---
title: "Fortanix DSM with Amazon XKS Using Virtual Private Cloud"
slug: "data-security-manager-with-amazon-xks-using-virtual-private-cloud"
updated: 2026-04-10T11:20:21Z
published: 2026-04-10T11:20:21Z
---

# Fortanix DSM with Amazon XKS Using Virtual Private Cloud

## 1.0 Introduction

This article describes how to integrate **Fortanix Data Security Manager (DSM)** on-premises with **Amazon Web Services (AWS) External Key Store (XKS)** **using Amazon's Virtual Private Cloud (VPC) network**, so that data in AWS is protected with keys that are stored in Fortanix DSM and used there for cryptographic operations.

It also describes how to:

- Create and configure the AWS Network Load Balancer and Target Groups
- Create the VPC Endpoint Service
- Create Fortanix DSM objects
- Create the External Key Store in AWS

When using Fortanix DSM as an external key store, AWS allows two ways of communication:

- **Public Endpoint Connectivity** - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint. This procedure is not covered in this article. *Refer to* [*Fortanix DSM with AWS External Key Store (XKS) - Concepts*](/v1/docs/fortanix-dsm-with-aws-external-key-store-xks-concepts) *for the Public Endpoint Connectivity method.*
- **Using Amazon VPC endpoint service** - AWS KMS connects to the XKS proxy by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS Direct Connect/VPN, which enables AWS KMS to privately connect to your Amazon VPC and your XKS proxy without using the public internet. This procedure is covered in this article.

## 2.0 Architecture Workflow

The diagram below depicts the connectivity flow between Fortanix DSM and AWS KMS:

![AWS-XKS-VPC-Archi.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326480898964.png)

**Figure 1: AWS accessing Fortanix XKS using AWS VPC**

The components of the above diagram include:

- An Amazon VPC (new or existing) connected to AWS XKS. The VPC must have at least two private subnets in two different Availability Zones.
- An Amazon VPC endpoint service powered by AWS PrivateLink, configured with a network load balancer and a target group.
- An external proxy configured in the on-premises environment to receive the AWS KMS traffic and relay it to the Fortanix DSM service.
- A private DNS name assigned to the external proxy.
- Fortanix DSM installed in the on-premises environment.

The following steps explain the workflow:

1. An AWS service or custom application sends a request for a key to AWS KMS.
2. AWS KMS retrieves the double-enveloped key from its database and sends it to the URL of the XKS service (as implemented by Fortanix DSM) to decrypt.
3. A network load balancer relays the request from AWS KMS to the Fortanix DSM cluster located in the on-premises environment using the VPC endpoint service.
4. Fortanix DSM decrypts the outer envelope and returns the inner envelope to AWS KMS.
5. AWS KMS decrypts the inner envelope and returns the plaintext DEK to the calling service or application.
6. An external proxy created in the on-premises environment forwards the traffic to Fortanix DSM, which runs with a public CA-signed certificate. The certificate must include the proxy endpoint as a SAN (Subject Alternative Name).

## 3.0 Prerequisites

Ensure the following:

> [!NOTE]
> Creation and configuration of the VPC and establishment of connectivity between the VPC and the on-premises environment are out of the scope of this guide.

- **AWS resources:**
  - Network Load Balancer (NLB). **Reference:** [*AWS official documentation*](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html#configure-load-balancer)
  - VPC (with private subnets)
  - VPC Endpoint Service (ensure that the domain verification TXT record is added as per the documentation; the **Domain verification status** should be "Verified"). **Reference:** [*AWS official documentation*](https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-nlb)
  - KMS
  - Connectivity between AWS Cloud and Fortanix DSM on-premises (VPN/Direct Connect)
- **On-premises resources:**
  - Fortanix DSM on-premises version 4.9 and above.
  - High Availability Proxy: a minimum of two nodes is recommended to achieve high availability.

> [!NOTE]
> Fortanix used the HAProxy proxy service for testing.

## 4.0 Fortanix DSM with AWS XKS Using VPC

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for encrypting and decrypting the Data Encryption Keys in AWS KMS. In this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (known as Bring Your Own Key or BYOK) functionality, where the key material for a key in Fortanix DSM (external HSM) is imported into AWS KMS, optionally with an expiration period, and cryptographic operations occur within an AWS data center.

## 5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at `<Your_DSM_Service_URL>`. For example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 5.2 Creating an Account

Access `<Your_DSM_Service_URL>` in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 2: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(73).png)

**Figure 3: Add groups**
2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 5.4 Creating or Importing an AES Key

Perform the following steps to generate an AES key in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click **ADD SECURITY OBJECT** to create a new security object.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-SO(28).png)

**Figure 4: Adding a security object**
2. On the **Add new Security Object** page:
  1. **Security Object name**: Enter the name for your security object.
  2. **Group**: Select the group created in [*Section 5.3: Creating a Group*](/v1/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud#53-creating-a-group).
  3. Select **GENERATE**.
  4. In the **Choose a type** section, select the **AES** key type.
  5. In the **Key Size** section, select the size of the key in bits.
  6. In the **Key operations permitted** section, select the required operations to define the actions that can be performed with the cryptographic key, such as encryption, decryption, signing, and verifying.

> [!NOTE]
> Ensure that the **Encrypt** and **Decrypt** key operations are allowed for the new key.
3. Click **GENERATE** to create the new security object.

The new security object is added to the Fortanix DSM successfully.

You can also import an AES key. *For more information on how to import a key, refer to the* [*User's Guide: Fortanix Data Security Manager Key Lifecycle Management*](/v1/docs/users-guide-fortanix-data-security-manager-key-lifecycle-management#111-import-security-objects)*.*

The UUID of this AES key is required in [*Section 6.3: Create External Keystore in AWS KMS*](/v1/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud#70-using-the-xks-key-to-encrypt-s3-bucket) to create the key in AWS XKS.

### 5.5 Copying the UUID of the AES Key

Perform the following steps to copy the security object UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click the security object created in [*Section 5.4: Creating or Importing an AES Key*](/v1/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud#54-creating-a-security-object) to go to the detailed view of the security object.
2. At the top of the security object's page, click the **COPY ID** drop-down menu and then select **COPY UUID** to copy the UUID for later use.

### 5.6 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(72).png)

**Figure 5: Add application**
2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select **AWS XKS** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 5.3: Creating a Group*](/v1/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud#53-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 5.7 Copying the App Configuration File

Perform the following steps to copy the app configuration file from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 5.6: Creating an Application*](/v1/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud#56-creating-an-application) to go to the detailed view of the app.
2. In the **INFO** tab, in the **AWS XKS** section, click **VIEW INSTRUCTIONS**.
3. In the **AWS XKS** modal window, click **COPY CONFIG FILE** to copy all the configuration details at once to the clipboard in JSON format, or copy the URI and the configuration values individually and make a note of them.

The configuration values are:
  - **Path prefix**: A fixed path containing the Fortanix DSM app UUID.
  - **Access key ID** and **Secret access key**: The credentials AWS KMS uses to authenticate to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769074141325.png)

**Figure 6: Copy the AWS XKS app configuration**

## 6.0 Configure HAProxy Service in Fortanix DSM On-Premises

It is highly recommended to configure at least two HAProxy servers in a high-availability (HA) pair to receive the KMS traffic arriving through the AWS VPC. The proxy must be configured for SSL pass-through so that incoming TLS connections are forwarded unchanged to the backend Fortanix DSM service URL. The following is an example of installing HAProxy on Ubuntu and configuring the proxy service.

> [!NOTE]
> You must follow the operating system-specific HAProxy installation instructions. You can use other proxy services as per your choice. Here we used HAProxy for this testing.

```bash
apt-get install haproxy
```

Edit the configuration `/etc/haproxy/haproxy.cfg`. The following is an example of the HAProxy configuration:

```haproxy
global
    log /dev/log local0 info
    # Admin-level stats sockets: restrict access before production use
    # (mode 666 makes the Unix socket writable by every local user).
    stats socket ipv4@127.0.0.1:9999 level admin
    stats socket /var/run/haproxy.sock mode 666 level admin
    stats timeout 2m

defaults
    log global
    option tcplog
    timeout client  10s   # applies to all frontends
    timeout connect 10s   # applies to all backends
    timeout server  10s   # applies to all backends

# Optional statistics page on port 1936
frontend stats
    bind *:1936
    mode http
    stats uri /
    stats show-legends
    stats refresh 5s
    no log

# TCP (SSL pass-through) listener that receives the AWS KMS traffic from the NLB
frontend https
    bind *:443
    mode tcp
    default_backend bk_app

# Fortanix DSM backend; TLS is passed through untouched, so DSM's own certificate
# is what AWS KMS sees. Replace the address with your DSM node or cluster address.
backend bk_app
    mode tcp
    server testdsm 10.197.192.40:443 check
```
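The script below is an added example (not Fortanix's code) for validating the pass-through setup above before pointing AWS KMS at it: the configuration parses, the certificate seen through the proxy lists the proxy DNS name as a SAN (Section 2.0, step 6), it is the very certificate DSM serves, and its chain is publicly trusted. `xks-proxy.example.com` and the host addresses are placeholders, and OpenSSL 1.1.1 or later is assumed for `-ext subjectAltName`.

```shell
#!/bin/sh
# Added example (not Fortanix's code): checks for the SSL pass-through proxy above.
# PROXY_DNS and DSM_HOST are placeholders; OpenSSL 1.1.1+ is assumed for -ext.
set -eu

CFG="${CFG:-/etc/haproxy/haproxy.cfg}"
PROXY_DNS="${PROXY_DNS:-xks-proxy.example.com}"   # private DNS name AWS KMS connects to
DSM_HOST="${DSM_HOST:-10.197.192.40}"              # backend server address from the config above

# Returns 0 when DNS name $1 is listed as a SAN. Reads the output of
# "openssl x509 -noout -ext subjectAltName" on stdin.
cert_has_san() {
  tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "DNS:$1"
}

# Prints the PEM leaf certificate presented by host $1 when the SNI name $2 is
# sent (AWS KMS sends the proxy DNS name).
fetch_leaf_cert() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null | openssl x509
}

# Returns 0 when the chain presented by host $1 (SNI $2) validates against the
# system trust store, i.e. the certificate is public-CA signed as XKS requires.
chain_is_trusted() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  # 1. The configuration must parse before HAProxy is reloaded.
  haproxy -c -f "$CFG"
  # 2. Through the proxy, the certificate must carry the proxy DNS name as a SAN,
  #    because KMS validates the name it connected to.
  fetch_leaf_cert "$PROXY_DNS" "$PROXY_DNS" | openssl x509 -noout -ext subjectAltName \
    | cert_has_san "$PROXY_DNS" || { echo "SAN $PROXY_DNS missing"; exit 1; }
  # 3. Pass-through means the proxy never terminates TLS, so the certificate seen
  #    through it must be the one DSM serves: compare SHA-256 fingerprints.
  via_proxy=$(fetch_leaf_cert "$PROXY_DNS" "$PROXY_DNS" | openssl x509 -noout -fingerprint -sha256)
  direct=$(fetch_leaf_cert "$DSM_HOST" "$PROXY_DNS" | openssl x509 -noout -fingerprint -sha256)
  [ "$via_proxy" = "$direct" ] || { echo "proxy is not passing TLS through unchanged"; exit 1; }
  # 4. The chain must validate against public roots.
  chain_is_trusted "$PROXY_DNS" "$PROXY_DNS" || { echo "certificate chain is not trusted"; exit 1; }
  echo "all checks passed"
}

if [ "${1:-}" = check ]; then main; fi
```

Run it as `sh check-proxy.sh check` from a host that can reach both the proxy and DSM directly; a fingerprint mismatch in step 3 means something between the NLB and DSM is terminating TLS.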

### 6.1 Create and Configure AWS Network Load Balancer and Target Groups

> [!NOTE]
> Before you start this section, it is assumed that you have the following configuration already in place:
> 
> - AWS VPC configured
> - Communication between Fortanix DSM on-premises and the AWS VPC established (Direct Connect/VPN)
> - HAProxy configured

Perform the following steps to create the target groups:

1. Go to the Amazon EC2 console at the *URL:* [*https://console.aws.amazon.com/ec2/*](https://console.aws.amazon.com/ec2/)*.*
2. In the navigation pane, select **Target Groups**, and then click **Create**.
3. In the **Basic configuration** section:
  1. Select the **target type** as **IP addresses**.
  2. Enter a logical **Target group name**.
  3. Select **Protocol** as **TCP** and **Port** as **443**.
  4. Select the **IP address type** as **IPv4**.
  5. Select the **VPC** that you have created for the integration and click **Next**.

![CreateTargetGroup1-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326557025940.png)

![CreateTargetGroup2-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18327366279188.png)

**Figure 7: Create target group**

Perform the following steps to register the targets in the target group:

1. Go to **Target groups** in the EC2 console, and then select **Register targets**.
2. Add the **IP addresses** of the HAProxy nodes located in the on-premises environment, and enter **443** in **Ports** for routing to the target.

![RegisterTargets-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326590760212.png)

**Figure 8: Register targets in the target group**

Perform the following steps to create the load balancer:

1. Search “load balancer” in the **Search Box** of the AWS Console and select the **Load Balancer EC2** feature.
2. Select **Create Load Balancer**, select **Network Load Balancer**, and then click **Create**.
  1. Enter a logical name in the **Load balancer name** field.
  2. Select the **Scheme** as **Internal**.
  3. Select the **IP address type** as **IPv4**.
  4. In the **Network mapping** section, select the **VPC** created for the integration, and then under **Mappings**, select both the zones.
  5. In the **Listeners and routing** section, select **Protocol** as **TCP** and **Port** as **443**. Select the target group created above for the **Default action** field. Click **Add listener**.
  6. Verify and then click **Create load balancer**.

### 6.2 Create VPC Endpoint Service

Perform the following steps to create the VPC endpoint service:

1. Go to **VPC** in the AWS Console and click **Endpoint services**. Select **Create**.
2. On the **Create endpoint service** form:
  1. Enter a logical name for the VPC endpoint service.
  2. Select **Load balancer type** as **Network**.
  3. Then select the load balancer created above under **Available load balancers**.

![CreateEndpointService1-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18393049377428.png)

**Figure 9: Create endpoint service**
  4. In the **Additional settings** section:
    1. Clear **Acceptance required**.
    2. Select **Associate a private DNS name with the service**.
    3. Enter the proxy DNS name in the **Private DNS name** field.
    4. Select **IPv4** as the **Supported IP address types**.
    5. Click **Create**.

![CreateEndpointServiceAdditionalSettings-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326612262036.png)

**Figure 10: Create endpoint services**
    6. After the VPC endpoint service is created, AWS generates a domain verification name and value, and the **Domain verification status** shows “**pendingVerification**”. Copy the **Domain verification name** and **Domain verification value** and create a TXT record with them in Route 53 under your domain. After successful verification, the **Domain verification status** shows “**Verified**”. Reference: [*AWS official documentation*](https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html)

![DomainVerification-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326606043540.png)

**Figure 11: Domain verification name and value**
    7. You must add **Allow principals** to the VPC endpoint service as follows. This is required to allow KMS to communicate through the VPC endpoint service you created.
      1. In the navigation pane, choose **Endpoint services**.
      2. Select the endpoint service and select the **Allow principals** tab.
      3. To add permissions, click **Allow principals**.
      4. In the **Principals to add** section, enter the **ARN** of the principal.

![AllowPrincipal-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326614212116.png)

**Figure 12: Allow principal**

### 6.3 Create External Keystore in AWS KMS

Perform the following steps to create an external keystore in AWS KMS:

1. Go to **Key Management Service** in the AWS console and select **External key stores**.
  1. Click **Create** to create the external key store.
    1. Enter a logical name for the **Key store name** field.
    2. Under **Proxy connectivity**, select **VPC endpoint service**.
    3. Select the VPC endpoint service created in Section 6.2: Create VPC Endpoint Service.
    4. In the **Proxy URI endpoint** field, enter the proxy DNS name.
    5. Upload the configuration file from Fortanix DSM that you copied to the clipboard in [*Section 5.7: Copying the App Configuration File*](/v1/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud#57-copying-the-app-configuration-file). This will populate the fields in the **Proxy Configuration** section.
    6. Click **Create external key store**.

![CreateExternalKeyStore-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326660520212.png)

**Figure 13: Create XKS**
2. After the external key store is created, click the keystore and check the **Connection State**. It should show as **Connected**. This might take a while. If it shows a status other than **Connected**, then troubleshoot the connectivity.

![ConnectionState-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326678189204.png)

**Figure 14: XKS connection state**
3. Now, the KMS key can be created in this key store.
  1. Click **Create a KMS key in this keystore.**
    1. On the **Key configuration** form, enter the Fortanix DSM key UUID copied in [*Section 5.5: Copying the UUID of the AES Key*](/v1/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud#55-copying-the-security-object-uuid) in the **External key ID** field.
    2. Confirm the use of an external key store and click **Next**.

![AWS-VPC-ConfigureKeyXKS.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326669533972.png)

**Figure 15: KMS key configuration**
  2. Enter the key **Alias** and click **Next**.

![AddLabels-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326693761556.png)

**Figure 16: Add labels**
  3. Select the **Key administrators** from the list, select the **Key deletion** check box based on your requirements, and click **Next**.

![KayAdmin-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326703589652.png)

**Figure 17: Key administrators permission**

![KeyUsagePerm-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326665982740.png)

**Figure 18: Key usage permission**
    - **Key Administrative permissions:** AWS IAM users or roles who can manage the AWS external keystore key from the console.
    - **Key Usage Permissions:** AWS IAM users or roles who can use the key for cryptographic operations.
  4. Finally, review the **Key configuration** and click **Finish**.

![ReviewKeyConfig-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326690547476.png)

**Figure 19: Review key configuration**
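As an added example, not Fortanix's or AWS's own tooling, the script below performs the console steps of Sections 6.1 to 6.3 with the AWS CLI so the setup can be repeated or reviewed as code. Every ID, name and the region are placeholders; it assumes `jq` is installed, that the DSM configuration file copied in Section 5.7 uses the field names of the AWS external key store proxy configuration file (`XksProxyUriPath`, `XksProxyAuthenticationCredential`), and that the principal to allow is the regional KMS service principal `cks.kms.<region>.amazonaws.com` as documented by AWS.

```shell
#!/bin/sh
# Added example (not Fortanix's or AWS's code): AWS CLI equivalent of the console
# steps in Sections 6.1 to 6.3. Every ID, name and the region are placeholders.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
SUBNETS="${SUBNETS:-subnet-PLACEHOLDER-a subnet-PLACEHOLDER-b}"      # private subnets in two AZs
PROXY_IPS="${PROXY_IPS:-10.0.0.10 10.0.0.11}"                         # on-premises HAProxy nodes
PROXY_DNS="${PROXY_DNS:-xks-proxy.example.com}"                      # private DNS name of the proxy
DSM_CONFIG="${DSM_CONFIG:-./dsm-xks-app-config.json}"                # file copied in Section 5.7
DSM_KEY_UUID="${DSM_KEY_UUID:-00000000-0000-0000-0000-000000000000}" # UUID copied in Section 5.5

# Service principal AWS KMS uses to reach a VPC endpoint service (assumption, see lead-in).
kms_xks_principal() { printf 'cks.kms.%s.amazonaws.com\n' "$1"; }
# Polls a describe command until its text output equals $1 (remaining args are the command).
wait_for() { want="$1"; shift; until [ "$("$@")" = "$want" ]; do sleep 15; done; }

deploy() {
  # 6.1 Target group with IP targets on TCP/443. AvailabilityZone=all is what the
  # API requires for targets outside the VPC (on-premises, reached over DX/VPN).
  TG_ARN=$(aws elbv2 create-target-group --region "$REGION" --name xks-proxy-tg \
    --protocol TCP --port 443 --vpc-id "$VPC_ID" --target-type ip \
    --query 'TargetGroups[0].TargetGroupArn' --output text)
  for ip in $PROXY_IPS; do
    aws elbv2 register-targets --region "$REGION" --target-group-arn "$TG_ARN" \
      --targets "Id=$ip,Port=443,AvailabilityZone=all"
  done
  # 6.1 Internal NLB across both subnets with a TCP/443 listener to the target group.
  NLB_ARN=$(aws elbv2 create-load-balancer --region "$REGION" --name xks-proxy-nlb \
    --type network --scheme internal --subnets $SUBNETS \
    --query 'LoadBalancers[0].LoadBalancerArn' --output text)
  aws elbv2 create-listener --region "$REGION" --load-balancer-arn "$NLB_ARN" \
    --protocol TCP --port 443 --default-actions "Type=forward,TargetGroupArn=$TG_ARN"
  # 6.2 Endpoint service: acceptance not required, private DNS name = proxy name.
  SVC_ID=$(aws ec2 create-vpc-endpoint-service-configuration --region "$REGION" \
    --network-load-balancer-arns "$NLB_ARN" --no-acceptance-required \
    --private-dns-name "$PROXY_DNS" --supported-ip-address-types ipv4 \
    --query 'ServiceConfiguration.ServiceId' --output text)
  set -- $(aws ec2 describe-vpc-endpoint-service-configurations --region "$REGION" --service-ids "$SVC_ID" \
    --query 'ServiceConfigurations[0].[ServiceName,PrivateDnsNameConfiguration.Name,PrivateDnsNameConfiguration.Value]' \
    --output text)
  SVC_NAME="$1"; TXT_NAME="$2"; TXT_VALUE="$3"
  # Domain verification (Section 6.2, step 6): publish the TXT record under your domain,
  # then wait for the state to become "verified" before creating the key store.
  echo "Create TXT record under the domain of $PROXY_DNS: name=$TXT_NAME value=$TXT_VALUE"
  wait_for verified aws ec2 describe-vpc-endpoint-service-configurations --region "$REGION" \
    --service-ids "$SVC_ID" --query 'ServiceConfigurations[0].PrivateDnsNameConfiguration.State' --output text
  # Allow KMS to create its interface endpoint in the service (Section 6.2, step 7).
  aws ec2 modify-vpc-endpoint-service-permissions --region "$REGION" --service-id "$SVC_ID" \
    --add-allowed-principals "$(kms_xks_principal "$REGION")"
  # 6.3 External key store over the endpoint service; credentials come from the DSM file
  # (field names assumed to follow the AWS proxy configuration file format, see lead-in).
  URI_PATH=$(jq -r .XksProxyUriPath "$DSM_CONFIG")
  AKID=$(jq -r .XksProxyAuthenticationCredential.AccessKeyId "$DSM_CONFIG")
  SECRET=$(jq -r .XksProxyAuthenticationCredential.RawSecretAccessKey "$DSM_CONFIG")
  CKS_ID=$(aws kms create-custom-key-store --region "$REGION" --custom-key-store-name fortanix-dsm-xks \
    --custom-key-store-type EXTERNAL_KEY_STORE --xks-proxy-connectivity VPC_ENDPOINT_SERVICE \
    --xks-proxy-vpc-endpoint-service-name "$SVC_NAME" --xks-proxy-uri-endpoint "https://$PROXY_DNS" \
    --xks-proxy-uri-path "$URI_PATH" \
    --xks-proxy-authentication-credential "AccessKeyId=$AKID,RawSecretAccessKey=$SECRET" \
    --query CustomKeyStoreId --output text)
  aws kms connect-custom-key-store --region "$REGION" --custom-key-store-id "$CKS_ID"
  wait_for CONNECTED aws kms describe-custom-key-stores --region "$REGION" \
    --custom-key-store-id "$CKS_ID" --query 'CustomKeyStores[0].ConnectionState' --output text
  # KMS key whose material stays in DSM: the external key ID is the DSM security object UUID.
  KEY_ID=$(aws kms create-key --region "$REGION" --origin EXTERNAL_KEY_STORE \
    --custom-key-store-id "$CKS_ID" --xks-key-id "$DSM_KEY_UUID" \
    --query KeyMetadata.KeyId --output text)
  aws kms create-alias --region "$REGION" --alias-name alias/fortanix-dsm-xks --target-key-id "$KEY_ID"
  echo "KMS key $KEY_ID is backed by DSM key $DSM_KEY_UUID through $SVC_NAME"
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

Passing the secret access key as a command-line argument exposes it to other local users through the process list; on shared hosts, feed `create-custom-key-store` with `--cli-input-json` from a protected file instead.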

## 7.0 Using the XKS Key to Encrypt S3 Bucket

### 7.1 Create an S3 Bucket

This section describes how to use a Fortanix DSM key as an AWS customer-managed key to encrypt an S3 bucket.

1. Create an S3 bucket (**Amazon S3** → **Buckets** → **Create bucket**) encrypted with the KMS key created in Section 6.3.

![AWS-XKS-VPC-CreateS3bucket.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326736609812.png)

**Figure 20: Create an S3 bucket**
2. Upload a file to the S3 bucket and check the Fortanix DSM key access logs for the resulting operations on the key.

![UploadFileS3-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326726703124.png)

**Figure 21: Upload file to S3**

![UploadSuccessful-XKS-VPC.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18326711845012.png)

**Figure 22: Upload successful**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769074155118.png)

**Figure 23: Fortanix Key Access Logs**

## 8.0 References

- [AWS XKS troubleshooting guide](https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html)
- [Supported key types with AWS external key store](https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html)
- [Controlling access to your External keystore](https://docs.aws.amazon.com/kms/latest/developerguide/authorize-xks-key-store.html)

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Managing Fortanix DSM Keys with OpenSSL and PKCS#11 Tool](/managing-fortanix-data-security-manager-keys-with-openssl-and-pkcs11-tool.md)
- [Command-Line Interface (CLI) for Fortanix DSM (sdkms-cli)](/clients-command-line-interface-cli-for-fortanix-data-security-manager.md)
- [Fortanix DSM with AWS External Key Store (XKS)](/using-fortanix-dsm-with-aws-external-key-store-xks.md)
