Fortanix Data Security Manager - Sysadmin Settings - External Entropy


1.0 Introduction

This article describes how to configure and manage External Entropy in Fortanix Data Security Manager (DSM).

Fortanix DSM supports integration with an external entropy source, including Quantum Random Number Generator (QRNG) services such as Quantum Entropy-as-a-Service (QEaaS), to provide additional randomness that is combined with its internal entropy during seeding of the Deterministic Random Bit Generator (DRBG) used for cryptographic operations.

By default, Fortanix DSM uses its internal entropy source to generate randomness for key generation, token creation, session identifiers, and other security-sensitive operations. When an external entropy source is configured at the cluster level, Fortanix DSM combines entropy obtained from the external provider with its internal entropy during DRBG seeding and reseeding operations.

2.0 Overview

External entropy allows Fortanix DSM to retrieve random seed material from a configured external service endpoint over a Hypertext Transfer Protocol Secure (HTTPS) connection protected by Transport Layer Security (TLS).


During cluster startup or restart, the initial entropy required to establish HTTPS/TLS connections is sourced from Fortanix DSM’s internal entropy mechanism. After the secure connection to the external entropy provider is established, entropy from the external source is combined with internal entropy during subsequent DRBG reseeding operations.

When external entropy is enabled:

  • The configuration applies at the cluster level.

  • All nodes in the Fortanix DSM cluster inherit and enforce the same configuration.

  • All cryptographic operations continue to reside within Fortanix DSM.

  • Entropy retrieval occurs securely over HTTPS using the configured authentication and TLS certificates.

If the external entropy endpoint becomes temporarily unavailable or unreachable, Fortanix DSM maintains operational availability by continuing to use its internal entropy source.
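The seeding, reseeding and fallback behaviour described above can be modelled with an SP 800-90A HMAC_DRBG. The following is an added example written for this page, not Fortanix DSM's implementation: the DRBG variant, the way the two inputs are combined (external bytes appended to the internal entropy input, so attacker-chosen external bytes can never cancel the internal entropy), the minimum accepted external length and the log wording are all assumptions chosen to illustrate the design, and the entropy sources are stand-ins for the real internal generator and the HTTPS fetch.

```python
"""Model of seeding a DRBG from internal plus external entropy.

Added example for this page, not Fortanix DSM code. The DRBG is SP 800-90A
HMAC_DRBG with SHA-256; how the two inputs are combined, the minimum
external length and the log wording are assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

OUTLEN = hashlib.sha256().digest_size  # 32 bytes
EntropySource = Callable[[], bytes]


class HmacDrbg:
    """SP 800-90A HMAC_DRBG, reduced to instantiate, reseed and generate."""

    def __init__(self, seed_material: bytes) -> None:
        self.key = b"\x00" * OUTLEN
        self.v = b"\x01" * OUTLEN
        self._update(seed_material)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: mix provided data into (K, V); second round only if data given
        self.key = self._mac(self.v + b"\x00" + provided)
        self.v = self._mac(self.v)
        if provided:
            self.key = self._mac(self.v + b"\x01" + provided)
            self.v = self._mac(self.v)

    def reseed(self, seed_material: bytes) -> None:
        self._update(seed_material)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.v = self._mac(self.v)
            out += self.v
        self._update(b"")  # backtracking resistance after each request
        return out[:n]


def build_seed_material(internal: EntropySource,
                        external: Optional[EntropySource],
                        log: List[str]) -> Tuple[bytes, bool]:
    """Internal entropy is always the entropy_input of the seed; external
    bytes are appended as additional input only when the fetch succeeds.
    Any failure is logged without credentials and the internal seed is
    used alone, so availability never depends on the external endpoint.
    Returns (seed_material, external_contributed)."""
    seed = internal()
    if external is None:
        return seed, False
    try:
        ext = external()
    except Exception as exc:  # unreachable, timed out, bad credentials ...
        log.append(f"Error while refreshing entropy for external source: {exc}")
        return seed, False
    if len(ext) < OUTLEN:  # assumed minimum: one full SHA-256 block of entropy
        log.append("External entropy response shorter than 32 bytes; using internal entropy only")
        return seed, False
    return seed + ext, True


def reseed_drbg(drbg: HmacDrbg, internal: EntropySource,
                external: Optional[EntropySource], log: List[str]) -> bool:
    """Reseed and report whether external entropy contributed this round."""
    material, used_external = build_seed_material(internal, external, log)
    drbg.reseed(material)
    return used_external


if __name__ == "__main__":
    events: List[str] = []
    # Instantiate from internal entropy only: at startup the TLS connection to
    # the provider does not exist yet, so only internal entropy is available.
    drbg = HmacDrbg(os.urandom(OUTLEN))

    def flaky_external() -> bytes:  # stand-in for an endpoint that times out
        raise TimeoutError("Request timed out")

    print("external used:", reseed_drbg(drbg, lambda: os.urandom(OUTLEN),
                                         lambda: os.urandom(OUTLEN), events))
    print("external used:", reseed_drbg(drbg, lambda: os.urandom(OUTLEN),
                                         flaky_external, events))
    print("\n".join(events))
    print(drbg.generate(16).hex())
```

The fallback path is the security-relevant one: a failed fetch must never block reseeding or leave the generator waiting on the network, and the log entry must describe the failure class without the credential that was sent.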

3.0 Prerequisites

Ensure the following:

  • All cluster nodes can establish outbound HTTPS connections to the configured endpoint.

  • A valid HTTPS endpoint (a Fully Qualified Domain Name (FQDN) is recommended).

  • Valid authentication credentials (if required by the provider).

  • A trusted TLS certificate chain for the endpoint.

  • Proxy rules allow outbound connectivity (if applicable).

4.0 Configure External Entropy

Perform the following steps to configure an external entropy source:

  1. Navigate to System Administration → Settings → EXTERNAL ENTROPY.

    Figure 1: External entropy menu item

  2. In the External Entropy form, do the following:

    1. Select the External Entropy disabled toggle button to enable the feature.

    2. Name: Enter a name for the external entropy source.

    3. Description (Optional): Enter a brief description.

    4. URL: Enter the HTTPS endpoint of the external entropy provider. For example, https://example-entropy-provider.com:port.

      NOTE

      Only secure HTTPS endpoints are supported.

    5. In the Authentication Type section, select one of the following authentication methods supported by the entropy provider:

      1. X-Api-Key: Select this option to authenticate requests using an API key.

      2. Bearer Token: Select this option to authenticate requests using a bearer token.

      3. Basic Auth: Select this option to authenticate requests using a username and password.

    6. In the TLS Configuration section, click ADD AUTHENTICATION CERTIFICATE to upload the certificate. In the CONFIGURE CUSTOM CERTIFICATE dialog box, do the following:

      1. Host validation: Select the Validate host check box to ensure that the hostname specified in the URL matches the hostname in the server certificate. To skip hostname verification, clear the Validate host check box. Clearing it means a certificate issued by a trusted CA for any other hostname would also be accepted, so leave it selected unless the endpoint is reached by an address that its certificate does not cover.

      2. Validate certificate: Fortanix DSM establishes a secure TLS connection to the external entropy endpoint. Depending on the certificate used by the entropy provider:

        • If the endpoint certificate is signed by a well-known public Certificate Authority (CA), select Global Root CAs.

        • If the endpoint certificate is signed by a private or internal CA, select Custom CA Certificate, and upload the corresponding CA certificate.

      3. Click SAVE.

      4. Click TEST CONNECTION to verify connectivity with the external entropy endpoint.

    Figure 2: External entropy form

  3. Click SAVE CHANGES to apply the configuration.

After the configuration is applied and the cluster restart completes, the account Dashboard displays the External Entropy Connections count as 1, indicating that an external entropy source is active.

Figure 3: Dashboard view for external entropy

NOTE

  • The configuration applies cluster-wide; only one external entropy source can be configured at a time.

  • If a new external entropy endpoint is configured, the existing configuration is automatically overridden. To switch to a different entropy provider, update the current configuration or disable it before reconfiguring.

  • Fortanix DSM logs an error entry if the external entropy endpoint is unreachable, misconfigured, or if authentication fails. Sensitive information is not logged in plaintext.

    Error while refreshing entropy for source mock entropy server: Invalid external entropy credentials 
    Error while refreshing entropy for source mock entropy server: Request timed out 
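To reproduce what TEST CONNECTION checks from each cluster node before saving the form, and to see how the three authentication types, the Validate host check box and the Global Root CAs / Custom CA Certificate choice map onto a plain TLS client, here is an added example written for this page (not Fortanix DSM code). The endpoint URL, the credential values, the response format (raw or hex-encoded bytes) and the minimum response length are assumptions; the errors it raises mirror the classes of failure in the log entries above and never include the credential that was sent.

```python
"""Pre-flight check for an external entropy endpoint, mirroring the form
fields on this page: URL, authentication type, host validation and the
Global Root CAs / Custom CA Certificate choice.

Added example, not Fortanix DSM code. The endpoint, credentials and the
response format (raw or hex-encoded bytes) are assumptions; run it from
each cluster node to reproduce what TEST CONNECTION verifies.
"""
import base64
import socket
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional


def auth_headers(auth_type: str, **cred: str) -> Dict[str, str]:
    """Request headers for the three authentication types offered in the form."""
    if auth_type == "X-Api-Key":
        return {"X-Api-Key": cred["api_key"]}
    if auth_type == "Bearer Token":
        return {"Authorization": "Bearer " + cred["token"]}
    if auth_type == "Basic Auth":
        userpass = f"{cred['username']}:{cred['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(userpass).decode()}
    raise ValueError(f"unsupported authentication type: {auth_type}")


def tls_context(custom_ca_pem: Optional[str] = None,
                validate_host: bool = True) -> ssl.SSLContext:
    """Global Root CAs: trust the system store. Custom CA Certificate: trust
    only the uploaded CA file. The server certificate is always verified;
    validate_host=False mirrors clearing 'Validate host' and skips only the
    hostname match, so any certificate from a trusted CA for some other
    name would pass. Keep it enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if custom_ca_pem is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=custom_ca_pem)
    ctx.check_hostname = validate_host
    return ctx


def parse_entropy_body(body: bytes) -> bytes:
    """Assumed response formats: hex text, otherwise raw bytes."""
    try:
        return bytes.fromhex(body.strip().decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return body


def fetch_entropy(url: str, headers: Dict[str, str], ctx: ssl.SSLContext,
                  timeout: float = 5.0, min_bytes: int = 32) -> bytes:
    """GET entropy from the provider. Failures are reported with the same
    classes of message the DSM log shows and never include the credential."""
    if not url.lower().startswith("https://"):
        raise ValueError("Only secure HTTPS endpoints are supported")
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            data = parse_entropy_body(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise PermissionError("Invalid external entropy credentials") from None
        raise
    except urllib.error.URLError as exc:  # DNS, refused, TLS verification, connect timeout
        if isinstance(exc.reason, socket.timeout):
            raise TimeoutError("Request timed out") from None
        raise
    except socket.timeout:  # read timeout
        raise TimeoutError("Request timed out") from None
    if len(data) < min_bytes:  # assumed minimum useful response
        raise ValueError(f"Provider returned {len(data)} bytes, need {min_bytes}")
    return data


if __name__ == "__main__":
    # Hypothetical endpoint and key; replace with the values entered in the form.
    HEADERS = auth_headers("X-Api-Key", api_key="replace-me")
    CTX = tls_context(custom_ca_pem=None, validate_host=True)
    try:
        sample = fetch_entropy("https://example-entropy-provider.com:8443/entropy", HEADERS, CTX)
        print(f"OK: received {len(sample)} bytes, first 8: {sample[:8].hex()}")
    except (OSError, ValueError) as exc:
        print(f"Error while refreshing entropy: {exc}")
```

If this check fails on one node but not another, the cause is usually per-node egress (proxy rules or firewall) rather than the provider, which is why the prerequisites above ask for outbound HTTPS from every node in the cluster.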

4.1 Disable External Entropy

You can disable the external entropy source at any time.

Perform the following steps to disable external entropy:

  1. Navigate to System Administration → Settings → EXTERNAL ENTROPY.

  2. Select the External Entropy enabled toggle button to disable the feature.

After this action, a Pending Changes banner appears. The update takes effect only after a backend container rolling restart.

Figure 4: Pending changes banner

To revert the configuration change before the cluster restart begins, click CANCEL CHANGE in the Pending changes banner.

In the Cancel changes dialog box, click DELETE to confirm and restore the previous configuration, or click CANCEL to return without making any changes.

Figure 5: Confirm action

After the configuration is applied, Fortanix DSM resumes using the internal entropy source for all cryptographic operations.


As of August 2025