---
title: "Getting Started with External Key Source Connection"
slug: "fortanix-key-insight-getting-started-with-external-key-source-connection"
updated: 2026-06-09T07:45:15Z
published: 2026-06-09T07:45:15Z
canonical: "support.fortanix.com/fortanix-key-insight-getting-started-with-external-key-source-connection"
---


# Getting Started with External Key Source Connection

## 1.0 Introduction

This article helps you get started with the Fortanix Key Insight external key source (Fortanix Data Security Manager (DSM)) connection.

It also describes:

- How to sign up and log in to Fortanix Armor.
- How to access the Fortanix Key Insight solution.
- How to configure Fortanix DSM Software-as-a-Service (SaaS) environment to scan the keys and services in Fortanix Key Insight.
- How to configure Fortanix DSM on-premises environment to scan the keys and services in Fortanix Key Insight.
- How to scan external Hardware Security Modules (HSMs) using Fortanix DSM HSM Gateway.

## 2.0 Terminology References

*For the external key source connection concepts and supported features, refer to* [*External Key Source Connection Concepts*](https://support.fortanix.com/docs/fortanix-key-insight-for-external-key-source-concepts)*.*

## 3.0 Log In and Create an Account

Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you must create an account on the Fortanix Armor platform to get started.

### 3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you must sign up for Fortanix Armor before you can access Fortanix Key Insight.

*For detailed instructions to sign up and log in to Fortanix Armor, refer to* [*Getting Started with Fortanix Armor*](/v1/docs/fortanix-armor-getting-started#20-sign-up-on-fortanix-armor-platform-new-users)*.*

### 3.2 Log In to Fortanix Armor Platform - Existing Users

If you already have a Fortanix Armor account, log in to the Fortanix Armor platform to access Fortanix Key Insight.

*For detailed instructions to log in to Fortanix Armor, refer to* [*Getting Started with Fortanix Armor*](/v1/docs/fortanix-armor-getting-started#30-log-in-to-fortanix-armor-platform-existing-users)*.*

### 3.3 Create an Account

After you log in, you must add a new Fortanix Armor account to access the Fortanix Key Insight solution.

*For detailed instructions to create a Fortanix Armor account, refer to* [*Getting Started with Fortanix Armor*](/v1/docs/fortanix-armor-getting-started#40-create-an-account)*.*

## 4.0 Access Fortanix Key Insight

After creating and selecting your Fortanix Armor account, you are redirected to the **Available Solutions** page in Fortanix Armor. From this page, you can access Fortanix Key Insight.

Perform the following steps:

1. Ensure the appropriate region (**European Union** or **North America**) is selected from the **Region** drop down. The selected region determines where your data is processed and stored. It also ensures that connections, scans, and UI elements are displayed based on the selected region. *For more information on configuring regions, refer to* [*Fortanix Armor Solutions*](https://support.fortanix.com/docs/fortanix-armor-solutions#22-key-insight)*.*
2. Click **GO TO KEY INSIGHT** to access Fortanix Key Insight and begin onboarding external key source connections.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Region Selector.png)

**Figure 1: Access Fortanix Key Insight solution**

## 5.0 Configure Fortanix DSM (SaaS) Connection

After you access the Key Insight solution from Fortanix Armor, if you want to onboard an external key source, that is, a **Fortanix DSM (SaaS)** connection, then you need to configure it to scan your keys and services.

### 5.1 Prerequisites

The following are the prerequisites to add a Fortanix DSM (SaaS) connection to Fortanix Key Insight:

- **Fortanix DSM Account Setup**: A valid and active Fortanix DSM (SaaS) account is set up to allow communication between Fortanix DSM and Key Insight.
- **Application Configuration**: An application (app) must be created in Fortanix DSM (SaaS) to enable interaction between the two solutions. This application defines the roles and permissions required for key management.
- **Security Objects Setup**: Security objects, such as keys or key versions, must be created and configured within Fortanix DSM (SaaS) to allow secure key management and usage by Fortanix Key Insight.
- **Group Configuration**: User groups or access policies should be configured in Fortanix DSM (SaaS) to ensure appropriate access control and permissions for users interacting with keys through Fortanix Key Insight.

*For more information on how to set up the above, refer to* [*Getting Started with Fortanix DSM - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 5.2 Select External KMS Type

Perform the following steps to select the external KMS key type:

1. On the **Select External KMS Type** step, select the **External Key Source Connections** type and the **Fortanix DSM (SaaS)** provider.
2. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EKS SaaS Step 1.png)

**Figure 2: Select a DSM (SaaS) provider**

> [!NOTE]
> You can also add a Fortanix DSM (SaaS) connection by clicking **ADD EXTERNAL KEY SOURCE** in the top-right corner of the **EXTERNAL KEY SOURCE** tab on the **Connections** page.

### 5.3 Set Up DSM (SaaS) Connection

Perform the following steps to add a Fortanix DSM (SaaS) connection on the **Set Up DSM (SaaS) Connection** step:

1. **Connection name:** Enter a name for your Fortanix DSM (SaaS) connection.
2. **Region:** Select the required region from the drop down. For example, **North America**. *For the list of all supported regions, refer to* [*Fortanix DSM SaaS Global Availability Map*](https://support.fortanix.com/docs/fortanix-dsm-saas-global-availability-map)*.*
3. **This will create a DSM Connection. The connection can be deleted later from the connections screen:** Select the check box to confirm that a Fortanix DSM SaaS connection will be created. The connection appears on the **EXTERNAL KEY SOURCE** tab on the **Connections** page, but it will not yet be integrated with Fortanix DSM.
4. Click **ADD CONNECTION & PROCEED**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EKS SaaS Step 2(1).png)

**Figure 3: Add DSM (SaaS) connection**

### 5.4 Add Admin App UUID

Perform the following steps to configure the private key and certificate on the **Add Admin App UUID** step:

1. Click **GENERATE PRIVATE KEY** to create a private key. You can generate a maximum of two private keys.
  - Click **GENERATE ANOTHER PRIVATE KEY** to generate an additional key.
  - You can delete the private key using ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---getting-started-with-external-key-source-connection-image-qkfjxcbk.png).
2. Click **GENERATE CERTIFICATE** to generate a self-signed certificate. This option becomes available only after a private key has been generated.
  - You can copy the generated certificate details.
  - You can also **RE-GENERATE THE CERTIFICATE**, if required.
3. After generating and downloading the certificate,
  1. Log in to your [Fortanix DSM](https://amer.smartkey.io/) account in the same region selected in *Step 2* of [*Section 5.3: Set Up DSM (SaaS) Connection*](/v1/docs/fortanix-key-insight-getting-started-with-external-key-source-connection#53-set-up-dsm-saas-connection) above to ensure proper correlation.
  2. Create an administrative (admin) app using the steps mentioned in [*Authentication*](https://support.fortanix.com/docs/users-guide-authentication#71-create-administrative-apps), selecting **Certificate** as the authentication method, and uploading the certificate generated in *Step 2*.
  3. After creating the admin app, copy the **UUID** value.
4. **Admin app UUID:** Enter the value obtained from the Fortanix DSM (SaaS) admin app.

> [!NOTE]
> It is recommended to use a unique Fortanix DSM admin app UUID for each Fortanix DSM (SaaS) connection in Fortanix Key Insight to prevent performance degradation and reduce unnecessary clutter.

5. Click **CONNECT** to establish the connection between Fortanix DSM (SaaS) and Fortanix Key Insight. If your credentials (region and certificate) are incorrect, an error message appears. Ensure you use the correct credentials to establish the connection with Fortanix DSM (SaaS).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EKS SaaS Step 3(3).png)

**Figure 4: Configure Fortanix DSM (SaaS) in Fortanix Key Insight**

> [!NOTE]
> After onboarding the Fortanix DSM (SaaS) connection:
> 
> - Access the **Overview** and **Keys** user interface (UI). You can also **switch the region** using the region switcher drop down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
> 
> *For more information on the external key source (Fortanix DSM SaaS) UI, refer to* [*External Key Source Connection - User Interface Components*](https://support.fortanix.com/docs/fortanix-key-insight-user-interface-components-external-key-source).
> - Users with the **Account Administrator** and **Group Administrator** roles can manage (edit, delete, rescan) the connection from the **Connections** page on the **EXTERNAL KEY SOURCE** tab.
>   - If you edit the Fortanix DSM (SaaS) connection, **rescan** both the Fortanix DSM (On-premises) connection and its associated parent connection (if any) to apply the changes.
>   - Deleting the Fortanix DSM (SaaS) connection cannot be undone.
>   - The **Rescan** option is available only when the Fortanix DSM (SaaS) connection status is **Connected.**
>   - After rescanning the Fortanix DSM (SaaS) connection, manually rescan the linked Fortanix Key Insight cloud or on-premises connection (if any) to update the correlated key data.
> - A group with the same name will be created on the Fortanix IAM **Groups** page. *For more information on Groups, refer to* [*Fortanix Armor Identity and Access Management (IAM).*](/v1/docs/fortanix-fortanix-armor-identity-and-access-management-iam)
> - All security objects in your Fortanix DSM (SaaS) account that are accessible to the admin application will be imported into Fortanix Key Insight.

## 6.0 Configure Fortanix DSM (On-premises) Connection

After accessing the Fortanix Key Insight solution from Fortanix Armor, if you want to onboard an external key source, that is, a **Fortanix DSM (On-premises)** connection, you need to configure it to scan your keys and services.

### 6.1 Prerequisites

*For prerequisites, refer to* [*Getting Started with On-premises Connection*](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-on-premises-connection#51-prerequisites)*.*

### 6.2 Select External KMS Type

Perform the following steps to select the external KMS key type:

1. On the **Select External KMS Type** step, select the **External Key Source Connections** type and the **Fortanix DSM (On-Premises)** provider.
2. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EKS On-prem Step 1.png)

**Figure 5: Select DSM (On-Premises) provider**

> [!NOTE]
> You can also add a Fortanix DSM (On-premises) connection by clicking **ADD EXTERNAL KEY SOURCE** in the top-right corner of the **EXTERNAL KEY SOURCE** tab on the **Connections** page.

### 6.3 Set Up Fortanix DSM (On-premises) Connection

Perform the following steps to add a Fortanix DSM (On-premises) connection on the **Set Up DSM (On-Premises) Connection** step:

1. **Connection name:** Enter a name for your Fortanix DSM (On-premises) connection.
2. **This will create a DSM Connection. The connection can be deleted later from the connections screen**: Select the check box to confirm that a Fortanix DSM SaaS connection will be created. The connection appears on the **EXTERNAL KEY SOURCE** tab on the **Connections** page, but it will not yet be integrated with Fortanix DSM.
3. Click **Fortanix on-premises scanner package** to download the Fortanix On-premises Scanner for Fortanix DSM on-premises connection.
  1. After downloading the package, install it depending on your operating system (Linux or Windows).
    - *For instructions on how to install the Fortanix On-Premises Scanner package on Linux, refer to* [*On-premises Scanner Configuration - Linux*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-linux)*.*
    - *For instructions on how to install the Fortanix On-Premises Scanner package on Windows, refer to* [*On-premises Scanner Configuration - Windows*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-windows)*.*
  2. After installing the package, configure the Fortanix DSM on-premises connection using the configuration file.

     *For information on Fortanix DSM On-premises connection configuration file parameters, refer to* [*On-premises Scanner Configuration File*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-file#34-external-key-source-fortanix-dsm-onpremises-connection)*.*
  3. After configuration, execute the Fortanix On-premises Scanner package depending on your operating system (Linux or Windows).
    - *For instructions on how to execute the Fortanix On-Premises Scanner package on Linux, refer to* [*On-premises Scanner Configuration - Linux*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-linux#50-onpremises-scanner-execution)*.*
    - *For instructions on how to execute the Fortanix On-Premises Scanner package on Windows, refer to* [*On-premises Scanner Configuration - Windows*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-windows#50-onpremises-scanner-execution)*.*
4. After installing and configuring the package, select the **I have downloaded and installed the Scanner package** check box.
5. Click **ADD DSM & GENERATE API KEY** to add the scanner using the generated API key.
6. In the **API Key Details** dialog box, click **COPY API KEY** to copy the API key value. This value is used to authenticate both the Fortanix On-premises Scanner and Fortanix Key Insight.
7. Close the dialog box to complete the onboarding.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EKS On-prem Step 2(1).png)

**Figure 6: Configure a Fortanix DSM on-premises connection**

> [!NOTE]
> After onboarding the Fortanix DSM (On-premises) connection:
> 
> - You can verify the connection status on the **EXTERNAL KEY SOURCE** tab.
>   - If the status is **Connected**, you can access the **Overview** and **Keys** UI. You can also **switch the region** using the region switcher drop down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
> 
> *For more information on the UI, refer to* [*External Key Source Connection - User Interface Components*](https://support.fortanix.com/docs/fortanix-key-insight-user-interface-components-external-key-source).
>   - If the status is **Disconnected**, restart the scanner to re-establish the connection.
>   - If the status is **Pending**, use the generated API key to connect to Fortanix Key Insight. After the connection is established, add the resources to begin scanning.
> - Users with the **Account Administrator** and **Group Administrator** roles can manage (edit, delete, rescan, and view details) the connection from the **Connections** page on the **EXTERNAL KEY SOURCE** tab.
>   - If you edit the Fortanix DSM (On-premises) connection, **rescan** both the Fortanix DSM (On-premises) connection and its associated parent connection (if any) to apply the changes.
>   - Deleting the Fortanix DSM (On-premises) connection cannot be undone.
>   - The **Rescan** option is available only when the Fortanix DSM (On-premises) connection status is **Connected.**
>     - After rescanning the Fortanix DSM (On-premises) connection, manually rescan the linked Fortanix Key Insight cloud or on-premises connection (if any) to update the correlated key data.
>   - When viewing the connection details:
> 
> ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764327385952.png)
> 
> **Figure 7: View Fortanix DSM (on-premises) key details**
>     - Copy the Connection ID. This value is required in the Fortanix On-premises Scanner configuration.
>     - Click **MANAGE API KEY** to manage (copy, delete, regenerate) the generated API key.
>       - You can generate a maximum of two API keys for configuring the connection between Fortanix DSM (On-premises) and Fortanix Key Insight.
>       - Deleting an API key may revoke access for the Fortanix DSM (On-premises) connection, potentially disrupting its functionality. This action is irreversible.
>     - Click **DOWNLOAD PACKAGE** to download the package again in case you changed your machine, your current package has errors or was not installed correctly.
> - A group with the same name will be created on the Fortanix IAM **Groups** page. *For more information on Groups, refer to* [*Fortanix Armor Identity and Access Management (IAM).*](/v1/docs/fortanix-fortanix-armor-identity-and-access-management-iam)

## 7.0 Scanning External HSMs Using Fortanix DSM HSM Gateway

Fortanix Key Insight supports scanning cryptographic keys stored in external HSMs using the Fortanix DSM (SaaS or on-premises) HSM Gateway.

> [!NOTE]
> Before scanning, ensure the following:
> 
> - The Fortanix DSM instance (SaaS or on-premises) is already connected to Fortanix Key Insight.
> - Fortanix DSM HSM Gateway is installed and connected to the target HSM.

In this scanning process:

1. Fortanix Key Insight connects to Fortanix DSM, which uses the HSM Gateway to reach the external HSM.
2. Fortanix Key Insight requests key information from Fortanix DSM.
3. Fortanix DSM retrieves the details from the HSM through the gateway and returns them to Fortanix Key Insight.

This setup allows Fortanix Key Insight to:

- Collect and view keys from different HSMs in one place, without needing a direct connection between Fortanix Key Insight and the external HSM.
- Include the keys in security and compliance reports, such as CBOM.
- Prepare for post-quantum readiness by including keys managed in external HSMs.

*For detailed steps on how to add a new HSM Gateway to the Fortanix DSM, refer to* [*HSM Gateway*](https://support.fortanix.com/docs/users-guide-hsm-gateway)*.*

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix Armor is a comprehensive cybersecurity solution that protects data and applications across on-premises, hybrid, and multi-cloud environments. It integrates Fortanix solutions into a single unified product, securing data throughout its lifecycle. Built on the **Confidential Computing Platform**, it ensures real-time encryption of data at rest, in transit, and during processing. Additionally, it includes platform services such as Identity and Access Management (IAM), Key Management Service (KMS), and Audit and Monitoring to simplify security management.
