---
title: "Installation from Azure Marketplace"
slug: "fortanix-data-security-manager-installation-from-azure-marketplace"
updated: 2026-05-28T14:21:59Z
published: 2026-05-28T14:21:59Z
canonical: "support.fortanix.com/fortanix-data-security-manager-installation-from-azure-marketplace"
---

# Installation from Azure Marketplace

## 1.0 Introduction

This article describes the steps required to install Fortanix-Data-Security-Manager (DSM) from Microsoft Azure Marketplace.

## 2.0 Security Updates

From time to time, security updates will need to be applied by the cloud provider to the platform running your Fortanix DSM virtual machines. Azure will notify you through email of “Action required for your Azure Confidential Computing workload” or similar. Generally, they will inform you of a time frame in which you must reboot each of your VMs. At the end of the time period, VMs that have not yet been rebooted will be forcibly rebooted by the system. To ensure the continued availability of your service and stored data, Fortanix urges you to do a rolling reboot of all the VMs during the reboot opt-in period.

> [!NOTE]
> NOTE
> 
> To avoid loss of cluster, VMs should be rebooted in a rolling manner, that is, only one VM should be rebooted at a time. The next VM should be rebooted only after the previously rebooted VM is fully functional as part of the Fortanix DSM cluster.

## 3.0 Maintenance

During any type of VM maintenance, if the VMs are being rebooted or replaced, then only one VM should be rebooted or replaced at a time. The next VM should be rebooted or replaced only after the previously rebooted/replaced VM is fully functional as part of the Fortanix DSM cluster.
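
The one-at-a-time rule from sections 2.0 and 3.0, written out as an added shell example (not Fortanix tooling): it restarts each VM in turn and stops at the first one that does not come back healthy, leaving the remaining VMs untouched. The default hooks are assumptions: `reboot_vm` uses the Azure CLI, and `vm_is_healthy` treats a Kubernetes node `Ready` status (node name equal to VM name) as the health signal; replace it with the check your runbook uses for DSM cluster membership.

```shell
#!/usr/bin/env bash
# Added example: rolling reboot of DSM cluster VMs, one at a time.
# REBOOT_CMD and HEALTH_CMD are hooks; the defaults below are assumptions.
REBOOT_CMD=${REBOOT_CMD:-reboot_vm}       # called as: $REBOOT_CMD <vm>
HEALTH_CMD=${HEALTH_CMD:-vm_is_healthy}   # called as: $HEALTH_CMD <vm>, 0 = healthy
WAIT_TIMEOUT=${WAIT_TIMEOUT:-1800}        # max seconds to wait for one VM
POLL_INTERVAL=${POLL_INTERVAL:-30}        # seconds between health checks

# Default reboot hook: Azure CLI restart. RESOURCE_GROUP must be set.
reboot_vm() {
  az vm restart --resource-group "$RESOURCE_GROUP" --name "$1"
}

# Default health hook (assumption): the Kubernetes node named after the VM
# reports Ready. Substitute your own check for DSM cluster membership.
vm_is_healthy() {
  [ "$(kubectl get node "$1" \
      -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null)" = "True" ]
}

# rolling_reboot <vm>... ; returns non-zero and stops at the first failure.
rolling_reboot() {
  for rr_vm in "$@"; do
    # Do not take a node down while any peer is already unhealthy.
    for rr_peer in "$@"; do
      if ! "$HEALTH_CMD" "$rr_peer"; then
        echo "abort: $rr_peer is unhealthy, not rebooting $rr_vm" >&2
        return 1
      fi
    done
    if ! "$REBOOT_CMD" "$rr_vm"; then
      echo "abort: reboot of $rr_vm failed" >&2
      return 1
    fi
    # Wait until the rebooted VM is healthy again before touching the next one.
    rr_waited=0
    while :; do
      sleep "$POLL_INTERVAL"
      rr_waited=$((rr_waited + POLL_INTERVAL))
      if "$HEALTH_CMD" "$rr_vm"; then
        echo "ok: $rr_vm is back in the cluster"
        break
      fi
      if [ "$rr_waited" -ge "$WAIT_TIMEOUT" ]; then
        echo "abort: $rr_vm not healthy after ${rr_waited}s, remaining VMs untouched" >&2
        return 1
      fi
    done
  done
}
# Usage: RESOURCE_GROUP=<resource-group> rolling_reboot <cluster-name>-vm1 <cluster-name>-vm2 <cluster-name>-vm3
```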

## 4.0 Prerequisites

To install Fortanix DSM, the following requirements have to be met:

1. A valid account in Microsoft Azure
2. It is recommended to create a minimum 3-node cluster

> [!NOTE]
> **NOTE**
> 
> Ensure your Azure account has the necessary permissions to create the required number of Confidential Computing VMs for SGX (DC8_v2 or DC8s_v3 type) and General Compute VMs for non-SGX (D8ds_v4 type) in the target region. Contact your Azure support for an increase in the limit if required.

## 5.0 List of Required Open Ports

*For port requirements, refer to* [*Fortanix Data Security Manager Port Requirements*](https://support.fortanix.com/v1/docs/fortanix-data-security-manager-port-requirements)*.*

## 6.0 Fortanix DSM Deployment from Azure Marketplace

A system administrator should follow the steps described in the following sections to deploy the Fortanix DSM software from Microsoft Azure Marketplace and install it on a Microsoft Azure Virtual Machine (VM). A VM can fail due to various reasons, such as connectivity issues, system failures, and so on. Since we are going to host Fortanix DSM on a VM, we have to ensure that the service is available and running even during these failures. To handle this, we use multiple VMs so that the cluster is highly available for the Fortanix DSM applications running on these VMs and the user does not face any issues in scenarios when a VM downtime occurs (planned or unplanned).

> [!WARNING]
> **WARNING**
> 
> After Fortanix DSM is configured and set up, do not shut down all of your VMs. If all VMs are shut down and then powered on later, it may require resetting the Fortanix DSM cluster and reconfiguring if the VMs happen to start with a different physical CPU.

> [!NOTE]
> **NOTE**
> 
> Azure confidential computing supports up to three availability zones based on what the chosen Region supports. Deploying VMs across different availability zones enhances fault tolerance and ensures higher availability in the event of a failure in one zone.

### 6.1 Creating a Virtual Machine from Azure Marketplace

1. Go to Azure Marketplace and visit the Fortanix DSM page at the URL: [https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.fortanix-sdkms-sgx](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.fortanix-sdkms-sgx).

![Azuredeployment1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/4403031721492.png)

**Figure 1: Fortanix DSM Listing on Azure Marketplace**
2. Click **GET IT NOW** on the left to enter the Azure portal and create the app in Azure.

![Azuredeployment2.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/4403038678036.png)

**Figure 2: Enter the Azure Portal**
3. In the **Create this app in Azure** pop-up window, click **Continue** to agree to the Microsoft Standard Contract terms of use.

![Azuredeployment3.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/4403031728020.png)

**Figure 3: Agree to Microsoft Contract Terms**

This will take you to the Fortanix DSM page to complete the process.
4. In the Fortanix DSM page, click **Create**.

![Azuredeployment4.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/4403031729428.png)

**Figure 4: Create a resource group in Azure**
5. In the form under **Project details** section, for the **Region** field:
  1. For **SGX** - Select either **East US**, **West US2**, **UK South**, **West Europe**, or **Southeast Asia** region (more regions will be added as Azure adds Confidential Computing support to more regions).
  2. For **Non-SGX** - Select any region supporting VM sizes: **D8ds_v4**.

> [!NOTE]
> **NOTE**
> 
> Fortanix DSM service is currently available in the above regions.

![Azuredeployment5.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/4403038679572.png)

**Figure 5: Select Region**
6. Enter **Cluster Name**, **Cluster Size** (the default cluster size is `3`), **Username**, **Authentication type**, and **VM Size**.
7. For SGX, select the required SGX **DSM Version** and the **DSM Plan** as **sgx-plan**.

![SGX-AzureInstall.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot from 2024-09-02 13-55-37 (1)(1).png)

**Figure 6: SGX plan**

> [!NOTE]
> NOTE
> 
> The user must allocate a minimum of 512GB of disk space while launching the marketplace image on the Fortanix DSM.
8. For non-SGX, select the required non-SGX **DSM Version** and the **DSM Plan** as **non-sgx-plan**.

![Non-SGX-AzureInstall.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot from 2024-09-02 13-56-25.png)

**Figure 7: Non-SGX plan**
9. Click **Review + create** to create the VM.
10. A deployment verification will start and will validate the inputs provided.

![Azuredeployment8.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/4403031763732.png)

**Figure 9: Deployment Started**
11. Click **Create** to start the SDKMS deployment.

![deployment_progress.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360056482772.png)

**Figure 10: Deployment Progress**

Wait for the deployment process to finish. Depending on the size of the cluster, it can take around 30 minutes for this process to complete.
12. Gather information regarding the Load balancer IP and the VM IP for the next steps. After the deployment completes, go to the resource group that was used to create the Fortanix DSM cluster.
  - Go to the “**<cluster-name>-lbPublicIP**” resource to get the Load Balancer IP.

![loadbal_ip.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360056483572.png)

**Figure 11: Load balancer IP**
  - Go to “**<cluster-name>-vm<number>**” resource and click **Connect** in the left panel to get the VM IP address.

![vm_ip_connect.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360056632811.png)

**Figure 12: VM IP**

### 6.2 Creating and Configuring a Cluster for Fortanix DSM

> [!NOTE]
> **NOTE**
> 
> - Add additional admin users to make sure you are not locked-out on the loss of the public key.
> - Disable public ssh access for each VM after configuration is complete.

1. Log in to all three VMs and reboot them.

```bash
#Log in
ssh user@ip
#Reboot
sudo reboot
```
2. Run the following command to reset the cluster on all the three VMs.

```bash
sudo sdkms-cluster reset --delete-data --reset-iptables
```
3. Reboot the node to apply the changes.
4. Copy `config.yaml` file to the current directory on the master VM `sdkms-server-vm1`.

```bash
cp /opt/fortanix/sdkms/config/config.yaml.example config.yaml
```
5. Modify `config.yaml` as below on the master VM `<cluster-name>-vm1`. Set the `externalLoadBalancer` value to true.

```yaml
global:
 externalLoadBalancer: true
sdkms:
 clusterIp: 
keepalived:
 nwIface: eth0
```

For online DCAP attestation support on Azure DCsv3, edit the `config.yaml` file on the master VM `<cluster-name>-vm1` as below:

```yaml
global:
  rebootEnabled: true
  attestation:
    dcap:
      type: online
  externalLoadBalancer: true
  allowedSgxTypes:
    - standard
    - scalable
sdkms:
  clusterIp: 10.197.65.253
  dcapProviderConfig:
    pcs: Azure
    azure:
      api_version: 3
keepalived:
  nwIface: eno1
```
6. Run the command below to create the cluster on `sdkms-server-vm1`.

```bash
sudo sdkms-cluster create --self=<server ip address/subnet mask> --config config.yaml
```

![Picture37.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049786312.png)

**Figure 13: Create Cluster on Master VM**

In the above snapshot, `10.0.1.5` is the private IP of `sdkms-server-vm1`.
7. If the creation of a cluster is successful, then you will see a command to make/configure the other nodes/servers (other VMs).

![Picture1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049907771.png)

**Figure 14: Join Nodes**
8. Verify if the `sdkms-server-vm1` pod is running using the `get pods` command.

![Picture39.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049786392.png)

**Figure 15: Get Pods**

> [!NOTE]
> NOTE
> 
> After the cluster is created, wait for ten minutes before proceeding with the following steps.
9. Run the cluster join commands on `sdkms-server-vm2` and `vm3`. Make sure that the `join` command on one server runs after completion of the previous.

```bash
sdkms-cluster join --peer=10.0.1.5/24 --token=c34608.771dd4c4dace2721
```
10. If the joining of the node is successful, then you would see the `sdkms-server-vm2` and `vm3` in the pod view.

![Picture41.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049786432.png)

**Figure 16: VM3 Join Successful**

From the snapshot above, the pods are crashing, and this is due to certificates not being installed.

### 6.3 Create, Install Certificates and Access the Cluster from Browser

The Fortanix DSM requires 2 SSL certificates for the services, one for Main API service, and another for Static asset service. We support Certificate Signing Request (CSR) generation for both these certificates which can be signed by your preferred CA provider.

1. Generate a CSR to get an SSL certificate. The CSR contains information (for example: common name, organization, country) which the Certificate Authority (CA) will use to create your certificate. Run the following command to generate the CSR in PEM format on the node where the cluster was created (`sdkms-server-vm1`). Save the CSR to `sdkms.csr`.

```bash
sudo get_csrs
```

The tool supports 2 ways of generating each CSR:

  1. A simple way (option 1): where the domain name and SANs can be provided. For example: "fortanix.com".
  2. Distinguished (option 2): where the full DN string can be provided. For example: CN=www.fortanix.com O=Fortanix L=Mountain View ST=California

There is also an option to add Subject Alternative Names. More than one can be added, each one on a new line.

The script will then ask you to enter the following:

  1. The domain name for the cluster (Main)
  2. The domain name for the UI (Assets)
  3. Cluster name
  4. Sysadmin email address
  5. Sysadmin password

![Picture43.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049906511.png)

**Figure 17: Generate Certificate**

Two CSRs are generated for **Main** and **Assets** as shown in the figure below:

![Picture44.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049906551.png)

**Figure 18: CSRs Generated**

> [!NOTE]
> NOTE
> 
> For the purpose of this demo the “domain name” has been defined as “http://azure-sdkms.com” for both the Main and Assets sections. You could also use a different domain name if required. This would create a certificate request for both the CSRs. You will need to get both CSRs signed by a CA or sign them locally yourself.
2. If you want to self-sign the CSRs, run the commands below to sign `sdkms.csr` and generate `sdkms.crt`.

```bash
# Untar the tarball
tar zxvf test_ca.tgz
# Go to the extracted folder
cd test_ca
./setup
./sign sdkms.csr sdkms.crt
```

The URL to download `test_ca.tgz` is: [https://sdkms-release.s3-us-west-1.amazonaws.com/test_ca.tgz](https://sdkms-release.s3-us-west-1.amazonaws.com/test_ca.tgz). Then use that signed certificate when running `install_certs`.
3. Install the certificate by running the following command and add this certificate for both Main and Assets.

```bash
sudo install_certs
```

![Picture45.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049786632.png)

**Figure 19: Install Certs in Main**

![Picture46.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049786652.png)

**Figure 20: Install Certs in Assets**
4. You should now see a message “deployment of sdkms successfully rolled out” for the certificate installation status.

![Picture48.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360049906691.png)

**Figure 21: Install Certs Successful**
5. With the successful installation of certificates, none of your pods will crash.

> [!NOTE]
> **NOTE**
> 
> If the domain name “azure-sdkms.com” is registered, there is an additional procedure that you need to follow in Azure. Since this domain is not registered and the certificates are not digitally signed by CA, we will bypass this task.
6. Modify `/etc/hosts` on the machine where you would access the browser and map the IP address of the Azure load balancer with the domain name “azure-sdkms.com”.

To get the IP Address of the Azure load balancer, see the screenshot below.

![loadbal_ip.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360056483572.png)

**Figure 22: IP Address of the Azure Load Balancer**
  - On Linux based machines, you can do this by adding an entry in the file `/etc/hosts`.
  - On Windows machines, you can do this by adding an entry in the file `c:\Windows\System32\Drivers\etc\hosts`
7. If you are using a self-signed certificate in your setup, then you will need to install the root CA that was used to sign the Fortanix DSM CSR into your browser's trusted CA store.
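
Before running `install_certs` in step 3, it is useful to confirm that the certificate returned by the CA carries the same public key as the CSR from step 1 and is valid for the domain name entered for Main or Assets. The following is an added example, not part of the Fortanix tooling; it assumes the `openssl` CLI is installed, and `make_sample` only builds constructed test data.

```shell
#!/usr/bin/env bash
# Added example: check a signed certificate against its CSR before install_certs.

# make_sample <dir> <domain>: constructed test data only. Creates a throwaway
# key, sdkms.csr and a self-signed sdkms.crt (stand-in for the CA-signed one).
make_sample() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -subj "/CN=$2" -out "$1/sdkms.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/sdkms.csr" -signkey "$1/key.pem" \
    -days 1 -out "$1/sdkms.crt" 2>/dev/null
}

# check_signed_cert <csr> <cert> <domain>: returns 0 only if every check passes.
check_signed_cert() {
  csc_csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || {
    echo "FAIL: cannot read CSR $1" >&2; return 1; }
  csc_crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || {
    echo "FAIL: cannot read certificate $2" >&2; return 1; }
  # 1. The certificate must be issued for the key in the CSR.
  if [ "$csc_csr_key" != "$csc_crt_key" ]; then
    echo "FAIL: certificate public key differs from the CSR" >&2; return 1
  fi
  # 2. The name must match the domain entered for Main or Assets.
  #    The verdict is read from the -checkhost output line.
  if ! openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match'; then
    echo "FAIL: certificate is not valid for $3" >&2; return 1
  fi
  # 3. The certificate must not already be expired.
  if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has expired" >&2; return 1
  fi
  echo "OK: $2 matches $1 and is valid for $3"
}

# Demo on constructed data, using the demo domain from this page.
demo() {
  demo_dir=$(mktemp -d) || return 1
  make_sample "$demo_dir" azure-sdkms.com &&
    check_signed_cert "$demo_dir/sdkms.csr" "$demo_dir/sdkms.crt" azure-sdkms.com
  demo_rc=$?
  rm -rf "$demo_dir"
  return "$demo_rc"
}
```

Run `check_signed_cert sdkms.csr sdkms.crt <domain>` once for the Main certificate and once for the Assets certificate.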

### 6.4 Testing the Fortanix DSM Installation on Azure

1. In your browser, open the URL `https://<FORTANIX_DSM_URL>` (the load balancer IP) or the DNS name associated with the IP. You will now see the Fortanix DSM login page as shown below.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1757).png)

**Figure 23: Fortanix Login Page**

### 6.5 Configure Data Center Labeling

After all nodes have successfully joined the cluster, you must perform data center labeling. In a multi-site deployment, data center labeling configuration helps achieve better read resiliency by allowing requests to read data from the local data center and supports the Read-Only mode of operation when a global quorum is lost and a local quorum is available. *Refer to* [*Fortanix Data Security Manager Data Center Labeling*](/v1/docs/fortanix-data-security-manager-data-center-labeling) *(use the automated script to configure DC labeling).*

*For more information, refer to* [*Fortanix DSM Read-Only Mode of Operation*](/v1/docs/fortanix-data-security-manager-read-only-mode-of-operation).

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.


