Stormshield KMaaS 4.5.0 new features and enhancements

Support for Google features

Send Gmail encrypted emails to anyone

KACLS now supports the Send to Anyone Gmail feature. It allows users to send end-to-end encrypted emails to anyone, even if the recipient uses a different email provider, without having to deploy a complex PKI.

For more information, refer to the Google documentation.

Full support for Google Meet hardware

It is now possible to join an encrypted Google Meet conference from a room with Meet hardware.

Key Access Management

The new Key Access Management feature is dedicated to the Stormshield SDK. It enables:

  • Symmetric encryption and decryption,

  • Asymmetric rewrap, which allows the Stormshield SDK to retrieve or re-encrypt the keys needed to decrypt protected data.


Customized access rules (OPA)

Attribute Based Access Control (ABAC)

You can now write OPA rules using Attribute Based Access Control (ABAC) for Crypto API and Key Access Management. This allows for a better implementation of Data Centric Security and Zero Trust concepts.


Centralized authorization server

You can enhance security by centralizing authorization through an OPA server for KACLS and Crypto API. You can still use the local policy.wasm and policy.data.json files if you do not have an OPA server.


OPA enforcement

You can now configure OPA enforcement for each tenant and feature:

  • For KACLS, the configuration files are policy.wasm and policy.data.json,

  • For Crypto API, the configuration files are policy-crypto-api.wasm and policy-crypto-api.data.json,

  • For Key Access Management, the configuration files are policy-kas.wasm and policy-kas.data.json.

If a feature is enabled, you must set its policy_enforcement parameter to specify whether or not the OPA rules are enforced for it.
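An illustrative ABAC policy of the kind that can be loaded as a policy-crypto-api.wasm file, written here as an added example and not taken from Stormshield's documentation: the package name, the shape of the input document (input.subject, input.action, input.resource) and the attribute names are assumptions, and the real KMaaS input schema must be taken from the product documentation. The policy is default-deny and grants encrypt/decrypt only when the caller's clearance and department match the key's labels, with rewrap reserved for a dedicated SDK role.

```rego
# Added illustrative policy, not Stormshield's own. The input document shape
# and attribute names below are assumptions for the sake of the example.
package kmaas.crypto_api.authz

import future.keywords

# Default deny: any request that matches no allow rule is refused.
default allow := false

# Ordering of classification labels; in a deployment this static table
# would more naturally live in the policy-crypto-api.data.json file.
clearance_rank := {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Encrypt/decrypt: authenticated caller, same department as the key,
# and a clearance at least as high as the key's classification.
allow if {
    input.action in {"encrypt", "decrypt"}
    input.subject.authenticated == true
    input.subject.department == input.resource.department
    clearance_rank[input.subject.clearance] >= clearance_rank[input.resource.classification]
}

# Rewrap (used by the SDK via Key Access Management): restricted to a
# dedicated role, still scoped to the caller's own department.
allow if {
    input.action == "rewrap"
    "sdk-rewrap" in input.subject.roles
    input.subject.department == input.resource.department
}

# Reasons that can be logged alongside a refusal, so that denied requests
# are explainable during incident review.
deny_reason contains "subject not authenticated" if {
    not input.subject.authenticated
}

deny_reason contains "classification exceeds clearance" if {
    clearance_rank[input.subject.clearance] < clearance_rank[input.resource.classification]
}

deny_reason contains "department mismatch" if {
    input.subject.department != input.resource.department
}
```

With `opa eval -d policy.rego -i input.json "data.kmaas.crypto_api.authz"` you can check both `allow` and `deny_reason` for a sample request before compiling the policy to WebAssembly with `opa build -t wasm`.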


KACLS

In the config.json file, you can now specify the KMS domain to use with the Thales CipherTrust REST API. The domain is common to all tenants and contains the KEKs and the Gmail private keys.


Crypto API

API key authentication

Crypto API now supports API key authentication.


KEK for data encryption

When encrypting data with Crypto API, you can now specify the key encryption key (KEK) to be used to encrypt the data encryption key (DEK).

Public API

The following fields have been renamed for more consistency:

  • The "encryptedData" response field for the crypto_api/encrypt route has been renamed "encrypted_data",

  • The "encryptedData" input parameter for the crypto_api/decrypt route has been renamed "encrypted_data".


PKI

The new PKI feature allows issuing certificates for mTLS authentication from a Certificate Signing Request (CSR).

Find out more

Logs

Log format

In the config.json file, you can now specify the format of the logs to be generated, in order to prepare for migration to the new log format.
