New Features, Enhancements, and Changes

>Release: 10.2  

NOTE   If you are upgrading from a version of Sentinel LDK that is earlier than 10.0, be sure to review the release notes for all intervening versions. Significant enhancements and changes are introduced in each version of Sentinel LDK. Download a ZIP file that contains all Sentinel LDK release notes to see the changes.

>Fingerprint Generation API for Windows and Linux

>Support for Remote Developer Key with Envelope

>Enhanced License Readability with custom_info Tag Support

>Enhanced Envelope Support for .NET Core Application Assemblies

>Sentinel LDK Data File Protection Write Support for Linux

>Enhanced Sentinel LDK Envelope Protection for Python Applications Under Linux and Windows

>Vendor Code Can Be Excluded From Sentinel LDK Envelope Project File

>Enhanced Control for Disabling Secure Storage ID Check

Fingerprint Generation API for Windows and Linux

Sentinel LDK now supports generating a machine fingerprint for machines where outgoing file transmission is restricted (for example, air-gapped machines).

A user can determine the hardware identifier data required for generating a license on the target machine and share the data with you by telephone or email. You enter the provided data into the Fingerprint Generator API (on Windows and Linux ARM machines) to generate a C2V file. The C2V file can then be passed to Sentinel LDK-EMS, which uses the C2V file to generate a V2C or V2CP file that installs an SL AdminMode or SL UserMode license on the target machine.

The user can provide one or more of the following hardware identifiers for generating the license:

>MAC address

>FQDN (Fully Qualified Domain Name)

>IP address

>SID (Security Identifier on Windows or System ID on Linux)

The Fingerprint Generator API enables you to:

>Support environments where C2V files cannot be shared due to security restrictions.

>Generate fingerprints that are compatible with both Windows and Linux platforms.

>Generate fingerprints for both physical machines and virtual machines.

>Validate the accuracy of manually entered hardware identifiers using checksum characters. The checksum is optional. If omitted, the API accepts the identifier as is and skips checksum validation.

When generating a fingerprint file, consider the following:

>Security decreases when using fewer components (for example, using only MAC address or only FQDN).

>If the SSID (Secure Storage Identifier) is not provided, Thales recommends that you use Perpetual or Expiration Date licenses for enhanced security to avoid possible license abuse.

>When generating a license using the fingerprint generated by the API, you must use the custom clone protection scheme. This ensures compatibility with the fingerprint data and prevents license misuse or cloning.

For more information, see Sentinel LDK Software Protection and Licensing Guide.

Support for Remote Developer Key with Envelope

The Sentinel LDK License Manager now supports the use of a remote Developer key with Envelope.

Envelope (V3, .NET, Java, and Linux) and Data File Protection tools (dfcrypt and Data Protection utility) now support using a Developer key connected to a remote machine within the same network.

This enhancement enables multiple engineers to share a single physical Developer key without requiring individual keys. It simplifies collaborative development and build automation, and allows you to integrate Envelope protection into build environments that do not have USB connectivity.

Only Developer keys support remote access. Master keys support only local use.

NOTE      

>In an environment where developers or build servers are using remote Developer keys: You must implement a process to ensure that the relevant development machines or build servers always have the most recent downloaded API libraries.

>The Master Wizard does not support using a remote Developer key. A local Developer key or Master key must be connected during the Master Wizard introduction process.

To enable remote access for a Developer key, contact your Thales representative.

Enhanced License Readability with custom_info Tag Support

The Sentinel LDK License Manager now supports an additional attribute in the license file, improving license readability through the <custom_info> tag.

You can use Sentinel LDK-EMS or License Generation API to embed feature-specific descriptions within the license file using the <custom_info> tag placed under the <feature> tag. This tag applies to SL-AdminMode and SL-UserMode protection keys and is visible when the license is configured as human-readable.

This enhancement helps you review license files before installation, especially when feature IDs or names are similar or non-intuitive.

For details, see "How to specify custom information for a Feature" in the Sentinel License Generation API Reference.

Enhanced Envelope Support for .NET Core Application Assemblies

Sentinel LDK Envelope has been enhanced to support the Windows shell protection feature for .NET Core Main assemblies.

For these assemblies, Linux is now also supported: Linux Intel (x86_64), Linux ARMHF, and Linux ARM64.

Sentinel LDK Data File Protection Write Support for Linux

Sentinel LDK Data File Protection (DFP) for Linux now includes full read and write support. This enhancement adds mmap-based file access and allows combining mmap with standard file I/O.

As a vendor developing a Linux application that uses DFP to encrypt data files, you can now create new encrypted files, specify file name patterns for encryption, and assign a feature ID for each file. If no feature ID is specified, the default value of 0 is used.

The input_glob and ignore_glob parameters use the same pattern syntax as the JSON configuration file in Script Envelope.

This enhancement enables you to protect and modify data files on Linux Intel and ARM platforms (32-bit and 64-bit), improving workflow efficiency and flexibility.

Enhanced Sentinel LDK Envelope Protection for Python Applications Under Linux and Windows

Script Envelope for Python applications (under Windows or Linux) now supports the optional entry_scripts_glob parameter in the project file.

You can use this parameter in your Script Envelope project file to specify one or more entry scripts for your Python project.

Script Envelope generates stub code to ensure that the runtime libraries load correctly. The behavior of stub generation depends on whether you specify the entry_scripts_glob parameter.

This enhancement reduces unnecessary stub files, enforces valid entry scripts, and helps vendors ensure that the runtime loads correctly for the intended entry scripts only.

For more details, see Sentinel LDK Envelope for Linux or Sentinel LDK Envelope for Windows.

Vendor Code Can Be Excluded From Sentinel LDK Envelope Project File

You can now prevent Sentinel LDK Envelope from caching the Vendor Code in the Sentinel LDK Envelope project file.

The Vendor Code is used by Envelope to protect applications and by the Data Protection utility to protect data files. Envelope retrieves the Vendor Code either from a location on the file system or from the Sentinel LDK-EMS database, depending on the option that you select in the Sentinel Vendor Code screen. Until now, Envelope always cached the retrieved Vendor Code in the project file for subsequent sessions, regardless of how the Vendor Code was obtained. The cached Vendor Code was then used by the Envelope GUI, by the Envelope command-line version, and by the Data File Protection utility.

Effective with the release of Sentinel LDK Envelope 10.2, when you select the option to retrieve the Vendor Code from the Sentinel LDK-EMS database:

>To work with Envelope, you are required to provide login credentials to access Sentinel LDK-EMS. When the Vendor Code is required, Envelope retrieves the Vendor Code from Sentinel LDK-EMS. The Vendor Code is not cached in the Envelope project file. For details, see Sentinel LDK Envelope for Windows.

>The Data File Protection utility obtains the Vendor Code from Envelope if an active session of Envelope exists. If an active session of Envelope does not exist, the Data File Encryption Utility requires you to provide login credentials to access Sentinel LDK-EMS.

>When working with the Envelope command-line version, you must provide login credentials to access Sentinel LDK-EMS. For details, see Sentinel LDK Envelope for Windows.

>When working with an Envelope project file created by an earlier version of Sentinel LDK Envelope, the cached Vendor Code is removed from the project file.

When you select the option to retrieve the Vendor Code from a location on the file system, Envelope continues to cache the Vendor Code in the project file.

Enhanced Control for Disabling Secure Storage ID Check

You can disable the Secure Storage ID (SSID) check by adding the <ignore_secure_storage_id_check> tag to the license during license generation.

This tag applies only to Features that use the license models you specify. This tag behaves as follows:

>Perpetual Features remain enabled regardless of this tag.

>The SSID check is disabled for the Default Feature (FID 0) if you include the global option under <license_properties>.

For details, see the topic "How to disable Secure Storage ID Check" in the Sentinel License Generation API Reference.
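
The following review script is an added example, not Thales code: before a license definition is used, it lists each Feature's <custom_info> text (see "Enhanced License Readability with custom_info Tag Support") and reports every place where <ignore_secure_storage_id_check> turns the SSID check off. The root element, the <id> and <name> children, and the exact nesting in the sample are assumptions; only the four tag names mentioned in these release notes come from the product.

```python
import xml.etree.ElementTree as ET

SSID_TAG = "ignore_secure_storage_id_check"

# Constructed sample. Only <feature>, <custom_info>, <license_properties> and
# <ignore_secure_storage_id_check> come from the release notes; the root element,
# <id>, <name> and the exact nesting are assumptions for illustration.
SAMPLE = """<license>
  <license_properties><ignore_secure_storage_id_check/></license_properties>
  <feature>
    <id>101</id><name>EXP</name>
    <custom_info>PDF export module</custom_info>
  </feature>
  <feature>
    <id>102</id><name>EXP2</name>
    <license_properties><ignore_secure_storage_id_check/></license_properties>
  </feature>
</license>"""

def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def review_license(xml_text):
    """Return features, features lacking custom_info, and where the SSID check is off."""
    if "<!DOCTYPE" in xml_text:  # no DTDs expected; refuse entity-expansion tricks
        raise ValueError("DOCTYPE not allowed in license definition")
    features, ssid_off = [], []

    def walk(node, feature_id):
        name = local(node.tag)
        if name == "feature":
            kids = {local(c.tag): (c.text or "").strip() for c in node}
            feature_id = kids.get("id", "?")
            features.append({"id": feature_id, "custom_info": kids.get("custom_info") or None})
        elif name == SSID_TAG:
            # Outside any <feature> the tag is reported as a global setting.
            ssid_off.append("global" if feature_id is None else feature_id)
        for child in node:
            walk(child, feature_id)

    walk(ET.fromstring(xml_text), None)
    return {
        "features": features,
        "missing_custom_info": [f["id"] for f in features if not f["custom_info"]],
        "ssid_check_disabled": ssid_off,
    }

if __name__ == "__main__":
    print(review_license(SAMPLE))
```

A non-empty `ssid_check_disabled` list is the item to confirm with whoever approved the license model, since it records where clone protection was deliberately relaxed.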