Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.
3.1 Sign Up and Log In to Fortanix Armor Platform - New Users
If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.
After creating and selecting your Fortanix Armor account, you are redirected to the Available Solutions page in Fortanix Armor. From this page, you can access Fortanix Key Insight.
Perform the following steps:
Ensure the appropriate region (European Union or North America) is selected from the Region drop down. The selected region determines where your data is processed and stored. It also ensures that connections, scans, and UI elements are displayed based on the selected region. For more information on configuring regions, refer to Fortanix Armor – Solutions.
Click GO TO KEY INSIGHT to access Fortanix Key Insight and begin onboarding external key source connections.
Figure 1: Access Fortanix Key Insight solution
5.0 Configure Fortanix DSM (SaaS) Connection
After you access the Key Insight solution from Fortanix Armor, if you want to onboard an external key source, that is, a Fortanix DSM (SaaS) connection, then you need to configure it to scan your keys and services.
5.1 Prerequisites
The following are the prerequisites to add a Fortanix DSM (SaaS) connection to Fortanix Key Insight:
Fortanix DSM Account Setup: A valid and active Fortanix DSM (SaaS) account is set up to allow communication between Fortanix DSM and Key Insight.
Application Configuration: An application (app) must be created in Fortanix DSM (SaaS) to enable interaction between the two solutions. This application defines the roles and permissions required for key management.
Security Objects Setup: Security objects, such as keys or key versions, must be created and configured within Fortanix DSM (SaaS) to allow secure key management and usage by Fortanix Key Insight.
Group Configuration: User groups or access policies should be configured in Fortanix DSM (SaaS) to ensure appropriate access control and permissions for users interacting with keys through Fortanix Key Insight.
Perform the following steps to select the external KMS key type:
On the Select External KMS Type step, select the External Key Source Connections type and the Fortanix DSM (SaaS) provider.
Click NEXT.
Figure 2: Select a DSM (SaaS) provider
NOTE
You can also add a Fortanix DSM (SaaS) connection by clicking ADD EXTERNAL KEY SOURCE in the top-right corner of the EXTERNAL KEY SOURCE tab on the Connections page.
5.3 Add Fortanix DSM (SaaS) Connection
Perform the following steps to add a Fortanix DSM (SaaS) connection on the Add DSM (SaaS) Connection step:
Connection name: Enter a name for your Fortanix DSM (SaaS) connection.
Region: Select the required region from the drop down. For example, North America. For the list of all supported regions, refer to Fortanix DSM SaaS Global Availability Map.
This will create a DSM Connection. The connection can be deleted later from the connections screen: Select thecheck box to confirm that a Fortanix DSM SaaS connection will be created. The connection appears under the EXTERNAL KEY SOURCE tab on the Connections page, but it will not yet be integrated with Fortanix DSM.
Click ADD CONNECTION & PROCEED.
Figure 3: Add DSM (SaaS) connection
5.4 Add Admin App UUID
Perform the following steps to configure the private key and certificate on the Add Admin App UUID step:
Click GENERATE PRIVATE KEY to create a private key. You can generate a maximum of two private keys.
Click GENERATE ANOTHER PRIVATE KEY to generate an additional key.
You can delete the private key using .
Click GENERATE CERTIFICATE to generate a self-signed certificate. This button will only be enabled after generating a private key.
You can copy the generated certificate details.
You can also RE-GENERATE THE CERTIFICATE, if required.
Create an administrative (admin) app using the steps mentioned in Create Admin Apps, selecting Certificate as the authentication method, and uploading the certificate generated in Step 2.
After creating the admin app, copy the UUID value.
Admin app UUID: Enter the value obtained from Fortanix DSM (SaaS) admin app.
NOTE
It is recommended to use a unique Fortanix DSM admin app UUID for each Fortanix DSM (SaaS) connection in Fortanix Key Insight to prevent performance degradation and reduce unnecessary clutter.
Click CONNECT to establish the connection between Fortanix DSM (SaaS) and Fortanix Key Insight. If your credentials (region and certificate) are incorrect, an error message appears. Ensure you use the correct credentials to establish the connection with Fortanix DSM (SaaS).
Figure 4: Configure Fortanix DSM (SaaS) in Fortanix Key Insight
NOTE
After onboarding the Fortanix DSM (SaaS) connection,
Users with theAccount AdministratorandGroup Administratorroles can manage (edit, delete, rescan) the connection from the Connections page under the EXTERNAL KEY SOURCE tab.
If you edit the Fortanix DSM (SaaS) connection, rescan both the Fortanix DSM (On-premises) connection and its associated parent connection (if any) to apply the changes.
Deleting the Fortanix DSM (SaaS) connection cannot be undone.
The Rescan option is available only when the Fortanix DSM (SaaS) connection status is Connected.
After rescanning the Fortanix DSM (SaaS) connection, manually rescan the linked Fortanix Key Insight cloud or on-premises connection (if any) to update the correlated key data.
You can switch the region at any time using the region switcher drop down located on the top navigation bar of the connection UI. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
After accessing the Fortanix Key Insight solution from Fortanix Armor, if you want to onboard an external key source, that is, a Fortanix DSM (On-premises) connection, you need to configure it to scan your keys and services.
Perform the following steps to select the external KMS key type:
On the Select External KMS Type step, select External Key Source Connections type and the Fortanix DSM (On-Premises) provider.
Click NEXT.
Figure 5: Select DSM (On-Premises) provider
NOTE
You can also add a Fortanix DSM (On-premises) connection by clicking ADD EXTERNAL KEY SOURCE in the top-right corner of the EXTERNAL KEY SOURCE tab on the Connections page.
6.3 Add Fortanix DSM (On-premises) Connection
Perform the following steps to add a Fortanix DSM (On-premises) connection on the Add DSM (On-Premises) Connection step:
Connection name: Enter a name for your Fortanix DSM (On-premises) connection.
This will create a DSM Connection. The connection can be deleted later from the connections screen: Select the check box to confirm that a Fortanix DSM SaaS connection will be created. The connection appears under the EXTERNAL KEY SOURCE tab on the Connections page, but it will not yet be integrated with Fortanix DSM.
Click Fortanix on-premises scanner package to download the Fortanix On-premises Scanner for Fortanix DSM on-premises connection.
After downloading the package, install it depending on your operating system (Linux or Windows).
After installation and configuration of the package, select any of the following:
ADD DSM: Select this option if you have not enabled the I have downloaded and installed the Scanner package check box.The connection will be added under the EXTERNAL KEY SOURCE tab on the Connections page, though it will not yet be integrated with Fortanix DSM.
Perform the following steps:
Select I have downloaded and installed the Scanner package check box to confirm the scanner installation.
Click GENERATE API KEY to add the scanner using the generated API key.
In the API Key Details dialog box, click COPY API KEY to copy the API key value.
Close the dialog box to complete the onboarding.
ADD DSM & GENERATE API KEY: Select this option if you have enabled the I have downloaded and installed the Scanner package check box to add the scanner using the generated API key. You will be authenticating with Fortanix Key Insight using the API keys.
Perform the following steps:
In the API Key Details dialog box, click COPY API KEY to copy the API key value. This value is used to authenticate both the Fortanix On-premises Scanner and Fortanix Key Insight.
Close the dialog box to complete the onboarding.
Figure 6: Configure a Fortanix DSM on-premises connection
NOTE
After onboarding the Fortanix DSM (On-premises) connection,
You can verify the connection status from the Connections page under the EXTERNAL KEY SOURCE tab.
If the status is Disconnected, restart the scanner to re-establish the connection.
If the status is Pending, use the generated API key to connect to Fortanix Key Insight. After the connection is established, add the resources to begin scanning.
Users with theAccount AdministratorandGroup Administratorroles can manage (edit, delete, rescan, and view details) the connection from the Connections page under the EXTERNAL KEY SOURCE tab.
If you edit the Fortanix DSM (On-premises) connection, rescan both the Fortanix DSM (On-premises) connection and its associated parent connection (if any) to apply the changes.
Deleting the Fortanix DSM (On-premises) connection cannot be undone.
The Rescan option is available only when the Fortanix DSM (On-premises) connection status is Connected.
After rescanning the Fortanix DSM (On-premises) connection, manually rescan the linked Fortanix Key Insight cloud or on-premises connection (if any) to update the correlated key data.
When viewing the connection details:
Copy the Connection ID. This value is required in the Fortanix On-premises Scanner configuration.
Click MANAGE API KEY to manage (copy, delete, regenerate) the API key geneated.
You can generate a maximum of two API keys for configuring the connection between Fortanix DSM (On-premises) and Fortanix Key Insight.
Deleting an API key may revoke access for the Fortanix DSM (On-premises) connection, potentially disrupting its functionality. This action is irreversible.
Click DOWNLOAD PACKAGE to download the package again in case you changed your machine, your current package has errors or was not installed correctly.
You can switch the region at any time using the region switcher drop down located on the top navigation bar of the connection UI. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
7.0 Scanning External HSMs Using Fortanix DSM HSM Gateway
Fortanix Key Insight supports scanning cryptographic keys stored in external HSMs using the Fortanix DSM (SaaS or on-premises) HSM Gateway.
NOTE
Before scanning, ensure the following:
The Fortanix DSM instance (SaaS or on-premises) already connected to Fortanix Key Insight.
Fortanix DSM HSM Gateway installed and connected to the target HSM.
In this scanning process,
Fortanix Key Insight connects to Fortanix DSM, which uses the HSM Gateway to reach the external HSM.
Fortanix Key Insight requests key information from Fortanix DSM.
Fortanix DSM retrieves the details from the HSM through the gateway and returns them to Fortanix Key Insight.
This setup allows Fortanix Key Insight to,
Collect and view keys from different HSMs in one place, without needing a direct connection between Fortanix Key Insight and the external HSM.
Include the keys in security and compliance reports, such as CBOM.
Prepare for post-quantum readiness by including keys managed in external HSMs.
For detailed steps on how to add a new HSM Gateway to the Fortanix DSM, refer to the User's Guide: HSM Gateway.
Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. Iy also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.
Fortanix Armor is a comprehensive cybersecurity solution that protects data and applications across on-premises, hybrid, and multi-cloud environments. It integrates Fortanix solutions into a single unified product, securing data throughout its lifecycle. Built on the Runtime Encryption Platform, it ensures real-time encryption of data at rest, in transit, and during processing. Additionally, it includes platform services such as IAM, KMS, and Audit and Monitoring to simplify security management.
.png?sv=2022-11-02&spr=https&st=2026-03-15T05%3A37%3A57Z&se=2026-03-15T05%3A59%3A57Z&sr=c&sp=r&sig=pgy6%2F6kxYV3FawWw59Dbtp%2BN0i8D6MQc13CWCgib9DE%3D)
..png?sv=2022-11-02&spr=https&st=2026-03-15T05%3A37%3A57Z&se=2026-03-15T05%3A59%3A57Z&sr=c&sp=r&sig=pgy6%2F6kxYV3FawWw59Dbtp%2BN0i8D6MQc13CWCgib9DE%3D)
.png?sv=2022-11-02&spr=https&st=2026-03-15T05%3A37%3A57Z&se=2026-03-15T05%3A59%3A57Z&sr=c&sp=r&sig=pgy6%2F6kxYV3FawWw59Dbtp%2BN0i8D6MQc13CWCgib9DE%3D)
