3.0 Fortanix Key Insight - Log In and Create an Account
Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the platform if you do not already have one.
3.1 Sign Up and Log In to Fortanix Armor Platform - New Users
If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.
After you access the Key Insight solution from Fortanix Armor, if you want to onboard AWS cloud accounts, then you need to configure the AWS cloud connection to scan your keys and services.
4.1 Prerequisites
The following are the prerequisites before configuring an AWS cloud connection on Fortanix Key Insight:
The following are the prerequisites to configure an AWS cloud connection with your identity provider:
Register a client application with your identity provider.
Configure the redirect URI on the client application.
Gather the Client ID, a unique identifier for your registered application.
Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.
Set up IdP on your cloud account.
Set up the necessary permissions for AWS single account onboarding.
Set up the necessary permissions for AWS organization onboarding.
NOTE
Currently, Fortanix has tested PingOne and Microsoft Entra ID as the identity providers for configuring an AWS cloud connection based on federated authentication in Key Insight.
Fortanix Key Insight suggests creating a dedicated user account in the respective IdP for federated authentication in AWS. This account will be used to authenticate with the IdP or authorization server and consent to authorization.
The dedicated user account must stay active, and if any changes occur, re-authorization is required to refresh the authentication configuration.
4.2 Onboard AWS Cloud Account or AWS Organization
After you create a Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page.
Figure 1: Access Available Solutions
To onboard the AWS cloud accounts:
Click GO TO KEY INSIGHT.
On the Let's Connect to Your Cloud or On-Premises Provider page, select Cloud Connections type and the Amazon Web Services cloud provider.
Click NEXT.
Figure 2: Select AWS Cloud Provider
On the Select Authentication method form, you can select Secret based or Federated authentication as the connection type.
If you selected Secret based authentication, enter the AWS access key and the AWS secret access key. Click NEXT.
Figure 3: Select AWS Secret Based Authentication
If you selected Federated authentication,
Click the drop down menu for Select identity provider configuration and click ADD CONFIGURATION to add a new IdP configuration.
On the Configure Identity Provider form,
Select Authorization code flow.
Enter the Name of configuration.
Enter the Well-known URL.
Enter the Client ID of your IdP.
Add the required Scope(s). The default scopes are available to select. You can also add custom scopes if you have already configured them.
NOTE
Ensure that you include the offline_access scope when configuring the Microsoft Entra ID IdP.
Click AUTHORIZE.
For authorization, a new dedicated browser window opens depending on the IdP. After you complete the required steps, you are returned to the Configure Identity Provider form while the authorization is processed.
After the authorization is completed, the new IdP will be added to the Select identity provider configuration.
Figure 4: Add an AWS IdP Provider
On the Setup Cloud Connections form, enter the following details:
Enter an AWS cloud connection name. For example, AWS connection1.
In the Select scope section, select Organization if you want to onboard an AWS organization. This will allow you to onboard all the AWS accounts in the AWS organization. However, if you want to onboard a single AWS account, select Account.
Click NEXT.
Figure 5: Configure AWS Cloud Account in Key Insight
In the Select scope section:
If you selected Organization, then on the Select AWS Accounts screen, you can either select all the cloud accounts in the AWS organization using Select All to scan and onboard all the AWS accounts in the AWS organization or you can select the required accounts to onboard only the selected AWS accounts.
If you selected Account, then on the Select AWS Accounts screen, you can select the single AWS account to scan and onboard this account.
Click NEXT.
NOTE
Fortanix Key Insight will not scan the AWS key material, only the available metadata.
Figure 6: Select AWS Accounts
The System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations. If necessary, you can later choose and apply any user-defined cryptographic policy that has been created in the Policy Center, allowing you to meet specific requirements or use cases. For more details, refer to Section 8.0: Fortanix Key Insight - Manage Policy Center.
Figure 7: Select Key Insight Policy
Click NEXT.
On the Select External Key Source page, you can choose to integrate Fortanix Key Insight with an external key source, that is, Fortanix DSM (SaaS), to correlate keys and improve key management.
You can select any of the following options:
Yes, connect now: This option allows you to add an external key source for your AWS cloud connection and correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more details, refer to Section 7.1: Add an External Key Source Connection.
Once added, you must select that external key source to finish the onboarding.
Figure 8: Add External Key Source
No, I’ll connect later: This option allows you to onboard the AWS connection without adding an external key source. You can add it later if needed.
Figure 9: Onboard AWS Connection Without External Key Source
Click FINISH to scan the selected cloud account and onboard all services and keys, including those from external key sources.
This will take you to the AWS connection Overview page. You can see that the page lists all the scanned AWS keys and services.
If you added an external key source (Fortanix DSM SaaS) during AWS cloud connection onboarding, the Overview page will display the following after the successful scan:
The total key counts in all sections will be updated to include the correlated keys from the external key source.
The BYOK key source label will be replaced with “Fortanix”, displaying the count of the BYOK key source. This indicates that the BYOK keys are now correlated from the external key source, “Fortanix”.
If the count of the AWS accounts before the scan does not match the count of the AWS accounts displayed on the Overview page:
Ensure all the roles and permissions are appropriate in the AWS accounts before performing the scan.
Perform a re-scan operation using the RESCAN option on the Overview page after some time.
After you access the Key Insight solution from Fortanix Armor, if you want to onboard Azure subscriptions, then you need to configure the Azure cloud connection to scan your keys and services.
5.1 Prerequisites
The following are the prerequisites to configure an Azure cloud connection on Fortanix Key Insight:
The following are the prerequisites to configure an Azure cloud connection with your identity provider:
Register a client application with your identity provider.
Configure the redirect URI on the client application.
Gather the Client ID, a unique identifier for your registered application.
Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.
Provide the necessary Azure application permissions to scan resources.
NOTE
Currently, Fortanix has tested Microsoft Entra ID and PingOne as the identity providers for configuring an Azure cloud connection based on federated authentication in Key Insight.
Fortanix Key Insight suggests creating a dedicated user account in the respective IdP for federated authentication in Azure. This account will be used to authenticate with the IdP or authorization server and consent to authorization.
The dedicated user account must stay active, and if any changes occur, re-authorization is required to refresh the authentication configuration.
5.2 Onboard an Azure Management Group or Azure Subscription
After you create a Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page.
To onboard the Azure cloud accounts:
Click GO TO KEY INSIGHT.
On the Let's Connect to Your Cloud or On-Premises Provider page, select Cloud Connections type and the Azure cloud provider.
Click NEXT.
Figure 11: Select Azure Cloud Provider
On the Select Authentication method form, you can select Secret based or Federated authentication as the connection type.
If you select Secret based authentication, enter the Client ID, Client secret, and Tenant ID. Click NEXT.
Figure 12: Select Azure Secret Based Authentication
If you selected Federated Authentication,
Click the drop down menu for Select identity provider configuration and click ADD CONFIGURATION to add a new IdP configuration.
On the Configure Identity Provider form,
Select Authorization code flow.
Enter the Name of configuration.
Enter the Well-known URL.
Enter the Client ID of your IdP.
Add the required Scope(s). The default scopes are available to select. You can also add custom scopes if you have already configured them.
NOTE
Ensure that you include the offline_access scope when configuring the Microsoft Entra ID IdP.
Click AUTHORIZE.
For authorization, a new dedicated browser window opens depending on the IdP. After you complete the required steps, you are returned to the Configure Identity Provider form while the authorization is processed.
After the authorization is completed, the new IdP will be added to the Select identity provider configuration.
Figure 13: Add an Azure IdP Provider
On the Setup Cloud Connections form, enter the following details:
Enter an Azure cloud connection name. For example, Azure Cloud.
In the Select scope section, select Management Groups to onboard all the Azure subscriptions. However, if you want to onboard a single subscription, select Subscription.
Enter the Management group ID or Subscription ID based on the scope.
Click NEXT.
Figure 14: Configure Azure Cloud Subscription in Key Insight
In the Select scope section,
If you selected Management Groups, then on the Select Azure Subscriptions page, you can either select all the subscriptions in the Azure management group using Select All Subscriptions to scan and onboard all the Azure subscriptions, or you can select the required subscriptions to onboard only the selected Azure subscriptions.
If you selected Subscription, then on the Select Azure Subscriptions page, you can select the single Azure subscription to scan and onboard this subscription.
Click NEXT.
NOTE
Fortanix Key Insight will not scan the Azure key material, only the available metadata.
Figure 15: Select Azure Subscriptions
The System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations. If necessary, you can later select and apply any user-defined cryptographic policy that has been created in the Policy Center, allowing you to meet specific requirements or use cases. For more details, refer to Section 8.0: Fortanix Key Insight - Manage Policy Center.
Figure 16: Azure Key Insight Policy
Click NEXT.
On the Select External Key Source page, you can choose to integrate Fortanix Key Insight with an external key source, that is, Fortanix DSM (SaaS), to correlate keys and improve key management.
You can select any of the following options:
Yes, connect now: This option allows you to add the external key source for your Azure cloud connection to correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more details, refer to Section 7.1: Add an External Key Source Connection.
After adding, you must select that external key source to finish the onboarding.
Figure 17: Add External Key Source
No, I’ll connect later: This option allows you to onboard the Azure connection without adding an external key source. You can add it later if needed.
Figure 18: Onboard AWS Connection Without External Key Source
Click FINISH to scan the selected cloud account and onboard all services and keys, including those from external key sources.
This will take you to the Azure connection Overview page. You can see that the page lists all the scanned Azure keys and services.
After creating the Azure cloud connection, a group with the same name will be created on the Fortanix IAM Groups page. For more details, refer to the Fortanix Armor Identity and Access Management-IAM.
If you have added any external key source during the Azure cloud connection onboarding, after the successful scan, the total key counts in all sections will be updated on the Overview page to reflect the correlated keys from the external key source.
If the count of Azure subscriptions before the scan does not match the count of the Azure subscriptions displayed on the Overview page:
Ensure all the roles and permissions are appropriate in the Azure subscriptions before performing the scan.
Perform a re-scan operation using the RESCAN option on the Overview page after some time.
The Connections page allows you to manage the cloud, on-premises, and external key source connections you have added to the Fortanix Key Insight.
Figure 20: Access Connections
The CLOUD tab shows all the cloud connections configured for the selected Key Insight account. You can use the Search bar to search for a specific cloud connection by entering its Name.
Figure 21: Access Cloud Connections
You can perform the following for a cloud connection:
Add
Edit
Delete
Rescan
NOTE
Only users with the Account Administrator and Group Administrator roles can perform add, edit, delete, and rescan operations for the cloud connection.
Figure 22: Manage a Cloud Connection
6.1 Add a Cloud Connection
You can add a new cloud connection using ADD CLOUD CONNECTION.
You can select any policies you have configured in the Policy Center instead of the default policy on the Key Insight Policy page. If you change the policy while adding or editing the cloud connection, you must rescan the cloud connection to apply the new policy.
You cannot map more than one external key source to a single cloud connection.
You cannot map the external key source to any cloud connection unless it is properly configured and mapped to Fortanix DSM SaaS.
6.2 Edit the Cloud Connection
Use this feature to update the cloud connection details if required.
Figure 23: Edit the Cloud Connection Details
6.3 Delete the Cloud Connection
Use this feature to remove a cloud connection and its associated information.
If you click DELETE, a deletion confirmation dialog box will appear.
Read all the details and enter the cloud connection name.
Click CONFIRM.
WARNING
Deleting the cloud connection cannot be undone.
After deletion, the cloud connection will be removed from the list on the Cloud tab.
Figure 24: Delete the Cloud Connection
6.4 Rescan the Cloud Connection
Use this feature to restart the cloud-based scan for keys and services. Click START SCANNING to restart the scan. If the scan is successful, the LAST SCAN column will be updated with the latest scan date and time.
An external key source, such as Fortanix Data Security Manager (DSM) SaaS integrated with Fortanix Key Insight, is used to manage and protect cryptographic keys. This integration also simplifies compliance by providing a unified, cohesive view of the entire key inventory and lifecycle governance.
Fortanix Key Insight correlates with Fortanix DSM SaaS using the Key ID and ensures real-time synchronization between the two.
You can add, edit, delete, and rescan external key sources within Fortanix Key Insight using the EXTERNAL KEY SOURCE tab on the Connections page.
Figure 26: Access External Key Source
NOTE
Only users with the Account Administrator and Group Administrator roles can perform add, edit, delete, and rescan operations for the external key source connection.
7.1 Add an External Key Source Connection
The following are the prerequisites to add an external key source to Fortanix Key Insight:
Fortanix DSM Account Setup: A valid and active Fortanix DSM SaaS account is set up to allow communication between DSM and Key Insight.
Application Configuration: An application must be created in Fortanix DSM SaaS to enable interaction between both. This application defines the roles and permissions needed for key management.
Security Objects Setup: Security objects, such as keys or key versions, must be created and configured within Fortanix DSM SaaS to allow secure key management and usage by Fortanix Key Insight.
Group Configuration: User groups or access policies should be configured in Fortanix DSM SaaS to ensure appropriate access control and permissions for users interacting with the keys through Fortanix Key Insight.
Click SAVE AND PROCEED. The connection will be added under the EXTERNAL KEY SOURCE tab, though it will not yet be integrated with Fortanix DSM SaaS.
Figure 27: Add a DSM Connection
On the Admin App UUID page, configure the private key and certificate to establish a connection with Fortanix DSM SaaS using the following steps:
Click GENERATE PRIVATE KEY to create a private key. You can generate a maximum of two private keys.
Click GENERATE ANOTHER PRIVATE KEY to generate an additional key.
You can delete the private key using .
Click GENERATE CERTIFICATE to generate a self-signed certificate. This button will only be enabled after generating a private key.
You can copy the generated certificate details.
You can also RE-GENERATE THE CERTIFICATE if required.
After generating and downloading the certificate,
Log in to your Fortanix Data Security Manager account in the same region selected in Step 2.b above to ensure proper correlation.
Create an admin app using the steps mentioned in Create Admin Apps, selecting Certificate as the authentication method, and uploading the certificate generated in Step b.
After creating the admin app, copy the UUID value.
Enter the Admin app UUID obtained from Fortanix DSM admin app.
Click CONNECT to establish the connection between Fortanix DSM SaaS and Fortanix Key Insight. If your credentials (region and certificate) are incorrect, an error message will appear. Ensure you use the correct credentials to establish the connection with Fortanix DSM SaaS.
Figure 28: Add Admin App UUID
After the external key source is added,
All security objects configured in your Fortanix DSM SaaS account that are accessible by the admin app will be imported to Fortanix Key Insight.
The new external key source will appear in the EXTERNAL KEY SOURCE tab with the TYPE value set to DSM and the LAST SCAN value reflecting the creation timestamp.
When adding or editing an external key source, it is recommended to use a unique admin app UUID for each external key source to prevent performance degradation and avoid unnecessary clutter.
After creating the external key source (DSM SaaS) connection, a group with the same name will be created on the Fortanix IAM Groups page.
Use this feature to update the external key source connection details if required.
Perform the following steps to edit the external key source connection:
Click EDIT for the required key source connection under the EXTERNAL KEY SOURCE tab.
On the Edit <External Key Source> page, update the following details, if required:
Connection name
Region
Generate Private key and certificate
Admin app UUID
Click SAVE to apply the changes. Click CANCEL to discard the changes.
NOTE
You can also edit the external key source connection during the cloud connections onboarding.
Figure 29: Edit Fortanix Key Source
When you update the external key source details, you must rescan both the external key source connection and any associated parent cloud connection to apply the new values.
7.3 Delete an External Key Source Connection
Use this feature to remove an external key source connection and its associated information.
Perform the following steps to delete the external key source connection:
Click DELETE for the required external key source connection under the EXTERNAL KEY SOURCE tab.
On the Delete External Key Source Connection dialog box, read all the details and enter the external key source name.
Click CONFIRM to delete the external key source.
WARNING
Deleting the external key source connection cannot be undone.
After deletion, the external key source connection will be removed from the EXTERNAL KEY SOURCE list.
7.4 Rescan an External Key Source Connection
Use this feature to restart the scan for external key sources.
Perform the following steps to rescan the external key source:
Click RESCAN for the required external key source connection under the EXTERNAL KEY SOURCE tab.
On the Scan Connection page, click START SCANNING to restart the scan.
If the re-scan is successful, the LAST SCAN column under the EXTERNAL KEY SOURCE tab will be updated with the latest scan date and time.
NOTE
After successfully rescanning the DSM connection, you must manually rescan the associated parent or linked cloud connection(s) (AWS or Azure) if any, to update the correlated key data.
8.0 Fortanix Key Insight - Manage Policy Center
Fortanix Key Insight supports account-level cryptographic policies that can be applied to accounts, allowing restrictions on the types of keys that can be created and the operations that are permitted.
When onboarding a connection (cloud or on-premises), Fortanix Key Insight by default applies a system-defined cryptographic policy to scan keys, services, or resources.
It also allows users to create customized, user-defined policies, configure access to Fortanix DSM (using API keys), and utilize the synchronized policies from Fortanix DSM SaaS for these connections.
Figure 30: Access Policy Center
NOTE
Only users with the Account Administrator and Group Administrator roles can manage (Import, Duplicate, Edit, and Delete) the cryptographic policies on Fortanix Key Insight – Policy Center.
8.1 Access System Defined Cryptographic Policy
By default, when a connection (cloud or on-premises) is onboarded into Fortanix Key Insight, the system automatically applies a pre-configured cryptographic policy. This policy is labeled as System Defined Policy and is classified under the System default policy type on Policy Center. It serves as the baseline policy for managing cryptographic operations until the user decides to customize or modify it.
This ensures that every new connection adheres to a set of predefined security rules and cryptographic standards, maintaining consistency and minimizing the risk of configuration errors.
Figure 31: Access System Defined Policy
NOTE
You cannot edit or delete the system-defined cryptography policy. You can only duplicate and modify it to generate a new user-defined policy.
8.2 Manage User-Defined Cryptographic Policy
Fortanix Key Insight allows users to customize and modify the default cryptographic policy to create their own user-defined policies. This customization enables users to develop the cryptographic rules and operations to meet their specific security requirements or compliance standards.
8.2.1 Add a User-Defined Cryptographic Policy
To add a user-defined cryptographic policy for the first time from the default policy:
Click Duplicate and Modify on the default policy.
On the Duplicate and modify Cryptographic Policy page,
Enter the Policy Name.
In the Allowed object types for the account section, select the key types that you want to allow for this account. By default, all the key types are selected except DES3, DES, BLS, ML-KEM, and ML-DSA.
In the Allowed key sizes section, add the required allowed key size(s) for the keys. The default key sizes are carefully selected to ensure that the keys meet compliance requirements and are not flagged as non-compliant.
Click SAVE POLICY to add the new user-defined policy.
Figure 32: Modify and Create New Policy
The new user-defined policy will be added under the User defined (KI) category in the policy center, with the name specified in Step a.
To add a user-defined cryptographic policy from the existing user-defined policy:
Click Duplicate and Modify on the current user-defined policy.
Repeat Step 2 above.
NOTE
After the user-defined policy is added, it will be available for selection on the Key Insight Policy form during a connection onboarding.
8.2.2 Edit a User-Defined Cryptographic Policy
To edit the details of the existing user-defined cryptographic policy:
Click Edit on the user-defined cryptographic policy.
On the Edit Cryptographic Policy page, update the policy name and allowed object types or key sizes as per the requirement.
Click SAVE POLICY to update the policy details.
8.2.3 Delete a User-Defined Cryptographic Policy
You can delete the user-defined policy if it is no longer required.
To delete a user-defined cryptographic policy:
Click Delete on the required user-defined cryptographic policy.
On the Delete Cryptographic Policy dialog box,
You can view the number of connections linked to the policy and read all the details.
Enter the policy name to confirm the deletion.
Click CONFIRM to remove the policy from the Policy Center.
WARNING
Deleting the user-defined policy is irreversible and will remove the policy permanently. Affected connections will revert to the System Default Policy.
8.3 Import Fortanix DSM Policy
Fortanix Key Insight offers the flexibility to import cryptographic policies from Fortanix DSM to streamline the management and application of cryptographic standards across your cloud or on-premises environments. By importing policies from Fortanix DSM, you can ensure consistency in key management, encryption protocols, and security settings, allowing you to easily apply the same policies across multiple connections.
WARNING
For a single account, you can duplicate or import policies using the user interface (UI) up to 10 times. To import or duplicate policies beyond this limit, you must first delete the existing ones.
You can import Fortanix DSM cryptographic policies to Fortanix Key Insight using an administrative (admin) application (app) API Key.
To import a Fortanix DSM cryptographic policy using the admin app API key:
Click IMPORT DSM POLICY.
On the Import DSM Policy dialog box,
Enter the Fortanix DSM Admin app API key. For details on how to obtain the admin app API key, refer to the User’s Guide: Authentication.
Click IMPORT to import the policy from Fortanix DSM to Fortanix Key Insight. The imported policy will be listed on the Policy Center page with the type Fortanix DSM.
You can manage the Federated Authentication identity provider (IdP) configurations on the Authentication page in Fortanix Key Insight.
For the selected Fortanix Key Insight account, the Authentication page lists all the existing AWS and Azure IdP configurations.
NOTE
Only users with the Account Administrator and Group Administrator roles can manage (Add, Edit, and Delete) the authentications in Fortanix Key Insight.
Figure 34: Access Authentication
NOTE
Expired authentication configurations will have the Status column marked as Expired. For these configurations, you must click and click Authorize to perform reauthorization.
For Microsoft Entra ID IdP using the single page application (SPA) option in Azure, you must reauthorize every 24 hours because refresh tokens are valid only for 24 hours, according to the Refresh Tokens Policy in the Microsoft Identity Platform.
9.1 Add an IdP Configuration
To configure a new AWS or Azure IdP, click ADD CONFIGURATION.
The Select identity provider configuration drop down menu in the Select Authentication form while onboarding the AWS or Azure cloud connection.
NOTE
You cannot select the IdP configuration whose authorization has expired or is pending on the Select identity provider configuration drop down in the Select Authentication form while onboarding the AWS or Azure cloud connection. To activate it, you must reauthorize it using REAUTHORIZE.
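The values entered on the Configure Identity Provider form in Sections 4.2 and 5.2 (Well-known URL, Authorization code flow, Scopes) can be checked against the IdP's OpenID configuration document before you click AUTHORIZE. The following is an added example, not Fortanix code: the function names, the sample URL, and the sample document are constructed for illustration, and fetching the document is left out so the check runs offline on a saved copy.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"

# Constructed sample values (not a real tenant).
SAMPLE_URL = "https://idp.example.com/tenant-a" + SUFFIX
SAMPLE_DOC = json.loads("""
{
  "issuer": "https://idp.example.com/tenant-a",
  "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
  "token_endpoint": "https://idp.example.com/tenant-a/token",
  "jwks_uri": "https://idp.example.com/tenant-a/keys",
  "response_types_supported": ["code", "id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"]
}
""")


def is_https(url):
    """True only for an absolute https URL."""
    if not isinstance(url, str):
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_idp_config(well_known_url, doc, scopes, entra_id=False):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []

    if not (is_https(well_known_url) and well_known_url.endswith(SUFFIX)):
        findings.append("well-known URL must be https and end in " + SUFFIX)
        return findings

    # OpenID Connect Discovery: the issuer must equal the URL prefix the
    # document was served from. A mismatch points at the wrong tenant or a
    # document that does not belong to this IdP, so review it before use.
    expected_issuer = well_known_url[: -len(SUFFIX)]
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or issuer.rstrip("/") != expected_issuer:
        findings.append("issuer %r does not match %r" % (issuer, expected_issuer))

    # Endpoints used by the authorization code flow and token validation.
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not is_https(doc.get(field)):
            findings.append(field + " is missing or not https")

    # The form's "Authorization code flow" needs response type "code".
    if "code" not in doc.get("response_types_supported", []):
        findings.append("response type 'code' is not supported")
    grants = doc.get("grant_types_supported")  # optional field
    if grants is not None and "authorization_code" not in grants:
        findings.append("grant type 'authorization_code' is not advertised")

    # The page's NOTE: offline_access must be included for Microsoft Entra ID.
    if entra_id and "offline_access" not in scopes:
        findings.append("offline_access scope is required for Microsoft Entra ID")
    if "offline_access" in scopes and grants is not None \
            and "refresh_token" not in grants:
        findings.append("offline_access requested but 'refresh_token' "
                        "grant is not advertised")

    # scopes_supported is optional; compare only when the IdP publishes it.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        for scope in scopes:
            if scope not in advertised:
                findings.append("scope %r is not in scopes_supported" % scope)

    return findings


if __name__ == "__main__":
    result = check_idp_config(SAMPLE_URL, SAMPLE_DOC,
                              ["openid", "offline_access"], entra_id=True)
    for line in result or ["no findings"]:
        print(line)
```

A finding from the `scopes_supported` comparison is a prompt to review the client application's configured scopes, since an IdP may support scopes it does not advertise.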
9.2 Edit an IdP Configuration
You can modify the details of the IdP configuration if required. To perform this:
Use this feature to remove an IdP configuration and its associated information.
If you click , a deletion confirmation dialog box will appear.
Read all the details and enter the cloud connection name.
Click DELETE.
Figure 36: Delete an IdP
WARNING
Deleting the IdP configuration cannot be undone.
The IdP configuration will be removed from the Authentication page and also from the Select identity provider configuration drop down in the Select Authentication form while onboarding the AWS or Azure cloud connection.
Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.
Fortanix Armor is a comprehensive cybersecurity solution that protects data and applications across on-premises, hybrid, and multi-cloud environments. It integrates Fortanix solutions into a single unified product, securing data throughout its lifecycle. Built on the Runtime Encryption Platform, it ensures real-time encryption of data at rest, in transit, and during processing. Additionally, it includes platform services such as IAM, KMS, and Audit and Monitoring to simplify security management.
Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.