---
title: "Sysadmin Settings - External Entropy"
slug: "fortanix-data-security-manager-sysadmin-settings-external-entropy"
updated: 2026-04-01T07:28:06Z
published: 2026-03-18T09:11:25Z
canonical: "support.fortanix.com/fortanix-data-security-manager-sysadmin-settings-external-entropy"
---


# Sysadmin Settings - External Entropy

## 1.0 Introduction

This article describes how to configure and manage **External Entropy** in **Fortanix Data Security Manager (DSM)**.

Fortanix DSM supports integration with an external entropy source, including Quantum Random Number Generator (QRNG) services such as Quantum Entropy-as-a-Service (QEaaS), to provide additional randomness that is combined with its internal entropy during seeding of the Deterministic Random Bit Generator (DRBG) used for cryptographic operations.

By default, Fortanix DSM uses its internal entropy source to generate randomness for key generation, token creation, session identifiers, and other security-sensitive operations. When an external entropy source is configured at the cluster-level, Fortanix DSM combines entropy obtained from the external provider with its internal entropy during DRBG seeding and reseeding operations.

## 2.0 Overview

External entropy allows Fortanix DSM to retrieve random seed material from a configured external service endpoint over a secure Hypertext Transfer Protocol Secure (HTTPS)/Transport Layer Security (TLS) connection.

> [!NOTE]
> During cluster startup or restart, the initial entropy required to establish HTTPS/TLS connections is sourced from Fortanix DSM’s internal entropy mechanism. After the secure connection to the external entropy provider is established, entropy from the external source is combined with internal entropy during subsequent DRBG reseeding operations.

When external entropy is enabled:

- The configuration applies at the cluster-level.
- All nodes in the Fortanix DSM cluster inherit and enforce the same configuration.
- All cryptographic operations continue to reside within Fortanix DSM.
- Entropy retrieval occurs securely over HTTPS using the configured authentication and Transport Layer Security (TLS) certificates.

If the external entropy endpoint becomes temporarily unavailable or unreachable, Fortanix DSM maintains operational availability by continuing to use its internal entropy source.

## 3.0 Prerequisites

Ensure the following:

- All cluster nodes can establish outbound HTTPS connections to the configured endpoint.
- A valid HTTPS endpoint (Fully Qualified Domain Name (FQDN) is recommended).
- Valid authentication credentials (if required by the provider).
- A trusted TLS certificate chain for the endpoint.
- Proxy rules allow outbound connectivity (if applicable).
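
The endpoint prerequisites above can be checked from a cluster node before the URL is entered in the form. The following is an added example, not Fortanix code: it uses Python's standard `ssl` module, and its `validate_host` and `custom_ca_file` parameters are an assumed mapping of the **Validate host** and **Custom CA Certificate** options described in section 4.0.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def check_url(url):
    """Return (host, port, findings) for a candidate external entropy URL."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("reject: only HTTPS endpoints are supported")
    host = parts.hostname or ""
    if not host:
        findings.append("reject: URL has no host")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("warn: IP literal; an FQDN is recommended")
        except ValueError:
            pass  # not an IP address, treated as a hostname
    return host, parts.port or 443, findings


def tls_context(validate_host=True, custom_ca_file=None):
    """Build a client context for the form's TLS choices (assumed mapping).

    custom_ca_file=None uses the system trust store, standing in for
    "Global Root CAs"; otherwise only the given CA file is trusted.
    """
    if custom_ca_file is None:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=custom_ca_file)
    # Chain validation always stays on; only the name check is optional.
    ctx.check_hostname = validate_host
    return ctx


def probe(url, **tls_options):
    """Handshake with the endpoint and return the negotiated TLS version."""
    host, port, findings = check_url(url)
    if any(f.startswith("reject") for f in findings):
        raise ValueError("; ".join(findings))
    ctx = tls_context(**tls_options)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

With `validate_host=False` the chain is still verified, but any certificate issued by a trusted CA is accepted regardless of the name it was issued for, which is why the name check is worth keeping on.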

## 4.0 Configure External Entropy

Perform the following steps to configure an external entropy source:

1. Navigate to **System Administration → Settings → EXTERNAL ENTROPY**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot%20(3084).png)

**Figure 1: External entropy menu item**

2. In the **External Entropy** form, do the following:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/2026-02-19_12-15-37.png)

**Figure 2: External entropy form**

  1. Select the **External Entropy disabled** toggle to enable the feature.
  2. **Name**: Enter a name for the external entropy source.
  3. **Description** (Optional): Enter a brief description.
  4. **URL**: Enter the HTTPS endpoint of the external entropy provider. For example, `https://example-entropy-provider.com:port`.

> [!NOTE]
> Only secure HTTPS endpoints are supported.

  5. In the **Authentication Type** section, select one of the following authentication methods supported by the entropy provider:
    1. **X-Api-Key**: Select this option to authenticate requests using **API Key**.
    2. **Bearer Token**: Select this option to authenticate requests using **Bearer token**.
    3. **Basic Auth**: Select this option to authenticate requests using **Username** and **Password**.
  6. In the **TLS Configuration** section, click **ADD AUTHENTICATION CERTIFICATE** to upload the certificate. In the **CONFIGURE CUSTOM CERTIFICATE** dialog box,
    1. **Host validation**: Select the **Validate host** check box to ensure that the hostname specified in the URL matches the hostname specified in the server certificate. To skip hostname verification, clear the **Validate host** check box.
    2. **Validate certificate**: Fortanix DSM establishes a secure TLS connection to the external entropy endpoint. Depending on the certificate used by the entropy provider:
      - If the endpoint certificate is signed by a well-known public Certificate Authority (CA), select **Global Root CAs**.
      - If the endpoint certificate is signed by a private or internal CA, select **Custom CA Certificate**, and upload the corresponding CA certificate.
    3. Click **SAVE**.
    4. Click **TEST CONNECTION** to verify connectivity with the external entropy endpoint.

3. Click **SAVE CHANGES** to apply the configuration.

After the configuration is applied and the cluster restart completes, the account **Dashboard** displays the **External Entropy Connections** count as **1**, indicating that an external entropy source is active.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1771490703769.png)

**Figure 3: Dashboard view for external entropy**

> [!NOTE]
> - The configuration applies cluster-wide; only one external entropy source can be configured at a time.
> - If a new external entropy endpoint is configured, the existing configuration is automatically overridden. To switch to a different entropy provider, update the current configuration or disable it before reconfiguring.
> - Fortanix DSM logs an error entry if the external entropy endpoint is unreachable, misconfigured, or if authentication fails. Sensitive information is not logged in plaintext.
> 
> ```text
> Error while refreshing entropy for source mock entropy server: Invalid external entropy credentials
> Error while refreshing entropy for source mock entropy server: Request timed out
> ```
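
Because DSM keeps operating on internal entropy when the endpoint fails, the error entries above are what shows that the external source is not contributing. The following is an added example, not Fortanix tooling: it scans log lines for the message format shown in the note; the timestamp prefix, the `lab qrng` source name and the alert threshold are assumptions made for the sample.

```python
import re
from collections import Counter, defaultdict

# Message shape taken from the two sample log lines in the note above.
REFRESH_ERROR = re.compile(
    r"Error while refreshing entropy for source (?P<source>.+?): (?P<reason>.*\S)"
)

# Only these two reasons appear on this page; anything else is kept as "other".
REASON_CLASS = {
    "Invalid external entropy credentials": "auth",
    "Request timed out": "connectivity",
}


def summarize(lines, timeout_threshold=3):
    """Count refresh failures per source and decide whether to alert.

    DSM keeps running on internal entropy when the endpoint fails, so these
    log entries are the signal that the external source is not contributing.
    """
    counts = defaultdict(Counter)
    for line in lines:
        match = REFRESH_ERROR.search(line)
        if match is None:
            continue  # unrelated log line
        kind = REASON_CLASS.get(match["reason"], "other")
        counts[match["source"]][kind] += 1

    report = {}
    for source, kinds in counts.items():
        # Credential failures do not clear on their own: alert on the first.
        # Timeouts can be transient: alert only once they repeat.
        alert = kinds["auth"] > 0 or kinds["connectivity"] >= timeout_threshold
        report[source] = {"failures": dict(kinds), "alert": alert}
    return report


# Constructed sample input: the timestamp prefix and the second source name
# are invented for this example; the message text follows the page's samples.
SAMPLE_LOG = [
    "2026-03-18T09:00:00Z Error while refreshing entropy for source mock entropy server: Request timed out",
    "2026-03-18T09:05:00Z Error while refreshing entropy for source mock entropy server: Invalid external entropy credentials ",
    "2026-03-18T09:06:00Z some unrelated log entry",
    "2026-03-18T09:10:00Z Error while refreshing entropy for source lab qrng: Request timed out",
]

if __name__ == "__main__":
    for source, result in summarize(SAMPLE_LOG).items():
        print(source, result)
```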

### 4.1 Disable External Entropy

You can disable the external entropy source at any time.

Perform the following steps to disable external entropy:

1. Navigate to **System Administration** → **Settings**.
2. Select the **External Entropy enabled** toggle to disable the feature.

After this action, a **Pending Changes** banner appears. The update takes effect only after a backend container rolling restart.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-data-security-manager---sysadmin-settings---external-entropy-image-jlytbgng.png)

**Figure 4: Pending changes banner**

To revert the configuration change before the cluster restart begins, click **CANCEL CHANGE** in the **Pending changes** banner.

In the **Cancel changes** dialog box, click **DELETE** to confirm and restore the previous configuration, or click **CANCEL** to return without making any changes.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-data-security-manager---sysadmin-settings---external-entropy-image-cyvzgufv.png)

**Figure 5: Confirm action**

After the configuration is applied, Fortanix DSM resumes using the internal entropy source for all cryptographic operations.

