---
title: "Exporting Fortanix DSM Keys to Cloud Providers for BYOK - Alibaba"
slug: "exporting-dsm-keys-to-cloud-providers-for-byok-alibaba"
updated: 2026-04-17T16:50:53Z
published: 2026-04-17T16:50:53Z
---


# Exporting Fortanix DSM Keys to Cloud Providers for BYOK - Alibaba

## 1.0 Introduction

There are several ways to export **Fortanix Data Security Manager (DSM)** keys to major cloud providers that support Bring Your Own Key (BYOK) for server-side encryption.

## 2.0 Prerequisites

Ensure the following:

- Fortanix DSM must be accessible. *For more information, refer to* [*Section 3.1: Signing Up*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#31-signing-up) *and* [*Section 3.2: Creating an Account*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#32-creating-an-account).
- Download the DSM CLI from [*here*](https://fortanix.zendesk.com/hc/en-us/sections/17701671182356-Fortanix-DSM-CLI).

## 3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(74).png)

**Figure 2: Add groups**
2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(73).png)

**Figure 3: Add application**
2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 3.3: Creating a Group*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#33-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 3.4: Creating an Application*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#34-creating-an-application) to go to the detailed view of the app.
2. On the **INFO** tab, click **VIEW API KEY DETAILS**.
3. From the **API Key Details** dialog box, copy the **API Key** of the app to use in [*Section 6.0: Authenticate the Application*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#60-authenticate-the-application).

## 4.0 Create an External Key in Alibaba KMS

Perform the following steps to create and prepare an external key for BYOK import into Alibaba Cloud KMS:

1. In the Alibaba Cloud Key Management Service (KMS), create a new key and select **External** as the key material source.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(26).png)

**Figure 4: Create an external key**
2. After creation, the key appears with the status **Pending Import** and the key material source set to **External**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(27).png)

**Figure 5: Pending import status**
3. Download the following key encryption material from Alibaba Cloud. You use this material to wrap the key in Fortanix DSM and to complete the import into Alibaba:
  - **Public key**
  - **Import Token**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(28).png)

**Figure 6: Download key material**

## 5.0 Creating a Security Object

### 5.1 Import Alibaba Public Key

Perform the following steps to import the Alibaba public key in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click **ADD SECURITY OBJECT** to create a new security object.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-SO(29).png)

**Figure 7: Adding security object**
2. On the **Add new Security Object** page:
  1. **Security Object name**: Enter the name for your security object.
  2. **Group**: Select the group as created in [*Section 3.3: Creating a Group*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#33-creating-a-group).
  3. Select **IMPORT**.
  4. In the **Choose a type** section, select the **RSA** key type.
  5. In the **Place value here or import from file** section, select the value format type as **Hex**, **Base64**, or **Raw** and click **UPLOAD A FILE** to import the Alibaba public key.
  6. In the **Key operations permitted** section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
3. Click **IMPORT** to create the new security object.
4. From the top of the security object’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the security object **UUID** to copy it for use in [*Section 7.0: Wrap and Import Customer Master Key into Alibaba KMS*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#70-wrap-and-import-customer-master-key-into-alibaba-kms).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769074489325.png)

**Figure 8: RSA key imported**

The new security object is added to the Fortanix DSM successfully.

### 5.2 Generate Customer Master Key

Perform the following steps to generate a Customer Master Key (CMK) in DSM, which will later be wrapped with the Alibaba public key and imported into Alibaba:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click **ADD SECURITY OBJECT** to create a new security object.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-SO(30).png)

**Figure 9: Adding security object**
2. On the **Add new Security Object** page:
  1. **Security Object name**: Enter the name for your security object.
  2. **Group**: Select the group as created in [*Section 3.3: Creating a Group*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#33-creating-a-group).
  3. Select **GENERATE**.
  4. In the **Choose a type** section, select the **AES** key type.
  5. In the **Key Size** section, select the size of the key in bits.
  6. In the **Key operations permitted** section, select the required operations to define the actions that can be performed with the cryptographic keys.

> [!NOTE]
> Ensure that you select the Export permission.
3. Click **GENERATE** to create the new security object.
4. From the top of the security object’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the security object **UUID** to copy it for use in [*Section 7.0: Wrap and Import Customer Master Key into Alibaba KMS*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#70-wrap-and-import-customer-master-key-into-alibaba-kms).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769074517871.png)

**Figure 10: AES key generated**

The new security object is added to the Fortanix DSM successfully.

## 6.0 Authenticate the Application

Run the following command to authenticate the app using the Fortanix DSM CLI:

```bash
sdkms-cli app-login --api-endpoint <Your_DSM_Service_URL> --api-key YOUR_APP_API_KEY
```

Where,

- `<Your_DSM_Service_URL>`: Refers to the Fortanix DSM URL, passed with `--api-endpoint`.
- `YOUR_APP_API_KEY`: Refers to the Fortanix DSM app API key as copied in [*Section 3.5: Copying the API Key*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#35-copying-the-api-key).

## 7.0 Wrap and Import Customer Master Key into Alibaba KMS

Perform the following steps to securely wrap the CMK with Alibaba’s public key and import it into Alibaba Cloud KMS:

1. Run the following command to wrap the AES key (customer master key) with the Alibaba public key:

```bash
$ sdkms-cli wrap-key --kid <Target Key UUID in DSM> --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <UUID of Alibaba Wrapping Public Key> --out alibabawrap.key
```

Where,
  - `<Target Key UUID in DSM>`: Refers to the UUID of the AES key in Fortanix DSM that you want to import to Alibaba KMS, as copied in [*Section 5.2: Generate Customer Master Key*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#52-generate-customer-master-key).
  - `<UUID of Alibaba Wrapping Public Key>`: Refers to the UUID of the Alibaba RSA key that you imported in Fortanix DSM, as copied in [*Section 5.1: Import Alibaba Public Key*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#51-import-alibaba-public-key).
2. Run the following OpenSSL command to encode the wrapped key in base64 format:

```bash
$ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key
```
3. Upload the base64-encoded wrapped key to Alibaba KMS. During the upload process, use the **Import Token** that you downloaded from Alibaba KMS in [*Section 4.0: Create an External Key in Alibaba KMS*](/v1/docs/exporting-dsm-keys-to-cloud-providers-for-byok-alibaba#30-create-an-external-key-in-alibaba). This step completes the secure import of the externally managed key.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(31).png)

**Figure 11: Import key material form**
4. After a successful import, verify that the external key status in Alibaba KMS is set to **Enabled**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(32).png)

**Figure 12: External key status**
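
The wrap and encode in steps 1 and 2, modelled locally with OpenSSL as an added example (not Fortanix or Alibaba code). It assumes `OAEP_MGF1_SHA1` means OAEP with SHA-1 for both the hash and MGF1; the RSA key pair, the 32-byte key and the temporary paths are throwaway stand-ins, and `wrap_oaep_sha1`, `check_wrapped` and `dry_run` are hypothetical helper names.

```shell
# Added example: dry run of the Section 7 wrap using throwaway keys.
# Every key and path below is a constructed stand-in, not DSM or Alibaba material.

# RSA-OAEP (MGF1, SHA-1) wrap of key file $2 under public key $1, then one-line
# base64, writing $3.key and $3base64.key as in steps 1 and 2.
wrap_oaep_sha1() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "${3}.key" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 \
    -pkeyopt rsa_mgf1_md:sha1 || return 1
  openssl enc -e -base64 -A -in "${3}.key" -out "${3}base64.key"
}

# Pre-upload check: the wrapped blob must be exactly one RSA block (the modulus
# size in bytes) and its base64 form must sit on a single line.
check_wrapped() {
  mod=$(openssl rsa -pubin -in "$1" -noout -modulus) || return 1
  mod=${mod#Modulus=}
  want=$(( ${#mod} / 2 ))
  got=$(( $(wc -c < "${2}.key") ))
  b64=$(( $(tr -d '\n' < "${2}base64.key" | wc -c) ))
  lines=$(( $(wc -l < "${2}base64.key") ))
  [ "$got" -eq "$want" ] || { echo "blob is $got bytes, expected $want" >&2; return 1; }
  [ "$b64" -eq $(( (want + 2) / 3 * 4 )) ] || { echo "bad base64 length" >&2; return 1; }
  [ "$lines" -le 1 ] || { echo "base64 output is line-wrapped" >&2; return 1; }
  echo "$got"
}

# Full round trip: generate stand-in keys, wrap, check, unwrap, compare.
dry_run() {
  d=$(mktemp -d) || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/priv.pem" 2>/dev/null || return 1   # stand-in for the Alibaba key pair
  openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem" || return 1
  openssl rand -out "$d/cmk.bin" 32 || return 1   # stand-in for an AES-256 CMK
  wrap_oaep_sha1 "$d/pub.pem" "$d/cmk.bin" "$d/alibabawrap" || return 1
  size=$(check_wrapped "$d/pub.pem" "$d/alibabawrap") || return 1
  openssl pkeyutl -decrypt -inkey "$d/priv.pem" -in "$d/alibabawrap.key" \
    -out "$d/unwrapped.bin" -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1 || return 1
  cmp -s "$d/cmk.bin" "$d/unwrapped.bin"; rc=$?
  rm -rf "$d"
  [ "$rc" -eq 0 ] && echo "$size"
}

dry_run
```

`check_wrapped` also works on the real `alibabawrap.key` and `alibabawrapbase64.key` files before the upload in step 3, given the Alibaba public key in PEM form.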

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.

