---
title: "Fortanix DSM with SAP"
slug: "fortanix-dsm-with-sap"
updated: 2026-04-01T08:27:22Z
published: 2026-03-18T08:33:30Z
---


# Fortanix DSM with SAP

## 1.0 Introduction

This article describes the different integration methods for **Fortanix Data Security Manager (DSM)** with **SAP Data Custodian** for key management, generation, and cryptographic operations. It also covers:

- Generating a key in Fortanix DSM and performing Bring Your Own Key (BYOK) into SAP Data Custodian.
- Generating a key in Fortanix DSM and holding the key in DSM so that SAP Data Custodian uses the key from DSM.

### 1.1 Fortanix DSM with SAP Data Custodian

Using Fortanix BYOK with Data Custodian, enterprises can securely import cryptographic keys from Fortanix DSM into the SAP Data Custodian Key Management Service. This gives Data Custodian customers control over their key, ensuring it is only used for its authorized purposes, and protecting the security of the data on the platform.

While most encryption needs can be provisioned securely using the BYOK approach, some customers may have specific use cases where sensitive data can never be shared or transmitted outside their security perimeter. The security for this sensitive content needs to be strictly on-premises, with extremely limited access and sharing. With the Hold Your Own Key (HYOK) approach to key management, customers generate, manage, and store encryption keys in their own environment. In this scenario, cryptographic key management is provided through Fortanix DSM. SAP Data Custodian customers can store and protect Key Encryption Keys (KEK) in the cloud or on-premises with Fortanix DSM.

## 2.0 BYOK to SAP Data Custodian

Fortanix provides organizations with the ability to generate cryptographic keys in DSM and retain control of those keys while making them available, as required, for use in SAP Data Custodian.

![DSMwithSAPDC-BYOK.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18002457831572.png)

**Figure 1: SAP Data Custodian BYOK with Fortanix DSM**

Using BYOK with Fortanix DSM, SAP Data Custodian now effectively safeguards its customers’ public cloud and other SAP applications, such as SAP S/4 HANA, using keys generated in Fortanix DSM. You can use the Fortanix DSM Data Custodian Bring Your Own Key (BYOK) Plugin to implement Fortanix BYOK with SAP Data Custodian and import your keys into SAP Data Custodian.

To BYOK into SAP Data Custodian:

1. Create a group in SAP Data Custodian to hold your imported Fortanix DSM key for BYOK. *For more information, refer to* [*SAP - Create a Group for BYOK: Fortanix DSM*](https://help.sap.com/docs/sap-data-custodian/key-management-service/create-group-for-byok-fortanix-dsm).
2. Create an Application Technical User (APP TU) for BYOK to connect your SAP applications to SAP Data Custodian. You must complete this step to generate the APP TU and the credential file needed to connect to your Fortanix DSM key store. *For more information, refer to* [*SAP - Create an Application Technical User: Fortanix DSM*](https://help.sap.com/docs/sap-data-custodian/key-management-service/create-application-technical-user-fortanix-byok).
3. Create the APP TU credential. *For more information, refer to* [*SAP - Generate an Application Technical User Credential: Fortanix DSM*](https://help.sap.com/docs/sap-data-custodian/key-management-service/generate-application-technical-user-credential-fortanix-byok).
4. The Fortanix DSM [Data Custodian BYOK plugin](https://github.com/fortanix/sdkms-plugin-library/tree/master/datacustodian) can be used for the following operations:
  - Importing a Fortanix DSM key (AES or RSA) into Data Custodian
  - Rotating a key in Fortanix DSM and importing the new key version of an existing key into Data Custodian

> [!NOTE]
> 
> - The Fortanix DSM Data Custodian Bring Your Own Key (BYOK) Plugin is only available for Fortanix Data Security Manager (Fortanix DSM) applications running on Version 4.2.1528 or higher.
> - The SAP Data Custodian BYOK plugin also supports importing Fortanix DSM keys (AES and RSA) into Data Custodian groups or rotating them if they are already imported in AWS keystore providers.

## 3.0 HYOK to SAP Data Custodian

To manage SAP Data Custodian customers’ most sensitive data within their own security perimeter, Fortanix DSM offers the option of HYOK. In this scenario, cryptographic key management is provided through Fortanix DSM.

![DSMwithSAPDC-HYOK.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18002444658580.png)

**Figure 2: SAP Data Custodian HYOK with Fortanix DSM**

SAP Data Custodian restricts HYOK configuration activities to the Key Administrator user role to maintain system integrity. SAP Data Custodian customers must also ensure that their Fortanix key store is enabled in the same region as the consuming SAP service and their SAP Data Custodian Key Management Service tenant. SAP Data Custodian uses JSON Web Token (JWT) based authentication and leverages Fortanix DSM RESTful APIs for key management operations. The master key for wrapping and unwrapping the data encryption key in SAP Data Custodian resides in Fortanix DSM, so the customer maintains control over their keys from their own key store.

To HYOK into SAP Data Custodian:

1. Create a group in SAP Data Custodian to hold your registered Fortanix DSM keys for HYOK. *If you are creating a key group for Fortanix DSM on-premises key store, refer to* [*SAP - Create a Key Group for HYOK: Fortanix DSM*](https://help.sap.com/docs/sap-data-custodian/key-management-service/create-group-for-hyok-fortanix-dsm).
2. Generate a key in your external Fortanix DSM key store that will be used for HYOK scenarios.
  1. Create a Fortanix DSM account.
  2. Enable the Fortanix DSM key store.
  3. Create an RSA key with the following requirements:
    - **Key Type**: RSA
    - **Key Size**: 3072, 4096
    - **Required Key Operations**: Encrypt, Decrypt
    - **Optional Key Operations**: Sign, Verify, Wrap, Unwrap

  *For more information on how to create a Fortanix DSM account and generate a key, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/v1/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui).
3. Register keys from your Fortanix DSM key store in SAP Data Custodian for HYOK. Tenants with Connect Service workflows will be required to register a Master Key. *For more information, refer to* [*SAP - Data Custodian HYOK Scenarios*](https://help.sap.com/docs/sap-data-custodian/key-management-service/fortanix-dsm-hyok-scenarios).
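
The RSA key requirements listed in step 2 can be checked before a key is registered for HYOK. The following is an added example, not Fortanix or SAP code; the descriptor fields (`type`, `size`, `operations`) and the sample key names are hypothetical and do not represent the DSM API schema.

```python
# Added example: pre-registration check of an HYOK key descriptor against
# the requirements listed above. The descriptor layout is hypothetical.

ALLOWED_SIZES = {3072, 4096}
REQUIRED_OPS = {"encrypt", "decrypt"}
OPTIONAL_OPS = {"sign", "verify", "wrap", "unwrap"}


def check_hyok_key(desc):
    """Return a list of findings; an empty list means the key meets the requirements."""
    findings = []
    key_type = str(desc.get("type", "")).upper()
    if key_type != "RSA":
        findings.append(f"key type is {key_type or 'missing'}, expected RSA")
    size = desc.get("size")
    if size not in ALLOWED_SIZES:
        findings.append(f"key size {size} is not one of {sorted(ALLOWED_SIZES)}")
    # Compare operation names case-insensitively.
    ops = {str(op).strip().lower() for op in desc.get("operations", [])}
    missing = REQUIRED_OPS - ops
    if missing:
        findings.append("missing required operations: " + ", ".join(sorted(missing)))
    # Anything beyond the required and optional sets is reported for review.
    extra = ops - REQUIRED_OPS - OPTIONAL_OPS
    if extra:
        findings.append("operations outside the listed set: " + ", ".join(sorted(extra)))
    return findings


# Constructed sample descriptors (not real keys).
SAMPLES = {
    "hyok-master-ok": {"type": "RSA", "size": 3072,
                       "operations": ["Encrypt", "Decrypt", "Wrap", "Unwrap"]},
    "hyok-too-small": {"type": "RSA", "size": 2048,
                       "operations": ["Encrypt", "Decrypt"]},
    "hyok-sign-only": {"type": "RSA", "size": 4096,
                       "operations": ["Sign", "Verify"]},
    "hyok-wrong-type": {"type": "AES", "size": 256,
                        "operations": ["Encrypt", "Decrypt", "Export"]},
}

if __name__ == "__main__":
    for name, desc in SAMPLES.items():
        findings = check_hyok_key(desc)
        print(name, "OK" if not findings else "FAIL")
        for finding in findings:
            print("   -", finding)
```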

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.

## Related

- [Deployment Options](/fortanix-data-security-manager-deployment-options.md)
- [Sequoia-PGP](/fortanix-dsm-clients-sequoia-pgp.md)
- [Fortanix DSM with ServiceNow](/fortanix-dsm-with-servicenow.md)
- [Account Cryptographic Policy](/fortanix-dsm-account-cryptographic-policy.md)
