1.0 Introduction
This article describes the Workflow – Tokenization feature in Fortanix Data Security Manager (DSM). The tokenization workflow is a guided process that allows you to configure tokenization in a single, streamlined flow.
Using this workflow, you can create and configure all required components, such as groups, applications, and tokenization security objects, without navigating across multiple pages in the Fortanix DSM.
NOTE
The recommended approach for creating tokenization security objects is to use the new guided tokenization workflow described in this section, as it provides a more intuitive and efficient experience. However, you can continue to create tokenization security objects using the legacy Fortanix DSM UI workflow by navigating to the relevant pages. For the detailed procedure, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
2.0 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 1: Logging In
3.0 Access the Tokenization Workflow
This section explains how to use the Tokenization Workflow to create and configure all required tokenization components in a single, guided flow without navigating across multiple Fortanix DSM screens.
Perform the following steps to access the Tokenization workflow in Fortanix DSM:
Log in to the Fortanix DSM user interface (UI).
In the DSM left navigation panel, click the Workflows menu item, and then select Tokenization.

Figure 2: Select tokenize
The Get Started page appears on the screen.

Figure 3: Landing screen
3.1 Step 1: Get Started
This screen provides an overview of the tokenization workflow and explains how the configuration progresses through the following stages:
Create or select a group
Create an application
Create a tokenization security object
Review and complete the setup
Click LET’S GET STARTED to continue.

Figure 4: Get started
3.2 Step 2: Adding New Group
This screen allows you to create a group to manage access and policies for tokenization objects.

Figure 5: Add group
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Add Group Quorum Policy (optional): Click ADD QUORUM POLICY to configure approval requirements for sensitive operations. For more information, refer to User's Guide: Group Quorum Policy.
Click NEXT to save the new group and proceed further.
The new group is created successfully in Fortanix DSM.
3.3 Step 3: Adding New App
This screen allows you to create an application (app) that defines how clients authenticate and access tokenization services in Fortanix DSM.

Figure 6: Add app
On the Adding new app page, do the following:
App name: Enter the name for your application.
Interface (optional): Select REST as the interface type from the drop-down menu.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select one of the following authentication methods:
API Key
Certificate
Trusted CA
Google Service Account
JSON Web Token (JWT)
External Directory
AWS IAM
AWS XKS
Workspace CSE App Auth
For more information on these authentication methods, refer to the User's Guide: Authentication.
(Optional) Select the Require TLS client certificate authentication check box to enforce mutual TLS (mTLS) by requiring the application to present a valid client certificate during authentication.
(Optional) Select the Enable OAuth toggle to authorize the application to perform cryptographic and key management operations on behalf of the user.
Assigning the new app to groups: Displays the group name to which the app is assigned.
Click NEXT to add the new application and proceed further.
The new application is added successfully in Fortanix DSM.
3.4 Step 4: Create Tokenization Security Object
This screen allows you to create a tokenization security object that defines how sensitive data is tokenized and protected.
In this example, let us understand the tokenization and masking feature using the Social Security Number (SSN) type.
The tokenization of a security object converts sensitive data, such as a Social Security Number, into a random string of characters (called a token) that has no meaningful value if breached. A typical SSN consists of 9 digits. A token representing an SSN may be configured to retain the real first 5 digits. This allows representatives to verify user identities without exposing the entire SSN.

Figure 7: Add security object
On the Add new Security Object page, do the following:
Security Object Name: Enter a name for your security object.
Group: Displays the group name to which the app is assigned.
Key Size: Enter a key size for the security object in bits. The following key sizes are available:
128 bits
192 bits
256 bits
In the Data type section, select the SSN tokenization type for the tokenization security object.
If you want to mask your token, then select the Apply dynamic data masking pattern check box.
You can choose to tokenize specific digits of an SSN using a pattern. There are two types of tokenization patterns that can be applied:
Fully tokenize the SSN – full token. For example:
In this pattern, a Fortanix DSM user can also choose to tokenize the complete SSN using the toggle button.
Apply dynamic data masking pattern: This is an optional field that can be applied when the data is detokenized so that the detokenizing application with Masked Decrypt permission sees the masked data instead of original data in plain text.
NOTE
The Apply dynamic data masking pattern option is not applicable for the full token pattern, instead masking can be applied only to the last 4 digits.
With this pattern, a Fortanix DSM user can choose to mask only the last four digits. Masking can be applied using the Apply dynamic data masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 4 digits of the SSN – token + 4 digits. For example:
NOTE
The Apply dynamic data masking pattern option is not applicable for this pattern.
In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys.
Tokenize (encrypt)
Detokenize (decrypt)
App Manageable
Export
NOTE
To convert a Tokenization key into an Irreversible Tokenization key, remove the Detokenize and Export operations.

Figure 8: Select key operations
Custom Attributes (Optional): Add custom metadata as key–value pairs to associate additional information with the tokenization security object.
Activation Date (Optional) and Deactivation Date (Optional): Specify the activation and deactivation dates to control when the tokenization security object becomes active and when it is automatically deactivated.
Audit log: Use this toggle button to enable or disable audit logging for all actions performed on the tokenization security object, including creation, updates, tokenization, and detokenization operations.
Click NEXT to create a tokenized security object and proceed further.
The new tokenization security object for SSN is created in Fortanix DSM.
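The following Python sketch is an added illustration, not Fortanix code and not the algorithm DSM uses: it models the two SSN patterns above (full token, token + 4 digits), masked detokenization of the last four digits, and an irreversible key that lacks the Detokenize operation. The toy HMAC-based Feistel cipher, the demo key, the operation labels and the sample SSN are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

KEY = bytes(range(32))  # constructed 256-bit demo key; a real key never leaves the KMS

def _f(i: int, half: str, width: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced to `width` decimal digits."""
    mac = hmac.new(KEY, f"{i}|{width}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10**width

def _feistel(digits: str, decrypt: bool = False, rounds: int = 8) -> str:
    """Toy alternating Feistel over decimal strings; output keeps the input length."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(rounds)) if decrypt else range(rounds)):
        m = u if i % 2 == 0 else v  # width of the half being rewritten this round
        if decrypt:
            a, b = str((int(b) - _f(i, a, m)) % 10**m).zfill(m), a
        else:
            a, b = b, str((int(a) + _f(i, b, m)) % 10**m).zfill(m)
    return a + b

def _split(value: str, keep_last4: bool):
    """Validate a 9-digit SSN/token and split off the part left in the clear."""
    d = value.replace("-", "")
    if not re.fullmatch(r"\d{9}", d):
        raise ValueError("expected 9 digits")
    return (d[:5], d[5:]) if keep_last4 else (d, "")

def _fmt(d: str) -> str:
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def tokenize(ssn: str, ops: set, keep_last4: bool = False) -> str:
    # ops uses hypothetical labels for the "Key operations permitted" choices
    if "TOKENIZE" not in ops:
        raise PermissionError("key does not permit Tokenize")
    body, tail = _split(ssn, keep_last4)
    return _fmt(_feistel(body) + tail)

def detokenize(token: str, ops: set, keep_last4: bool = False, masked: bool = False) -> str:
    if "DETOKENIZE" not in ops:  # Detokenize removed: the key is irreversible
        raise PermissionError("irreversible tokenization key")
    body, tail = _split(token, keep_last4)
    plain = _feistel(body, decrypt=True) + tail
    # masked=True models a caller that only holds the Masked Decrypt permission
    return _fmt(plain[:5] + "****") if masked else _fmt(plain)
```

With the token + 4 digits pattern only five digits are tokenized, so the token space is 10^5 values; factor that into decisions about who may call Tokenize and whether audit logging stays enabled.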
3.5 Step 5: Review Configuration
The Review and Validate Configuration screen displays a summary of all selections made during the workflow, including:
Group details
Application details
Security object details

Figure 9: Review configuration
Before completing the workflow, Fortanix DSM automatically validates the configuration. If any required information is missing or incorrectly configured, the screen displays an error icon on the affected section.

Figure 10: Resolve errors
These errors must be resolved before you can complete the workflow. Common validation issues include:
Missing required fields (for example, group name or security object name)
Incomplete or unresolved quorum policy settings
Invalid or unsupported configuration values
Click START RESOLVING to navigate directly to the screen that requires attention and fix the highlighted issues.
Review the configuration carefully, then click SUBMIT to complete the workflow or click BACK to make additional changes.
The tokenization workflow setup is now complete.