1.0 Introduction
Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.
Fortanix DSM uses built-in cryptography in Intel® Xeon® CPUs to help protect the customer’s keys and data from all external agents, greatly reducing system complexity by removing the reliance on characteristics of the physical boxes. Intel® SGX enclaves prevent access to the customer’s keys or data by Fortanix or any other cloud service provider.
Unlike many hardware security technologies, Intel® SGX is architected to help protect arbitrary x86 program code. Fortanix DSM uses Intel® SGX to help protect not only the keys and data but also all the application logic, including role-based access control, account setup, password recovery, etc. The result is significantly improved security for a key management service that offers the elasticity of modern cloud software and the hardware-based security of an HSM appliance, all while drastically reducing initial and ongoing costs.
Fortanix DSM is designed to enable businesses to serve key management needs for all their applications, whether they are operating in a public, private, or hybrid cloud.
2.0 Cryptographic Operations and Key Management
Fortanix DSM enables you to manage the lifecycle of security objects (keys, certificates, etc.), and use them for performing cryptographic operations. The following operations are supported:
Create symmetric and asymmetric keys
Import your own keys
Import/export key
Derive new keys from existing keys
Key Tokenization
Role-based access control to determine which users, groups, or apps have access to which keys, and what operations on those keys
Statistics on the usage of keys
Complete audit trail for use of keys
Encryption and decryption using symmetric and asymmetric keys
Sign and verify operations
Create and update plugins
For more details, refer to the Fortanix DSM Algorithms Support.

Figure 1: Relationship between Fortanix DSM KMS Accounts, Groups, Apps, Keys, Users, and Plugins
3.0 Accounts 
A Fortanix DSM account is the top-level container for security objects managed by Fortanix DSM. An account is generally associated with an organization, rather than an individual. Security objects, groups, and applications belong to exactly one account. Different accounts are fully isolated from each other.
WARNING
When planning accounts, be aware that it is not possible to move security objects, groups, or applications between accounts. Therefore, create multiple accounts only when you are sure that there will not be a need to move objects between them.
4.0 Groups 
A group is a collection of related security objects. Access policies are set at the group level, so all security objects in a group share the same access policy. Any number of users and/or applications can be assigned to a group. Some examples of usage of groups are given in Authorization.
NOTE
Fortanix DSM versions < 4.34
Fortanix DSM user interface (UI) does not support loading more than 1000 groups. To view more groups, you can retrieve them using the Fortanix DSM REST API.
Fortanix DSM versions >= 4.34 - Server-Side Table Processing (SSTP)
If your DSM account contains more than 1000 groups:
The Groups page will display only the NAME, DESCRIPTION, and CREATED columns for a group.
You can only filter groups using the group Name, Description, and Created at.
The ADD APP button to add a new app using the APPS tab in the group’s details page will be disabled. However, you can use the Apps menu item in the DSM left-navigation bar to associate the app with the group.
You may experience delays in page loading.
You may notice reduced performance on the group’s details page if the group count exceeds 3000.
5.0 Applications 
An application (app) is a daemon, service, or other non-human client that uses Fortanix DSM. Applications can authenticate to Fortanix DSM using an API key (a secret token) or a TLS client certificate.
Depending on permissions, applications can:
create security objects
change properties of security objects
perform cryptographic operations using security objects
Applications cannot perform management operations like adding or modifying users and groups.
An application can be assigned to one or more groups. An application that is assigned to a group has permission to operate on all of the security objects in that group.
NOTE
Fortanix DSM versions < 4.34
Fortanix DSM UI does not support loading more than 1000 apps. To view more apps, you can retrieve them using the Fortanix DSM REST API.
Fortanix DSM versions >= 4.34 - Server-Side Table Processing (SSTP)
If your Fortanix DSM account contains more than 1000 apps:
The Apps page will display only the NAME, CREDENTIALS, CERT EXPIRES, GROUPS, and DESCRIPTION columns for an app.
You can only filter apps using the app Name and Description filters.
You may experience delays in page loading.
You may notice reduced performance on the app’s details page if the app count exceeds 3000.
6.0 Security Objects 
A security object is any datum stored in Fortanix DSM (for example, a key, a certificate, or a secret). For asymmetric key pairs, both the private and public keys are stored in a single security object. It is also possible for a security object to hold a public key without the associated private key.
Users and applications assigned to the group have permission to see the security object and to perform operations on it. Users and applications not assigned to a security object’s group cannot view or operate on that security object. See Authorization for more detail about the Fortanix DSM authorization model.
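The group-based rules described in sections 3.0 through 7.0 can be checked against an inventory to see which security objects each application credential would expose if it leaked. The following is an added example, not Fortanix code or the DSM API: the class names, the `is_allowed` and `reach` functions, and the inventory are all constructed, and the model deliberately considers only principal type, account, and group membership (it ignores per-object permissions, quorum policy, and plugins).

```python
from dataclasses import dataclass

CRYPTO, MANAGE, VIEW = "crypto", "manage", "view"

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str            # "user" or "app"
    account: str         # accounts are fully isolated from each other
    groups: frozenset    # groups this principal is assigned to

@dataclass(frozen=True)
class SecurityObject:
    name: str
    account: str
    group: str           # assumption: one group per object in this model

def is_allowed(p, op, sobj=None):
    """Decide by principal type, account and group membership only."""
    if op == MANAGE:                      # adding or modifying users and groups
        return p.kind == "user"           # applications cannot manage
    if sobj is None or sobj.account != p.account:
        return False                      # no access across accounts
    if sobj.group not in p.groups:
        return False                      # not assigned to the object's group
    if op == CRYPTO:
        return p.kind == "app"            # users cannot perform crypto operations
    return op == VIEW

def reach(p, objects):
    """Names of the security objects a principal can see through its groups."""
    return sorted(o.name for o in objects if is_allowed(p, VIEW, sobj=o))

# Constructed inventory for illustration only.
OBJECTS = [
    SecurityObject("payments-aes", "prod", "payments"),
    SecurityObject("payments-rsa", "prod", "payments"),
    SecurityObject("hr-tokenize", "prod", "hr"),
    SecurityObject("test-aes", "test", "payments"),
]
billing = Principal("billing-svc", "app", "prod", frozenset({"payments"}))
batch = Principal("batch-svc", "app", "prod", frozenset({"payments", "hr"}))
alice = Principal("alice@example.com", "user", "prod", frozenset({"hr"}))

if __name__ == "__main__":
    for p in (billing, batch, alice):
        print(p.name, reach(p, OBJECTS))
```

An application assigned to several groups, such as `batch-svc` here, reaches every security object in all of them, which is the figure to review when deciding how to split keys across groups.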
The copy key feature will copy a security object from a standard Fortanix DSM group to another standard group. This feature has the following advantages:
Maintains a single source of key material while using/importing that key across various Fortanix DSM groups where applications in respective groups may need to use a single key to meet some business objectives.
Maintains a link of various copies of the same key material to the source key for audit and tracking purposes.
See Copy Key for more details.
NOTE
Fortanix DSM versions >= 4.34 - Server-Side Table Processing (SSTP)
If your Fortanix DSM account contains more than 1000 security objects, you may experience delays in page loading.
You may notice reduced performance on the security object’s details page if the security object count exceeds 3000.
7.0 Users 
Users are associated with email addresses. A user can be a member of one or more accounts. For example, an employee might belong to an account for the corporate production environment, an account for the corporate test environment, and an account used for personal testing and development purposes.
Depending on permissions, users can:
perform management operations like adding or modifying users or groups
create security objects
change properties of security objects
review logs of Fortanix DSM key management and cryptographic activity
NOTE
Users are not able to perform cryptographic operations. Only applications can perform cryptographic operations.
8.0 Plugins 
Plugins are a powerful system allowing users to securely run sensitive business logic inside the Fortanix DSM.
For example, plugins may be used to
impose custom, arbitrarily complex access control policies on keys in Fortanix DSM.
require approval from a quorum before a key in Fortanix DSM is used.
ensure that an RSA key in Fortanix DSM may only sign certificates with a particular attribute.
require that a key in Fortanix DSM may only be wrapped with a certificate signed by a particular CA.
implement a secure higher-level cryptographic operation, including custom audit logs, to expose to outside apps.
Currently, Lua is the only language supported.
To know more about Plugins, see Plugins - Getting Started.
NOTE
Fortanix DSM UI does not support loading more than 1000 plugins. To view more plugins, you can retrieve them using the Fortanix DSM REST API.
8.1 Plugin Library 
Plugin Library (PL) is a feature of the Fortanix DSM that allows users to view a list of frequently used plugins from a common place. Fortanix DSM users can create local copies of the plugins in the library that they intend to use and then they can start invoking them.
The Fortanix DSM PL is backed by a Git repository that contains the plugin code. As this repository is updated by Fortanix with new plugins, Fortanix DSM users will be able to see the updated and new plugins available for use. To know more about Plugin Library, see User's Guide: Plugin Library.
9.0 Tasks
The Tasks feature provides an overview of all the quorum approval requests in your Fortanix DSM account. To know more about Tasks, see User's Guide: Quorum Policy.
NOTE
Fortanix DSM UI does not support loading more than 1000 approval requests. To view more tasks, you can retrieve them using the Fortanix DSM REST API.
10.0 Audit Logs 
Fortanix DSM automatically maintains an internal audit log of system operations. You can configure Fortanix DSM to send these audit log entries to an external logging system such as Splunk, Google Stackdriver, and Syslog Server.
A typical enterprise might have a requirement to collect and maintain a log of all the systems including Fortanix DSM in a single place. These enterprises can write rules using external logging systems such as Splunk, Google Stackdriver, and Syslog to generate actions like alerts, emails, and so on when a log or event occurs. Fortanix DSM supports the mechanism to push all its logs/system events to these third-party servers to enable external logging of events. To know more about Audit Logs, see User's Guide: Logging.
11.0 Quorum Policy 
Enabling a quorum approval policy for a group in Fortanix DSM Service (KMS) prevents a single user (or administrator) from being able to access or use a highly sensitive key. A group administrator may enable a quorum approval policy on a group, which mandates that all security-sensitive operations in that group require a quorum approval. Such operations include using a key for cryptographic operations or deleting or updating a group. To know more about Quorum Policy, see User's Guide: Quorum Policy.
12.0 Single Sign-On
Fortanix DSM accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account will be able to log in with their SSO credentials. Currently, the following SSO mechanisms are available: SAML and OpenID Connect / OAuth. To know more about Single Sign-On, see User's Guide: Single Sign-On.
13.0 Authentication
All clients connecting to Fortanix DSM must be authenticated. Clients are classified as either users or applications. A user authenticates to Fortanix DSM using a password. An application authenticates to Fortanix DSM using either an API key or a TLS client certificate. To know more about Authentication, see User's Guide: Authentication.
14.0 Authorization
Once a user or an app is authenticated, it still needs authorization to perform an operation on Fortanix DSM. Fortanix DSM provides fine-grained authorization controls that can broadly be categorized into “time-based authorization”, “role-based access control (RBAC)”, “quorum-based authorization”, “key-based authorization”, “LDAP authorization” and “authorization for plugins”. To know more about Authorization, see User's Guide: Authorization.