DSM-Accelerator - Concepts

1.0 Introduction

Fortanix DSM, in conjunction with DSM-Accelerator, provides a comprehensive application encryption and tokenization service. Fortanix DSM allows you to securely generate, store, and use cryptographic keys and certificates, as well as secrets such as passwords, API keys, tokens, or any blob of data. Fortanix DSM can be clustered in geographically dispersed locations and deployed on bare metal, on-premises, or in cloud-native VMs. This meets the demands of robust enterprise data security, but clients or applications with ultra-low latency and high-throughput requirements can further satisfy their SLAs by performing certain cryptographic operations locally using Fortanix DSM-Accelerator.

1.1 DSM-Accelerator Use Cases

Enterprises run multiple business applications on their infrastructure to increase and measure productivity and to support day-to-day HR operations, business workflows, network security, and administrative use cases. These applications process a high number of transactions per second and store sensitive and personally identifiable information about users and enterprise customers. To protect this data, enterprises must encrypt and decrypt it at very high volumes with low response times. Fortanix DSM addresses the data protection problem by encrypting sensitive data so that only people with access to a secret key or password can read it.

Fortanix DSM is installed in a cluster, on-premises or in the cloud, remotely from client applications, to secure the key material of the encrypted data and to address data compliance. This remoteness increases latency for client applications whose responses are time-sensitive. Fortanix DSM-Accelerator is deployed in close proximity to client applications and provides a subset of the capabilities of Fortanix DSM, supporting high rates of crypto operations with low latency and high throughput.

1.2 Advantages of Using DSM-Accelerator

The following are the advantages of using DSM-Accelerator:

  • It delivers cryptographic operations at a very high throughput without adding more DSM nodes.

  • It provides negligible latency between business applications and the cryptographic interface.

1.3 DSM-Accelerator Security Tradeoffs

DSM-Accelerator achieves high throughput and negligible latency between the applications and the cryptographic interface by caching keys locally, outside the FIPS boundary, for faster crypto operations. This results in a reduced security posture for keys in use, which is an accepted trade-off for high throughput and low latency requirements. For an increased security posture, customers can continue to use the regular Fortanix PKCS#11 and JCE libraries, at the cost of slightly higher latency and lower throughput.

1.4 Authentication

Applications connecting to DSM-Accelerator need to be enrolled in the corresponding DSM. DSM-Accelerator authenticates to DSM using the application's credentials to fetch the requested key.

Currently, DSM-Accelerator only supports authentication using an API key. For details on how to create an app, see the Getting Started Guide.

1.5 Permission Required on Security Objects

DSM-Accelerator exports the security object from Fortanix DSM and caches it locally so that cryptographic operations can be performed without a round trip to DSM.

NOTE

  • When creating a security object, make sure to select the “Export” permission to allow the object to be exportable. If the security object does not have export permission, it cannot be used by the DSM-Accelerator.

For more details on creating security objects and various permissions, please refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.
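
The following check is an added example, not Fortanix code. It compares an inventory of security objects with an allowlist of keys intended for DSM-Accelerator and reports the keys the accelerator cannot use because they lack the Export permission, along with exportable keys that are not on the allowlist. The record fields name and key_ops, the permission spelling EXPORT, and the allowlist itself are assumptions made for this example.

```python
from dataclasses import dataclass, field

EXPORT = "EXPORT"  # assumed spelling of the "Export" permission in the inventory


@dataclass
class Audit:
    usable: list = field(default_factory=list)       # approved and exportable
    blocked: list = field(default_factory=list)      # approved, but no Export permission
    overexposed: list = field(default_factory=list)  # exportable, but not approved
    missing: list = field(default_factory=list)      # approved, but not in the inventory


def has_export(sobject):
    """True if the object's permission list contains Export (case-insensitive)."""
    ops = sobject.get("key_ops") or []  # an absent or null list means no permissions
    return any(str(op).strip().upper() == EXPORT for op in ops)


def audit(inventory, approved):
    """Compare an inventory of security objects with the accelerator allowlist."""
    approved = set(approved)
    result = Audit()
    seen = set()
    for sobject in inventory:
        name = sobject.get("name", "<unnamed>")
        seen.add(name)
        exportable = has_export(sobject)
        if name in approved:
            (result.usable if exportable else result.blocked).append(name)
        elif exportable:
            result.overexposed.append(name)
    result.missing = sorted(approved - seen)
    return result


# Constructed sample inventory; names and permission sets are illustrative.
SAMPLE_INVENTORY = [
    {"name": "tokenize-pan", "key_ops": ["ENCRYPT", "DECRYPT", "EXPORT"]},
    {"name": "session-hmac", "key_ops": ["MACGENERATE", "MACVERIFY"]},
    {"name": "root-signing", "key_ops": ["SIGN", "VERIFY", "export"]},
    {"name": "archive-kek", "key_ops": None},
]
APPROVED = ["tokenize-pan", "session-hmac", "batch-aes"]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, APPROVED))
```

Keys reported as overexposed are candidates for having the Export permission removed, since section 1.3 notes that exported keys are cached outside the FIPS boundary.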

2.0 DSM-Accelerator Architecture

[Figure: DSM-Accelerator architecture diagram (Architecture_DSM_A.png)]

3.0 DSM-Accelerator Webservice

For the DSM-Accelerator Webservice deployment steps, refer to the DSM-Accelerator Webservice Deployment Guide.

To download Fortanix DSM-Accelerator Webservice:

  1. Go to the Fortanix DSM Downloads portal.

  2. In the section Fortanix DSM-Accelerator, click the sub-section DSM-Accelerator Downloads.

  3. Click the article DSM-Accelerator Webservice and download the TAR file.

4.0 DSM-Accelerator PKCS#11 Client

4.1 Supported Operating System

  • DSM-Accelerator PKCS#11 Client

    • Linux

      • CentOS 7, RedHat, Debian

For the DSM-Accelerator client deployment process, refer to the DSM-Accelerator Clients Deployment Guide.

To download Fortanix DSM-Accelerator PKCS#11 Client:

  1. Go to the Fortanix DSM Downloads portal.

  2. In the section Fortanix DSM-Accelerator, click the sub-section DSM-Accelerator Downloads.

  3. In the DSM Accelerator PKCS#11 section, click the latest DSM-Accelerator PKCS#11 version and download the desired Linux or Windows library.

5.0 DSM-Accelerator JCE Provider

5.1 Supported Operating Systems

The DSM-Accelerator Unified JCE/SDK client is supported on Linux and Windows Server operating systems.

  • DSM-Accelerator JCE Client

    • Linux

      • CentOS 7, RedHat, Debian

    • Windows

      • Windows Server 2019 and 2022

For the DSM-Accelerator JCE Provider deployment process, refer to the DSM-Accelerator JCE Provider Deployment Guide.

To download Fortanix DSM-Accelerator JCE Provider:

  1. Go to the Fortanix DSM Downloads portal.

  2. Click the required sub-section under the section Downloads.

  3. Click the article DSM Accelerator JCE Provider and download the JCE library bundle for Java 8 or Java 11, and Java SDK.

6.0 Frequently Asked Questions


Does DSM-Accelerator support signing?

Yes, DSM-Accelerator supports signing.