Fortanix Data Security Manager (DSM) provides a secure and efficient Filesystem Encryption (FSE) solution for Linux, built on the gocryptfs and FUSE frameworks. It lets users encrypt filesystems while applications keep working unchanged. DSM handles the generation, storage, and management of cryptographic keys and fine-grained policies, so that access to encrypted files is tightly controlled. With Quorum policies for enhanced security and audit logging for accountability, DSM offers a centralized and robust approach to data protection.
The encryption process involves DSM securely managing the Master Key and Key Encryption Key (KEK). During initialization, the Master Key is encrypted with the KEK and stored securely. Upon mounting the filesystem, the FSE agent retrieves the Master Key, derives a Content Encryption Key for file data and an optional File Name Encryption Key for filenames, and enforces policies without retaining the Master Key in memory. This streamlined process ensures that sensitive data remains protected, while access policies written in Rego for Open Policy Agent (OPA) grant granular control to authorized users.
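The key hierarchy described above, as an added illustrative model that is not Fortanix's or gocryptfs's own code: at initialization the Master Key is wrapped under the KEK, and at mount time it is unwrapped, the Content Encryption Key (CEK) and File Name Encryption Key (FNEK) are derived from it under distinct labels, and the Master Key buffer is zeroized so only the derived keys remain in memory. The use of AES-256-GCM for wrapping, HKDF-SHA256 for derivation, and the label strings are assumptions of this example, not the product's actual choices.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// hkdfSHA256 derives a 32-byte subkey for one purpose label (RFC 5869, zero salt).
func hkdfSHA256(masterKey []byte, info string) []byte {
	mac := func(key, data []byte) []byte { h := hmac.New(sha256.New, key); h.Write(data); return h.Sum(nil) }
	prk := mac(make([]byte, sha256.Size), masterKey) // HKDF-Extract
	return mac(prk, append([]byte(info), 1))         // HKDF-Expand: T(1) = HMAC(PRK, info || 0x01)
}

// WrapMasterKey (initialization): seal the Master Key under the 32-byte KEK with AES-256-GCM.
func WrapMasterKey(kek, masterKey []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail as of Go 1.24
	return gcm.Seal(nonce, nonce, masterKey, nil), nil // stored blob: nonce||ciphertext||tag
}

// DeriveMountKeys (mount): unwrap the Master Key, derive CEK and FNEK, zeroize the Master Key.
func DeriveMountKeys(kek, wrapped []byte) (cek, fnek []byte, err error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(wrapped) < n+gcm.Overhead() {
		return nil, nil, errors.New("wrapped key blob too short")
	}
	masterKey, err := gcm.Open(nil, wrapped[:n], wrapped[n:], nil)
	if err != nil { // wrong KEK or tampered blob: the GCM tag check fails
		return nil, nil, err
	}
	cek = hkdfSHA256(masterKey, "file content encryption") // labels are constructed for
	fnek = hkdfSHA256(masterKey, "file name encryption")   // this example, not the product's
	for i := range masterKey {
		masterKey[i] = 0 // the Master Key is not retained after derivation
	}
	return cek, fnek, nil
}
```

A wrong KEK, a modified blob, or a truncated blob all fail at unwrap time, so no working keys are ever derived from an unauthenticated Master Key.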
For details on how to install and configure Filesystem Encryption on Linux, refer to the Filesystem Encryption - Linux Using Fortanix Data Security Manager guide.