---
title: "Workflows Tokenization"
slug: "fortanix-data-security-manager-workflows"
updated: 2026-04-01T10:46:31Z
published: 2026-03-18T08:57:51Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Workflows Tokenization

## 1.0 Introduction

This article describes the**Workflow – Tokenization** feature in Fortanix-Data-Security-Manager (DSM). The tokenization workflow provides a guided and efficient data tokenization workflow that allows you to configure tokenization in a single, streamlined process.

Using this workflow, you can create and configure all required components, such as groups, applications, and tokenization security objects, without navigating across multiple pages in the Fortanix DSM.

> [!NOTE]
> NOTE
> 
> The recommended approach for creating tokenization security objects is to use the new guided tokenization workflow described in this section, as it provides a more intuitive and efficient experience. However, you can continue to create tokenization security objects using the legacy Fortanix DSM UI workflow by navigating to the relevant pages. *For detailed procedure, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](/v1/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

## 2.0 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15)(1).png)

**Figure 1: Logging In**

## 3.0 Access the Tokenization Workflow

This section explains how to use the Tokenization Workflow to create and configure all required tokenization components in a single, guided flow without navigating across multiple Fortanix DSM screens.

Perform the following steps to access the Tokenization workflow in Fortanix DSM:

1. Log in to Fortanix DSM user interface (UI).
2. In the DSM left navigation panel, click the **Workflows**menu item, and then select **Tokenization**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Select Workflows - Tokenization.png)

**Figure 2: Select tokenize**
3. The **Get Started** page appears on the screen.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Get-Started-Screen - Copy.png)

**Figure 3: Landing screen**

### 3.1 Step 1: Get Started

This screen provides an overview of the tokenization workflow and explains how the configuration progresses through the following stages:

- Create or select a group
- Create an application
- Create a tokenization security object
- Review and complete the setup

Click **LET’S GET STARTED** to continue.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Get-Started-Screen.png)

**Figure 4: Get started**

### 3.2 Step 2: Adding New Group

This screen allows you to create a group to manage access and policies for tokenization objects.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group-Form.png)

**Figure 5: Add group**

On the **Adding new group** page:

1. **Title**: Enter a name for your group.
2. **Description**(optional): Enter a short description of the group.
3. **Add Group Quorum Policy** (optional): Click **ADD QUORUM POLICY** to configure approval requirements for sensitive operations. *For more information, refer to*[*User's Guide: Group Quorum Policy*](/v1/docs/users-guide-group-quorum-policy)*.*
4. Click **NEXT**to save the new group and proceed further.

The new group is created successfully in Fortanix DSM.

### 3.3 Step 3: Adding New App

This screen allows you to create an application (app) that defines how clients authenticate and access tokenization services in Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App-Form.png)

**Figure 6: Add app**

On the **Adding new app** page:

1. **App name**: Enter the name for your application.
2. **Interface**(optional): Select **REST**as the interface type from the drop down menu.
3. **ADD DESCRIPTION** (optional): Enter a short description of the application.
4. **Authentication method**: Select one of the following authentication methods:

*For more information on these authentication methods, refer to the*[*User's Guide: Authentication*](/v1/docs/users-guide-authentication)*.*
  - API Key
  - Certificate
  - Trusted CA
  - Google Service Account
  - JSON Web Token (JWT)
  - External Directory
  - AWS IAM
  - AWS XKS
  - Workspace CSE App Auth
5. (Optional) Select the **Require TLS client certificate authentication**check box to enforce mutual TLS (mTLS) by requiring the application to present a valid client certificate during authentication.
6. (Optional) Select the **Enable OAuth** toggle to authorize the application to perform cryptographic and key management operations on behalf of the user.
7. **Assigning the new app to groups**: Displays the group name to which the app is assigned.
8. Click **NEXT**to add the new application and proceed further.

The new application is added successfully in Fortanix DSM.

### 3.4 Step 4: Create Tokenization Security Object

This screen allows you to create a tokenization security object that defines how sensitive data is tokenized and protected.

In this example, let us understand the tokenization and masking feature using the Social Security Number (SSN) type.

The tokenization of a security object converts sensitive data, such as a Social Security Number, into a random string of characters (called a token) that has no meaningful value if breached. A typical SSN consists of 9 digits. A token representing an SSN may be configured to retain the real first 5 digits. This allows representatives to verify user identities without exposing the entire SSN.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-SO-Screen.png)

**Figure 7: Add security object**

On the **Add new Security Object** page:

1. **Security Object Name**: Enter a name for your security object.
2. **Group**: Displays the group name to which the app is assigned.
3. **Key Size**: Enter a key size for the security object in bits. The following key sizes are available:
  - 128 bits
  - 192 bits
  - 256 bits
4. In the **Data type** section, select the **SSN** tokenization type for the tokenization security object.
5. If you want to mask your token, then select the **Apply dynamic data masking pattern** check box. You can choose to tokenize specific digits of an SSN using a pattern. There are two types of tokenization patterns that can be applied:
  - Fully tokenize the SSN – full token. For example, In this pattern, a Fortanix DSM user can also choose to tokenize the complete SSN using the toggle.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1418).png)

**Apply dynamic data masking pattern**: This is an optional field that can be applied when the data is detokenized so that the detokenizing application with **Masked Decrypt** permission sees the masked data instead of original data in plain text.

> [!NOTE]
> NOTE
> 
> **Apply dynamic data masking pattern** is not applicable for the full token pattern, instead masking can be applied only to the last 4 digits.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1419).png) With this pattern, a Fortanix DSM user can choose to mask only the last four digits. Masking can be applied using**Apply dynamic data masking pattern** in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
  - Tokenize all but the last 4 digits of the SSN – token + 4 digits. For example, ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1420).png)

> [!NOTE]
> NOTE
> 
> **Apply dynamic data masking pattern** is not applicable for this pattern.
6. In the **Key operations permitted** section, select the required operations to define the actions that can be performed with the cryptographic keys.

> [!NOTE]
> NOTE
> 
> To convert a **Tokenization** key into an **Irreversible Tokenization** key, remove the **Detokenize** and **Export** operations.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Key-Operation-Permitted.png)

**Figure 8: Select key operations**
  - Tokenize (encrypt)
  - Detokenize (decrypt)
  - App Manageable
  - Export
7. **Custom Attributes**(Optional): Add custom metadata as key–value pairs to associate additional information with the tokenization security object.
8. **Activation Date** (Optional) and **Deactivation Date**(Optional): Specify the activation and deactivation dates to control when the tokenization security object becomes active and when it is automatically deactivated.
9. **Audit log**: Use this toggle to enable or disable audit logging for all actions performed on the tokenization security object, including creation, updates, tokenization, and detokenization operations.
10. Click **NEXT**to create a tokenized security object and proceed further.

The new tokenization security object for SSN is created in Fortanix DSM.

### 3.5 Step 5: Review Configuration

The **Review and Validate Configuration** screen displays a summary of all selections made during the workflow, including:

- Group details
- Application details
- Security object details

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Review-Screen.png)

**Figure 9: Review configuration**

Before completing the workflow, Fortanix DSM automatically validates the configuration. If any required information is missing or incorrectly configured, the screen displays an error icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot 2026-01-12 121320.png) on the affected section.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Review-Screen-Start-Resolving.png)

**Figure 10: Resolve errors**

These errors must be resolved before you can complete the workflow. Common validation issues include:

- Missing required fields (for example, group name or security object name)
- Incomplete or unresolved quorum policy settings
- Invalid or unsupported configuration values

Click **START RESOLVING** to navigate directly to the screen that requires attention and fix the highlighted issues.

Ensure to review the configuration carefully and click **SUBMIT**to complete the workflow or click **BACK**to make additional changes.

The tokenization workflow setup is now complete.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.