1.0 Introduction
This article describes how to integrate Fortanix-Data-Security-Manager (DSM) on-premises with Amazon Web Services (AWS) External Key Store (XKS) using Amazon’s Virtual Private Cloud network to protect the data in AWS using keys stored in Fortanix DSM that users can use to perform cryptographic operations.
It also describes how to:
Create and configure the AWS Network Load Balancer and Target Groups
Create the VPC Endpoint Service
Create Fortanix DSM objects
Create the External Key Store in AWS
When using Fortanix DSM as an external key store, AWS allows two ways of communication:
Public Endpoint Connectivity - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint. This procedure is not covered in this article. You can follow the documentation link – Fortanix DSM with AWS XKS Concepts Guide and Fortanix DSM with AWS External Key Store (XKS) Integration Guide for the Public Endpoint Connectivity method.
Using Amazon VPC endpoint service - AWS KMS connects to the XKS proxy by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS Direct Connect/VPN, which enables AWS KMS to privately connect to your Amazon VPC and your XKS proxy without using the public internet. This procedure is covered in this article.
2.0 Architecture Workflow
The diagram below depicts the connectivity flow between Fortanix DSM and AWS KMS:

Figure 1: AWS accessing Fortanix XKS using AWS VPC
The components of the above diagram include:
Amazon VPC connected to AWS XKS - needs to be created, or an existing VPC can be used. It is important to note that the VPC must have at least two private subnets in two different Availability Zones.
Amazon VPC endpoint service powered by AWS PrivateLink, configured with a network load balancer and target group.
An external proxy is configured in the on-premises environment to intercept AWS KMS traffic and relay it to the Fortanix DSM service.
Private DNS assigned to an external proxy.
Fortanix DSM installed in the on-premises environment.
The following steps explain the workflow:
An AWS service or custom application sends a request for a key to AWS KMS.
AWS KMS retrieves the double-enveloped key from its database and sends it to the URL of the XKS service (as implemented by Fortanix DSM) to decrypt.
A network load balancer relays the request from AWS KMS to the Fortanix DSM cluster located in the on-premises environment using the VPC endpoint service.
Fortanix DSM decrypts the outer envelope and returns the inner envelope to AWS KMS.
AWS KMS decrypts the inner envelope and returns the plaintext DEK to the calling service or application.
An external proxy created in the on-premises environment forwards the traffic to Fortanix DSM running with a public CA-signed certificate. The certificate must include the proxy endpoint as a SAN (Subject Alternate Name).
3.0 Prerequisites
Ensure the following:
NOTE
Creation and configuration of the VPC and establishment of connectivity between the VPC and the on-premises environment are out of the scope of this guide.
AWS resources:
Network Load Balancer (NLB)
Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html#configure-load-balancer
VPC (with private subnet)
VPC Endpoint Service (ensure that you add the TXT record as per the documentation; the "Domain verification status" should be "Verified")
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-nlb
KMS
The connection between AWS Cloud and Fortanix DSM on-premises (VPN/Direct Connect)
On-premises resources:
Fortanix DSM on-premises version 4.9 and above.
High Availability Proxy: A minimum of two nodes is recommended to achieve high availability.
NOTE
Fortanix used the HAProxy proxy service for testing.
4.0 Fortanix DSM with AWS XKS Using VPC
With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for encrypting and decrypting the Data Encryption Keys in AWS KMS. In this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (known as Bring Your Own Key or BYOK) functionality, where the key material for a key in Fortanix DSM (external HSM) is imported into AWS KMS, optionally with an expiration period, and cryptographic operations occur within an AWS data center.
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
5.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 2: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 3: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
5.4 Creating or Importing an AES Key
Perform the following steps to generate an AES key in the Fortanix DSM:
In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.
Figure 4: Adding a security object
On the Add new Security Object page, do the following:
Security Object name: Enter the name for your security object.
Group: Select the group as created in Section 5.3: Creating a Group.
Select GENERATE.
In the Choose a type section, select the AES key type.
In the Key Size section, select the size of the key in bits.
In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
NOTE
Ensure that Encrypt and Decrypt are among the permitted key operations for the new key.
Click GENERATE to create the new security object.
The new security object is added to the Fortanix DSM successfully.
You can also import an AES encryption key. For more information on how to import a key, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.
The UUID of this AES key is required in Section 6.3: Create External Key Store in AWS KMS to create the key in AWS XKS.
5.5 Copying the UUID of the AES Key
Perform the following steps to copy the security object UUID from the Fortanix DSM:
In the DSM left navigation panel, click the Security Objects menu item, and then click the security object created in Section 5.4: Creating or Importing an AES Key to go to the detailed view of the security object.
From the top of the security object’s page, click the COPY ID drop down menu and then select COPY UUID to copy it to use later.
5.6 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 5: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select AWS XKS as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
5.7 Copying the App Configuration File
Perform the following steps to copy the app configuration file from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 5.6: Creating an Application to go to the detailed view of the app.
In the INFO tab and the AWS XKS section, click VIEW INSTRUCTIONS.
In the AWS XKS modal window, click COPY CONFIG FILE to copy all the configuration details at once to the clipboard in JSON format, or copy the URI and the configuration info individually and make a note of it.
The following are the configuration values:
Path prefix: A fixed path containing the Fortanix DSM app UUID.
Access key ID and Secret access key: The access key and secret access key are used by AWS to access Fortanix DSM.

Figure 6: Copy the AWS XKS app configuration
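As an added example (not part of the Fortanix guide or its code), the following Python script builds and signs an XKS proxy GetHealthStatus request with the values from the copied configuration file, using the same SigV4 scheme (service name kms-xks-proxy) that AWS KMS applies when it reaches the proxy through the VPC endpoint, so the HAProxy path can be exercised from a host inside the VPC before the external key store is created. All configuration values are constructed placeholders; the /kms/xks/v1/health path and request body follow the public XKS Proxy API specification, while the exact set of signed headers is an assumption.

```python
"""Added example: sign an XKS-proxy health check the way AWS KMS does (SigV4,
service name kms-xks-proxy). Not part of the Fortanix guide."""
import datetime
import hashlib
import hmac
import json

# Constructed placeholders standing in for the Section 5.7 config file values.
XKS_CONFIG = {
    "uri_endpoint": "https://xks-proxy.example.com",                 # proxy DNS name behind the NLB
    "path_prefix": "/example/00000000-0000-0000-0000-000000000000",  # contains the DSM app UUID
    "access_key_id": "EXAMPLEACCESSKEYID",
    "secret_access_key": "EXAMPLESECRETACCESSKEY",
}
SERVICE = "kms-xks-proxy"
FIXED_TIME = datetime.datetime(2025, 5, 30, 6, 2, 16, tzinfo=datetime.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_xks_request(cfg, region, method, path, body, when):
    """Return (full_path, headers) for one XKS-proxy call; path is relative to the prefix."""
    host = cfg["uri_endpoint"].split("://", 1)[1]
    full_path = cfg["path_prefix"].rstrip("/") + path
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    headers = {"content-type": "application/json", "host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))                      # assumed signed-header set
    canonical = "\n".join([method, full_path, "",           # no query string
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{amz_date[:8]}/{region}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + cfg["secret_access_key"]).encode()       # derive the SigV4 signing key
    for part in (amz_date[:8], region, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={cfg['access_key_id']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return full_path, headers


def health_request(cfg, region, when=None):
    """Build the GetHealthStatus call (POST <prefix>/kms/xks/v1/health)."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    body = json.dumps({"requestMetadata": {"kmsRequestId": "constructed-request-id",
                                           "kmsOperation": "KmsHealthCheck"}})
    path, headers = sign_xks_request(cfg, region, "POST", "/kms/xks/v1/health", body, when)
    return {"path": path, "body": body, "headers": headers}
```

Send the returned path, body and headers with any HTTP client (for example urllib.request) to the proxy URI endpoint from a host that resolves the private DNS name; a 200 response with a healthy status confirms the NLB, HAProxy and Fortanix DSM path before the key store is created.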
6.0 Configure HAProxy Service in Fortanix DSM On-Premises
It is highly recommended to configure at least two HAProxy servers in HA to receive KMS traffic using AWS VPC. It must be configured with SSL pass-through to forward the incoming traffic to the backend service URL. Following is an example of installing HAProxy on Ubuntu and configuring the proxy service.
NOTE
You must follow the operating system-specific HAProxy installation instructions. You can use other proxy services as per your choice. Here we used HAProxy for this testing.
apt-get install haproxy
Edit the configuration file /etc/haproxy/haproxy.cfg. The following is an example of the HAProxy configuration:
global
    log /dev/log local0 info
    stats socket ipv4@127.0.0.1:9999 level admin    # admin socket on the loopback address (address assumed)
    stats socket /var/run/haproxy.sock mode 666 level admin    # world-writable admin socket; tighten the mode in production
    stats timeout 2m
defaults
    log global
    option tcplog
    timeout client 10s     # applies to all frontends
    timeout connect 10s    # applies to all backends
    timeout server 10s     # applies to all backends
frontend stats             # optional statistics page
    bind *:1936
    mode http
    stats uri /
    stats show-legends
    stats refresh 5s
    no log
frontend https             # KMS traffic arriving through the NLB
    bind *:443
    mode tcp               # TCP mode: TLS is passed through to Fortanix DSM, not terminated here
    default_backend bk_app
backend bk_app
    mode tcp
    server testdsm 10.197.192.40:443 check    # on-premises Fortanix DSM node; add one server line per node
6.1 Create and Configure AWS Network Load Balancer and Target Groups
NOTE
Before you start this section, it is assumed that you have the following configuration already in place:
AWS VPC configured
Communication between the on-premises Fortanix DSM and the AWS VPC is established (Direct Connect/VPN).
HAProxy is configured
Perform the following steps to create the target groups:
Go to the Amazon EC2 console at the URL: https://console.aws.amazon.com/ec2/
In the navigation pane, select Target Groups, and then click Create.
In the Basic configuration section, do the following:
Select the target type as IP addresses.
Enter a logical Target group name.
Select Protocol as TCP and Port as 443.
Select the IP address type as IPV4.
Select the VPC that you have created for the integration and click Next.
Figure 7: Create target group
Perform the following steps to register the targets in the Target Group.
Go to Target groups in the EC2 console, and then select Register targets.
Add the IP addresses of the HAProxy located in the on-premises environment. Enter Ports as 443 for routing to the target.
Figure 8: Register targets in the target group
Perform the following steps to create the load balancer:
Search “load balancer” in the Search Box of the AWS Console and select the Load Balancer EC2 feature.
Select Create Load Balancer, select Network Load Balancer, and then click Create.
Enter a logical name in the Load balancer name field.
Select the Scheme as Internal.
Select the IP address type as IPV4.
In the Network mapping section, select the VPC created for the integration, and then under Mappings, select both the zones.
In the Listeners and routing section, select Protocol as TCP and Port as 443. Select the target group created above for the Default action field. Click Add listener.
Verify and then click Create load balancer.
6.2 Create VPC Endpoint Service
Perform the following steps to create the VPC endpoint service:
Go to VPC in the AWS Console and click Endpoint services. Select Create.
In the Create endpoint service form, do the following:
Enter a logical name for the VPC endpoint service.
Select Load balancer type as Network.
Then select the load balancer created above under Available load balancers.
Figure 9: Create endpoint service
In the Additional settings section, do the following:
Clear the Acceptance required option.
Select the Associate a private DNS name with the service option.
Enter the Proxy DNS for the Private DNS name field.
Select IPV4 as the Supported IP address types.
Click Create.
Figure 10: Create endpoint services
After the VPC endpoint is created, it will generate the domain verification name and value. The Domain verification status shows “pendingVerification”. You must copy the Domain verification name and Domain verification value and create a TXT record on Route 53 under your domain. After the successful verification, the Domain verification status shows “Verified”.
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html
Figure 11: Domain verification name and value
You must add "Allow Principals" to use the VPC endpoint service as below. This is required to allow KMS to communicate through the VPC endpoint service you created.
In the navigation pane, choose Endpoint services.
Select the endpoint service and select the Allow principals tab.
To add permissions, click Allow principals.
In the Principals to add section, enter the ARN of the principal.
Figure 12: Allow principal
6.3 Create External Keystore in AWS KMS
Perform the following steps to create an external keystore in AWS KMS:
Go to Key Management Service in the AWS console and select External key stores.
Click the Create option to create the external key store.
Enter a logical name for the Key store name field.
Select the VPC endpoint service in the Proxy connectivity section.
Select the VPC endpoint service created in the previous section.
In the Proxy URI endpoint field, enter the proxy DNS name.
Upload the configuration file from Fortanix DSM that you copied to the clipboard in Section 5.7: Copying the App Configuration File. This will populate the fields in the Proxy Configuration section.
Click Create external key store.
Figure 13: Create XKS
After the external key store is created, click the keystore and check the Connection State.
It should show as Connected. This might take a while. If it shows a status other than Connected, troubleshoot the connectivity.
Figure 14: XKS connection state
Now, the KMS key can be created in this key store.
Click Create a KMS key in this keystore.
In the Key configuration form, enter the Fortanix DSM key UUID as copied in Section 5.5: Copying the UUID of the AES Key in the External key ID field.
Confirm the use of an external key store and click Next.
Figure 15: KMS key configuration
Enter the key Alias and click Next.
Figure 16: Add labels
Select the Key administrators from the list, click on the check box for the Key deletion based on your requirements, and click Next.
Figure 17: Key administrators permission
Figure 18: Key usage permission
Key Administrative permissions: AWS IAM users or roles who can manage the AWS external keystore key from the console.
Key Usage Permissions: AWS IAM users or roles who can use the key for cryptographic operations.
Finally, review the Key configuration and click Finish.
Figure 19: Review key configuration
7.0 Using the XKS Key to Encrypt S3 Bucket
7.1 Create an S3 Bucket
This section describes how to use a Fortanix DSM key as an AWS customer-managed key to encrypt an S3 bucket.
Create an S3 bucket: in the AWS console, go to Amazon S3 → Buckets → Create bucket.
Figure 20: Create an S3 bucket
Upload a file to S3 and check the Fortanix key access logs.
Figure 21: Upload file to S3
Figure 22: Upload successful
Figure 23: Fortanix Key Access Logs
8.0 References
AWS XKS troubleshooting guide: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
Support key types with AWS external keystore: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
Controlling access to your External keystore: https://docs.aws.amazon.com/kms/latest/developerguide/authorize-xks-key-store.html