Fortanix Data Security Manager Architecture


Fortanix Data Security Manager™ (DSM) enables users and applications to securely generate, manage, and store cryptographic keys. It uses Intel® Software Guard Extensions (Intel® SGX) technology in Intel® Xeon® CPUs to keep keys and data safe within Intel® SGX enclaves, protecting them from malware, the operating system, hypervisors, and service providers. This software-based approach offers HSM-grade security without the need for physical hardware security modules (HSMs), supporting deployment across public cloud, on-premise, or hybrid infrastructures.

Fortanix DSM leverages Intel® SGX to run critical application functions like authentication and access control within secure enclaves, providing superior security compared to traditional HSMs. Its FIPS 140-2 Level 3 certified hardware appliance, built from off-the-shelf components, reduces initial and operational costs.

The system is horizontally scalable, meaning its capacity grows as more nodes are added, and it is designed for high availability with built-in redundancy and disaster recovery. It uses a distributed encrypted storage system with Cassandra, incorporating Paxos and Raft protocols to safeguard against data loss and corruption.

Fortanix DSM generates or derives various keys and uses them to secure data at different points within the system. Fortanix DSM always keeps customer keys encrypted, whether they are on the disk, on the network, or in a Fortanix DSM node's memory. The following is a high-level overview of the key hierarchy in Fortanix DSM:

  • Platform keys

  • Cluster-wide keys

  • Keys for protecting data at rest

  • Keys for protecting data in transit

  • Keys for protecting data in use (only applicable when using SGX-based deployments)

For more details about the architecture, key hierarchy, and the building blocks of Fortanix DSM, refer to the DSM On-Premise Architecture Guide.