL 7.3 only)

SD-22657

SD Linux Client: Supports LVM resizing on an encrypted volume

Improvement: CloudVM now supports an encrypted VM with LVM configuration, and is able to extend the LVM volume for more space without any disruption.

Solution: The changing LVM volume size after installation, PBA was unable to match the volume correctly at boot time, by removing the extra check for size when the volume name matches the volume type is LVM (this doesn’t change the name).

Client machine is unable to begin decryption with the “Decrypt All” option in SecureDoc Control Center

Issue: Windows client machine is unable to start decryption when using "Decrypt All" in SecureDoc Control Center (SDCC). SecureDoc progress bar does not open and decryption does not start when using "Decrypt All" function in SDCC.

Limitation: In SES 7.28 the common Users will not have a chance to go to this option. You can start decryption from the start button. There is no purpose for decryption because immediately after decryption it will be encrypted again (SDOT-Bitlocker is deployed).

Manufacturer info registration not updated properly for Scale Environment CloudVM’s

Enhancement: The manufacturer info registration for Scale Environment CloudVM's are currently the manufacturers info during device registration for Scale VM's are registered as "Red Hat". The Manufacturer info should be displayed/Identified depending on Scale VM's or Environment.

Limitation: This currently exist in SES 7.28

SD-23625

Newly supported regions has not been added to Azure GEO location policies list

Enhancement: The newly announced Regions for Africa and Asia Pacific should be added into Azure GEO location policies list. The list in Prevent Azure from Auto-Booting if found in the following Region(s) is missing 2 regions of Africa and 2 regions of Asia Pacific:
- Africa: South Africa West and South Africa North
- Asia Pacific: Australia Central 1 and Australia Central 2

Limitation: This currently exist in SES 7.28

SD-23720

Error 500 when creating Emergency Disk (EMG)

Issue: Error 500 displayed when creating Emergency Disk while client installing BootLogon.  The issue occurs in Windows client while BootLogon is being installed and creating an Emergency Disk in SES Web at the same time.

Note: This issue does NOT occur on Linux Client.

SecureDoc CloudVM does not support moving of parent folders between two different Organizational Units (OU’s) in the Active Directory

If any parent folder is moved from one OU to a different OU, then duplicate OU names are created in the SecureDoc Enterprise Sever (SES).

Recommendation: Users should avoid the movement of parent folders between Organization units, if at all possible.

The deployed installation packages (which contains the profile options) created using the SESWeb cannot be modified

Recommendation: At this stage, if a different profile behavior is required for a given device, the device should be decrypted, SecureDoc should be uninstalled, a new profile/package deployed to the device and the device re-encrypted.

Child Virtual Machines fails at registration if the parent machine is permanently deleted from SES

The cloned and/or child virtual machines move to the same folder where a parent machine moves. If a parent is moved to the Recycle Bin (to save a license), the clones and/or child virtual machines will also move to the Recycle Bin.

Recommendation: The parent virtual devices should either be active or present in the Recycle Bin.

Self-Help warning messages, such as “Self-Help questions must be answered before continuing” and “Self-Help recover is not available for this user

Please contact your administrator” is prompted after the User logs into SecureDoc Control Center (SDCC).

Recommendation: Users are advised that, though self-help recovery is incongruous in the context of Cloud-hosted servers (since they auto-boot), at this point the standard behavior of the SecureDoc Key File applies, which natively normally requires responses to Self-Help recovery questions.

Installation packages cannot be created and prepared in an environment where SES Console and SDConnex are installed on physically separate instances (VM’s or real hardware)

The SecureDoc installation package creation fails if SES administrators use a different server (i.e. SDConnex is configured on a different server using the key file and Database from the other server) for creation of web installer packages.

SecureDoc CloudVM extends limited support for Azure Classic VM’s

When Azure Classic VM’s are synced into SES Web, the instant state will be reported as “ReadyRole” instead of “Running”.

Note: “ReadyRole” actually means the same as a status of “Running” for other devices. This is because the Classic instances, unlike the RM instances, have a different system state label.

SecureDoc CloudVM does not support Generation 2 (UEFI) Virtual Machines on Hyper-V environment and vSphere UEFI virtual machine

The SecureDoc pre-boot functionality does not work on the Generation 2 with UEFI virtual machines. Therefore, these Generation 2 VMs cannot be encrypted using SecureDoc CloudVM.

When the “Prevent KF from being saved locally on the machine at deployment” option in the SESWeb installation package settings is set to Yes
The key files will still be pushed down to:

• Users assigned to a package
• Windows accounts, if enabled
• Users assigned to a folder where a device is moved

Recommendation: It is strongly recommended not to enable this option. If you want to push a key file to a device, manually push them by assigning user to a device.

Encryption progress bar is NOT displayed on some Azure RM Virtual Machines with Standard A1 & A0 size

When the SESWeb package is created and deployed with the "Hide Encryption Progress from User" option set to NO, the encryption progress bar is not visible after the device restart.

Recommendation: Please note that (in this version) in some circumstances you may not see the Encryption Progress panel on Azure RM Virtual machines with Standard A1 and A0 sizes, even if the installation package was configured to display it.

The remote command “Lock Device” does NOT work

The client device fails to lock when SES administrator’s attempts to lock a selected client device by sending a remote “Lock Device” command from SESWeb.

New clones cannot be created from the crypto-erased parent machines

If a Master virtual machine is crypto-erased, the new child instances using that master image will also be crypto-erased. It is recommended not to crypto-erase a parent virtual machine if you want to create new clones from its image.

Recommendation: Do not crypto-erase a parent virtual machine if you want to create new clones from its image.

SESWeb will NOT support partition encryption and excluding partitions

The Encrypt partition only option has been removed from SESWeb. SecureDoc CloudVM installation packages cannot be created and deployed to the client devices with the “encrypt partition only” option.

Microsoft Azure Classic VMs are not removed to Recycle Bin upon termination from Azure

When the Azure Classic VMs are terminated from Azure GUI, they are still visible on the Devices tab in the SESWeb are not moved to the Recycle Bin. The SecureDoc CloudVM license count remains unaffected.

Recommendation: If it is confirmed that an Azure Classic VM has been terminated, the SES Administrator should manually delete that VM, sending it to the Recycle Bin.

Auto-Scaled up and down cloud instances are not moved to Recycle Bin

When the cloud devices are auto-scaled up and then down within the 3-hour interval, the terminated devices (auto-scaled down) do not get moved from the Devices tab to Recycle Bin.

Since these devices still exist in the Devices tab, their licenses are not freed up. SES administrators should manually move the terminated (auto-scaled down) devices to Recycle Bin to free up the licenses.

Recommendation: Manually move the terminated (auto-scaled down) devices to Recycle Bin to free up the licenses consumed by these terminated auto-scale devices.

Contact Technical Support error occurs when sending cryptoerase device to SDLinux devices

Issue: SES Console is sending cryptoerase device to SDLinux device shows error '781a contact technical support'. In the SES console, sending Crypto-erase command to Linux client still works properly but got a pop-up error.

Note: Pop-up error does not show when sending command from SES Web.

Limitation: This issue only occurs in Private cloud (VMWare, Hyper-V and VSphere) but not in Public cloud (Microsoft Azure and Amazon).

SD-23307,

Issue: [AWS] Fails to deploy default package on Ubuntu 16.04 LTS (HVM) kernel 4-4.0-1020 (New Kernel). No driver file was found for new kernel version 4.4.0-1020 when deploying package on Ubuntu. This kernel is the special version for AWS: https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1020.29

Work-around: Download the new version of prebuild file for kernel 4.4.0-1020, and add the new version in the publishing build.

Issue:  Ubuntu 16.10 kernel 4.8.0-46-generic: Online fast conversion skipped root volume:adjustSectorBlockToConvert failed 0x7f2bb79c. The volume sda1 (root volume) was skipped while other data/swap volumes encrypting/encrypted after deployed package. And this only happens on 16.10 with kernel 4.8.0-46-generic.

Work-around: N/A.

CloudVM Linux runs on the following flavors of Linux along with these Kernel versions

Please note that SecureDoc pre-boot requires a separate volume in which is created during the installation process. Otherwise, the installation process will fail if we are unable to create this special volume.

Recommendation: Please confirm if the kernel version of the VM device to be deployed is currently supported with SecureDoc’s supported list included above.

For conversion, please see the recommendation listed here:

1. We highly recommend encrypting a Linux VM using our “Fast” and “Offline” mode set to yes.
2. Please do not forcibly power off a VM during the encryption process regardless of the conversion mode. Whether it’s in the “fast” or “thorough” Mode.
3. If you are using the “fast” conversion mode and Offline mode set to No then do not perform any read and/or write operations while VM is running. Example: copying a file or working on a program, during the conversion process.

Concerning current public Cloud market place images

In Azure, SecureDoc does not currently support the deployment of Ubuntu and CentOS flavors, due to environments limitations on Azure.

Recommendation: Please use custom images with available free space or SWAP space in the mentioned flavors if to be deployed in Azure.
In AWS, Secure Doc does not support the newer kernel versions for Ubuntu 16 flavors.

Client’s info is not all sent back to SES database after deploying and encrypting

Specifically Public and Private IP addresses as well as attached volumes and drives.

On rare occasions the device does not start after installing Linux on the machine with redhat7.2 client on Azure

Please note that this is an issue with Azure infrastructure and not an issue with SES.

Installation of multi volume encryption is haled on reboot for a system with more than 16 volumes

Recommendation: Please ensure that (including root + SWAP) that the environment does not have in excess of 16 volumes.

Encryption does not start when creating multi volume Linux VM environment specifically where there are volumes after the given range of sectors used or SWAP

Recommendation: This issue mainly manifests in LVM type devices used in private cloud instances and custom public cloud images. Please do not create any data volumes after creating SWAP space. Create all required data volumes prior to defining the space which would be used for SWAP.

In Microsoft Azure, SDLinux solutions cannot be deployed on either CentOS or Ubuntu related flavors

SDLinux requires the boot - encryption does not start with Linux installation package for SES web for offline conversion of boot disk. This is a result of both Ubuntu and CentOS requiring the boot drive to be the primary drive.

Work-around: We recommend using a custom VM Image (environment) created with either available SWAP or Free Space for the SDSpace volume to be created on the root Drive.

SecureDoc Linux AWS-RHEL7.3 does not support Amazon EFS instance storage types

Please find more information from the following link: https://aws.amazon.com/efs/details/. SecureDoc does not currently support Dynamically allocated\deallocated storage space.

Recommendation: Please use AWS’s EBS storage solutions.

An SDLinux package, created with the encryption type “Encrypt All Disks", "Data Only Fast Encryption" will switch to Through encryption when faced with a volume with an un-recognized file system

Recommendation: As SecureDoc supports Most modern file systems, this issue is only randomly visible. It is however by design as it provides the maximum protection for such volumes. Feature can be readily visible when encrypting SWAP Space.