1.0 Introduction
This article describes the user interface (UI) features of the external key source (Fortanix Data Security Manager (DSM) SaaS or On-premises) connection on Fortanix Key Insight.
2.0 Terminology References
For Fortanix Key Insight - external key source concepts and supported features, refer to External Key Source Connection Concepts.
3.0 External Key Source Connection - Overview
Users can access the External Key Source Overview page after adding a Fortanix DSM (SaaS or On-premises) connection in Fortanix Key Insight.
The Overview page summarizes the keys and related correlation details of the external key source (Fortanix DSM SaaS or On-premises).
Figure 1: Access external key source overview
For more information on how to onboard the external key source, refer to Getting Started with External Key Source Connection.
NOTE
You can click the numerical value on the Overview page, where applicable, to view the list of corresponding external key source keys, filtered accordingly.
The Overview page will not display data if the Fortanix DSM (SaaS or On-premises) connection with Fortanix Key Insight is not established. In this scenario, you must edit the associated cloud or on-premises connection configuration and re-establish the connection.
The Overview page helps users get a summary of the Fortanix DSM SaaS or On-premises keys, as described in the following sections:
3.1 DSM Discovery
This section summarizes the Fortanix DSM (SaaS or On-premises) keys discovered during the scan.
It includes the following information:
The total count of Fortanix DSM (SaaS or On-premises) keys imported from your DSM account during integration with Fortanix Key Insight.
The count of Fortanix DSM (SaaS or On-premises) keys successfully correlated within the Fortanix Key Insight platform and linked to cloud (Azure or AWS) or on-premises connection.
NOTE
When a new external key source (Fortanix DSM) is added, Fortanix Key Insight automatically triggers a scan to import externally backed keys from the Fortanix DSM (SaaS or on-premises) connection.
To view the correlated keys count:
Manually rescan the linked cloud or on-premises connection. The linked connection appears in the Key Correlations by Connection section of the Overview page.
After the scan is completed, click the refresh icon on the Overview page to view the correlated keys count.
Figure 2: Perform refresh
Clicking each label takes you to its list view.
3.2 Cryptography Bill of Materials (CBOM)
This section describes how to export cryptographic asset metadata from an external key source (Fortanix DSM) into a standardized CBOM JSON file. The exported CBOM format is useful for maintaining a cryptographic inventory, demonstrating regulatory compliance, and evaluating post-quantum cryptography (PQC) readiness.
To export the CBOM data, click EXPORT. The file named bom_report_<DSM_scan_id>.json will be downloaded to your local machine, where DSM_scan_id is the unique identifier generated for each Fortanix DSM connection scan.
For example,
The exported file adheres to the CycloneDX specification and includes the following components:
bomFormat: Specifies the format of the bill of materials. For CBOM, this value is set to CycloneDX.
specVersion: Indicates the version of the CycloneDX specification being used.
version: Denotes the version of this specific CBOM file.
components: Lists cryptographic components such as DSM keys. Each entry includes details such as type, name, algorithm, associated services, and other relevant information.
services: Returns an empty list as Fortanix DSM connections do not support services.
dependencies: Returns an empty list, since Fortanix DSM connections do not support services, and therefore no dependencies are defined.
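The following added example (not Fortanix code) shows one way to sanity-check an exported CBOM file and build a PQC-readiness inventory from it. The top-level fields are the ones listed above; the per-component layout (cryptoProperties, algorithmRef, bom-ref) is assumed from CycloneDX 1.6 and may differ from the actual export, and the sample data and the function names check_envelope and key_inventory are constructed for illustration.

```python
import json
from collections import Counter

# Public-key families that Shor's algorithm breaks; symmetric keys are not listed.
QUANTUM_VULNERABLE = ("RSA", "EC", "DSA", "DH")
# Constructed sample, not real export output. Per-component layout is assumed
# from CycloneDX 1.6 (keys point at algorithm components via algorithmRef).
SAMPLE = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
 "services": [], "dependencies": [],
 "components": [
  {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg-rsa",
   "cryptoProperties": {"assetType": "algorithm"}},
  {"type": "cryptographic-asset", "name": "AES-256", "bom-ref": "alg-aes",
   "cryptoProperties": {"assetType": "algorithm"}},
  {"type": "cryptographic-asset", "name": "payments-signing-key",
   "cryptoProperties": {"assetType": "related-crypto-material",
    "relatedCryptoMaterialProperties": {"type": "private-key", "algorithmRef": "alg-rsa"}}},
  {"type": "cryptographic-asset", "name": "db-wrap-key",
   "cryptoProperties": {"assetType": "related-crypto-material",
    "relatedCryptoMaterialProperties": {"type": "secret-key", "algorithmRef": "alg-aes"}}}
 ]}""")

def check_envelope(bom):
    """Problems with the top-level fields the export is documented to carry."""
    problems = [f"missing {f}" for f in ("specVersion", "version", "components") if f not in bom]
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    # A DSM connection has no services, so both lists should be empty.
    problems += [f"{f} is not empty" for f in ("services", "dependencies") if bom.get(f)]
    return problems

def key_inventory(bom):
    """Count keys per algorithm and name the keys using a quantum-vulnerable one."""
    comps = bom.get("components", [])
    algs = {c["bom-ref"]: c.get("name", "") for c in comps if "bom-ref" in c
            and c.get("cryptoProperties", {}).get("assetType") == "algorithm"}
    counts, flagged = Counter(), []
    for c in comps:
        props = c.get("cryptoProperties", {})
        if props.get("assetType") != "related-crypto-material":
            continue  # only key material is inventoried here
        ref = props.get("relatedCryptoMaterialProperties", {}).get("algorithmRef")
        alg = algs.get(ref, "unknown")  # unresolved references are counted, not dropped
        counts[alg] += 1
        if alg.upper().startswith(QUANTUM_VULNERABLE):
            flagged.append(c.get("name"))
    return counts, flagged

if __name__ == "__main__":
    print(check_envelope(SAMPLE), key_inventory(SAMPLE))
```

To run it against a real export, replace SAMPLE with the parsed contents of the downloaded bom_report_<DSM_scan_id>.json file and adjust the field paths to match what the file actually contains.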
NOTE
If your Fortanix DSM SaaS or On-premises connection was last scanned before the Fortanix Key Insight 25.07 release and has not been rescanned since, you must perform a Rescan to ensure the correct export of CBOM data.
For more information on how to perform a rescan, refer to Section 3.6: Rescan an External Key Source Connection.
3.3 Keys by Status
This section provides a detailed summary of the imported external key source (Fortanix DSM SaaS or On-premises) keys following a successful scan. It includes a breakdown of the keys that are without expiry and those that are non-compliant:
Keys without expiry: These are keys that have been created in Fortanix DSM (SaaS or On-premises) without an expiry date set. As a result, these keys remain valid indefinitely unless manually revoked.
Non-compliant keys: These keys do not meet the cryptographic policy standards as outlined in the Fortanix DSM account-level cryptographic policy. These keys may require attention to ensure compliance with security best practices and regulatory requirements.
For more information on the Fortanix DSM account-level cryptographic policy, refer to the User's Guide: Account Cryptographic Policy.
NOTE
If no account-level cryptographic policy is configured on the Fortanix DSM, all keys will be shown as compliant, and the count of non-compliant keys will be zero.
Since Fortanix DSM On-premises users cannot import cryptographic policies into Fortanix Key Insight, scan results for the external key source (Fortanix DSM On-premises) will always appear compliant, and the count of non-compliant keys will always be 0.
Click the Keys by Status label to go to the list view of the keys.
3.4 Keys by Type
This section provides a detailed count of the key specifications imported from your Fortanix DSM account.
Click the “key type” label to go to the tabular view of the key specification.
3.5 Key Correlations by Connection
This section provides an overview of the association between the external key source connection and the Fortanix Key Insight cloud or on-premises connections. It summarizes how the keys are linked across the cloud or on-premises environment.
NOTE
If no correlated key data is available, recheck the linked connections and rescan.
Click the Key Correlation by Connection Type label to navigate to the Keys page.
Click the connection to access its corresponding keys list view.
3.6 Rescan an External Key Source Connection
Click RESCAN on the top right corner of the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the Fortanix DSM SaaS or On-premises connection.
NOTE
The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.
The RESCAN option is available only when the external key source connection status is 'Connected'.
If you click RESCAN and start the scan, you can monitor the progress bar while the scan is running. After the scan is completed successfully:
The Last scanned label will be updated with the date and time of completion.
The Overview page will reflect the new state of the external key source keys.
4.0 External Key Source Connection - Keys
After onboarding an external key source, click Keys in the Fortanix Key Insight left navigation panel.
Clicking Keys will take you to the Keys page that shows a map of all the Fortanix DSM SaaS or On-premises keys with the following details:
Security object name
Current key status
Key Check Value (KCV): It is a cryptographic checksum or hash value derived from a Fortanix DSM cryptographic key.
Key operations supported. Click + more to view all supported key operations. For more information on each key operation, refer to Key Operations.
Key export status: Exportable or Non-exportable
The group associated with the key
Key creation date
Object type, key size, and key curve
Key source
Key description
Owners
Usage description
Expiry date
NOTE
You can customize how many columns are displayed in the Keys list view. For more information on how to configure the columns display, refer to Section 4.3: Customize Columns Display in List View.

Figure 3: Keys list view
4.1 Filter Keys
In the list view, you can filter the keys using the Search field with the following criteria and available values:
Key Name
Key Size
Key State: Pre-Active, Deactivated, Active, Compromised, Destroyed, Deleted, Not Available
Group Id
Group Name
Object Type
Elliptic Curve
Key Type
Enabled: Enabled, Not Enabled
Key Correlation: Yes, No
Host IP
HSM Type: AWS CloudHSM, AWS Key Management Service, Azure Key Vault, Fortanix DSM, Fortanix DSM FIPS cluster, GCP Key Management Service, Entrust nShield HSM, Other, Thales Luna HSM
Owner
Key Description
Usage Description
Compliance: Compliant keys, Non-Compliant keys
Vulnerability: Keys without expiry, Quantum vulnerable key
You can use a combination of the above filter options to display the keys with specific results.
4.2 Export Keys Data
For steps to export the keys data, refer to Section 5.0: External Key Source Connection - Scanned Data Export.
4.3 Customize Columns Display in List View
Perform the following steps to modify the Keys table columns in the list view:
Click the column setting icon in the top-right corner of the table.
In the Customize Columns dialog box, select the columns you want to display. You can choose specific columns or select all.
Click APPLY to update the table view with your selected columns.
Click RESET TO DEFAULT to revert to the default view showing six columns, if needed.
NOTE
If the total column width exceeds the screen size, horizontal scrolling is automatically enabled. The first column and the action column remain fixed during scrolling to ensure easier navigation.
4.4 Add Key Details
After an external key source connection (Fortanix DSM SaaS or On-premises) is onboarded to Fortanix Key Insight, you can assign owners to the scanned keys to enhance key management, simplify tracking, and improve remediation workflows.
Perform the following steps to add the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click ADD DETAILS in the top right corner of the table.
NOTE
If your Fortanix DSM SaaS or On-premises connection was last scanned before the Fortanix Key Insight 25.03 release and a new scan was not performed, clicking the ADD DETAILS option will show a Rescan Required to Add Details dialog box. To ensure your key details are correctly added, you must rescan the connection and then add the key details.
For more information on how to perform a rescan, refer to Section 3.6: Rescan an External Key Source Connection.
On the Add Details dialog box, enter the following details:
Primary owner: Enter the primary owner’s name or employee ID.
Email ID: Enter the primary owner’s valid email ID.
Click ADD SECONDARY OWNER to add the secondary owner’s details, if required.
Description (Optional): Enter an optional description.
Click ADD to add the ownership details to the selected key(s).
NOTE
To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.
On the Keys page, the primary and secondary owners’ names or employee IDs and email addresses will appear in the OWNERS column, and the description will appear in the USAGE DESCRIPTION column.
NOTE
Only users with Account Administrator permissions can add or edit key details.
4.5 Edit Key Details
You can modify the details of the selected key(s).
Perform the following steps to edit the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click EDIT DETAILS in the top right corner.
On the Edit Details dialog box:
Update the primary owner’s name or employee ID, and email ID.
Update the secondary owner’s name or employee ID, and email ID.
Update the description if required.
Click UPDATE to save the details to the selected key(s).
4.6 View Key Details
Click the security object name of any key in the Keys list to view its properties, supported operations, HSM/Cloud KMS configurations, and automatic key rotation policy details.
The KEY DETAILS tab includes the following:
Key Properties: This section displays key specifications, such as the security object name, current status, KCV, group, object type, export status, key size, key curve, key description, key source, HSM gateway status, expiry date, and creation timestamp.
Key Operations: This section displays the total number of supported key operations, along with a list of the specific operations available.
Ownership: This section is available if owner details have been added to the key. It displays the primary and secondary owners’ names or employee ID, email ID, and description.
You can update the key details using EDIT DETAILS. For more information, refer to Section 4.5: Edit Key Details.
HSM/Cloud KMS Configurations: This section displays information on whether the HSM/Cloud gateway is enabled, the type of HSM/Cloud KMS in use, and the host IP address.
Automatic Key Rotation Policy: This section includes key rotation details, such as the auto rotation status.
Figure 4: View key properties
Click VIEW IN DSM to view the key details in your Fortanix DSM account. You will be redirected to the View security object page in the Fortanix DSM UI, where you can access detailed information about the key. For more information, refer to Key Management Service.
The ATTRIBUTES tab displays any custom attributes associated with the key. These are user-defined metadata elements that can be added to a key. For more information, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.
Figure 5: View EKS key attributes
5.0 External Key Source Connection - Scanned Data Export
This feature allows you to export the scanned external key source key data from Fortanix Key Insight in Comma-Separated Values (CSV) format. It also gives you the flexibility to download data for detailed analysis, audits, or reporting, and to access real-time status.
In the external key source Keys list view, you can click EXPORT to export the scanned data using any of the available options:

Figure 6: Access export feature
Export current page: Use this option to export all column data from the current page in CSV format.
NOTE
You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop down.
Export all raw data: Use this option to export all scanned data shown in the key tables in CSV format. If you select this option, you can read the details on the Export All Raw Data dialog box and click PROCEED to export all the data.
After the export process begins, you can track its progress, and the export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more information, refer to Section 5.1: Manage Export Activities.
Export selected rows: This option is disabled by default. You can select the checkbox next to the required rows on the current page and export them in CSV format using this option.
NOTE
Only users with the Account Administrator and Group Administrator roles can perform the scanned data export.
Within the same account, you can have multiple exports running simultaneously from different cloud, on-premises, and external key source connections.
5.1 Manage Export Activities
After you initiate the export process using Export All Raw Data, you can track the export status in the Activities tab located in the left navigation pane of Fortanix Key Insight.
You can see the following details for each export:
Name of the activity. For example, the activity would be named Export_all_keys if you had exported all the external key source keys.
Name of the file. For example, DSM Keys.csv.
Activity status: It provides the current status of the data export. This can be:
Completed: The data export has been completed, and the CSV file will automatically download to the location specified on your local machine.
In Progress: The data export is in progress, and you can cancel it if required.
Cancelled: The data export has been cancelled due to switching accounts or manually cancelling it while it was in progress.
Failed: The data export was not completed and failed due to errors.
Name of the connection
Export creation date and time
NOTE
If you switch to a different account during export, the export will be canceled and logged in the Activities tab.
If you navigate to a different solution (for example, Identity and Access Management), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using a toast message.
If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be canceled, and all entries in the Activities tab will be removed. Therefore, it is recommended not to refresh the page during the export.