Fortanix Data Security Manager - DCAP Offline Attestation

  • Updated on Oct 6, 2025
  • Published on Sep 23, 2025
  • 4 minute(s) read
Prev Next

1.0 Introduction

Fortanix-Data-Security-Manager (DSM) is built to operate entirely within Intel® Software Guard Extensions (SGX) enclaves, ensuring that users’ cryptographic keys are protected from even highly privileged attacks. To fully leverage the security benefits of SGX, it is essential to verify that Fortanix DSM software is running unmodified within a genuine SGX enclave on trusted hardware.

This article provides instructions for configuring Data Center Attestation Primitives (DCAP) Offline Attestation in Fortanix DSM clusters.

2.0 What is Intel SGX Attestation?

Intel® Software Guard Extensions (SGX) is a technology that allows software developers to encrypt their application’s data at run time. It achieves this by allowing applications to launch specially protected software containers, also known as enclaves. These enclaves can be used for protecting the application’s data from adversaries who could have root privileges or even physically tap the memory bus.

To utilize the security guarantees of SGX fully, the user must also verify that the application that they have built is running unmodified inside a secure enclave. With the clustered environment, it is also important that each node shares data only after verifying the authenticity of the Software and Hardware of the other node.

The SGX attestation process enables each node in a Fortanix DSM cluster to cryptographically prove the following:

  • The DSM software, as built and signed by Fortanix, is running unaltered inside a genuine Intel® SGX enclave.

  • The underlying hardware is a trusted SGX platform with all required microcode updates applied at boot.

  • All necessary hardware and software configurations for SGX are correctly in place.

3.0 Attestation Events

Attestation is performed when substantial changes are made to a Fortanix DSM cluster. Fortanix DSM communicates with the DCAP service when a valid attestation is required for a node.

Below are the events when this is required:

  • Creation of a new cluster.

  • Addition of a new node to the cluster.

  • Replacing nodes in an existing cluster (for example: replacing failed hardware nodes).

  • Software upgrade. All nodes require attestation.

  • Node reboot post-BIOS changes.

Once the above events pass with valid attestations, no further attestation is sought during the normal software execution or API requests.

4.0 What is Intel DCAP?

Intel® enables attestation of SGX enclaves through a remote attestation service called DCAP.

DCAP is a set of libraries and APIs provided by Intel to enable attestation of SGX enclaves without relying on Intel’s IAS (Intel Attestation Service).

DCAP allows relying parties (verifiers) to perform attestation within a data center, using platform-provided evidence.

5.0 What is Offline Attestation?

Intel DCAP Offline Attestation is a method of verifying the trustworthiness of a system using Intel® SGX (Software Guard Extensions), without requiring direct access to Intel’s cloud-based attestation service. It is commonly used in confidential computing environments where external internet access is restricted.

6.0 Configure DCAP Offline Attestation

Perform the following steps to configure DCAP Offline Attestation on a new Fortanix DSM cluster:

  1. Create a config.yaml file, including the following:

    global:
 rebootEnabled: true
 attestation:
   dcap:
    type: offline
 externalLoadBalancer: true
sdkms:
 clusterIp: 1.1.1.1

  2. Run the following command to create a Fortanix DSM cluster:

    sudo sdkms-cluster create --config ./config.yaml --self <NODE_IP>

  3. Pull the appropriate container image that matches your Fortanix DSM version.

    For example, the following image ID is used for Fortanix DSM version 5.0

    crictl pull containers.fortanix.com:5000/dcap-retrieve-pckid:2.25.100.3-0.1.0

  4. Navigate to /usr/bin and run the following command to fetch the pckid of the node:

    root@dsm-server:/usr/bin# ./retrieve-pckid

    Copy the PCK ID value from the output and save it to a CSV file named pckid.csv.

  5. Download the dcap_artifact_retrieval executable.

    NOTE

    Contact Fortanix Support for the download link.

    Example:

    wget https://sdkms-artifacts-release.s3.us-west 1.amazonaws.com/2815/dcap_artifact_retrieval

chmod +x dcap_artifact_retrieval

  6. Run the dcap_artificact_retrieval command to download the artifacts to /data/dcap-artifacts directory:

    sudo ./dcap_artifact_retrieval --pckid-file pckid.csv --output-dir /data/dcap-artifacts -v

    NOTE

    Artifacts can be downloaded on a separate Linux host with internet access. The artifacts for each node can then be copied to the respective node and stored under /data/dcap-artifacts.

  7. Run the following command to delete the sdkms pod and ensure that the pod restarts without issues:

    sudo kubectl delete pod sdkms-...

  8. Proceed with standard certificate procedures:

    • get_csrs

    • install_certs

    For more information, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.

  9. Repeat Steps 4 to 7 for each node to add to the cluster.

7.0 Frequently Asked Questions

  1. Can I switch from online to offline DCAP attestation on an existing cluster?

    Yes. If the cluster was configured with attestation enabled, it can switch from online to offline mode. In the event of a network outage, the cluster will automatically fall back to offline attestation using the artifacts stored in /data/dcap-artifacts.

  2. Can I enable offline attestation on a cluster that was not configured for attestation?

    No. Offline attestation cannot be enabled on clusters that were initially set up without any attestation mode. In such cases, you must recreate the cluster with attestation enabled in the configuration.