---
title: "Key Operations"
slug: "key-operations"
updated: 2025-09-26T00:53:25Z
published: 2025-09-26T00:53:25Z
---


# Key Operations

## 1.0 Introduction

This article describes the various key operations supported by **Fortanix Data Security Manager (DSM)**. These include the Encrypt, Decrypt, WrapKey, UnwrapKey, DeriveKey, MacGenerate, MacVerify, AppManageable, Sign, Verify, Encapsulate, Decapsulate, AgreeKey, and Export key operations.

## 2.0 Key Operations

Key operations are the cryptographic and management operations that can be performed on a security object. Key operations are generally defined when the security object is created. *For more information on key creation, refer to* [*Creating a Security Object*](/v1/docs/creating-a-security-object). By default, all key operations implemented for that type of key, except ‘Export’, are enabled. These defaults can be overridden by requesting specific operations in the key creation request. Note that key operations restricted for a security object at creation cannot be re-enabled afterwards. If none of the operations are selected, all key operations are disabled.

> [!NOTE]
> Certain operations may be disabled by the cryptographic policy. *For more information on cryptographic policy, refer to* [*User's Guide: Account Cryptographic Policy*](/v1/docs/users-guide-account-cryptographic-policy).

### 2.1 Key Operations Definitions

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Key Operations Section.png)

**Figure 1: Key operations**

- **Encrypt** – This operation allows the key to be used for encryption, that is, converting plaintext into an encoded form called ciphertext using a key and an algorithm. Both asymmetric and symmetric keys can be used to perform the ‘Encrypt’ operation.
- **Decrypt** – This operation allows the key to be used for decryption, that is, converting ciphertext back into plaintext using a key. Both asymmetric and symmetric keys can be used to perform the ‘Decrypt’ operation.

> [!NOTE]
> Security objects of type Opaque, EC, or HMAC may not be used for encryption or decryption.

- **WrapKey** – This operation allows a key to be wrapped (encrypted) by another key for export from Fortanix DSM, so that it can later be imported into Fortanix DSM or another key management system. The key being wrapped must have the ‘Export’ operation enabled and the wrapping key must have the ‘WrapKey’ operation enabled. The following wrapping operations are supported:
  - Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped with symmetric or asymmetric keys.
  - Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric key with an asymmetric key is not supported. *For more information on the ‘WrapKey’ operation, refer to* [*Wrapping a key*](/v1/docs/wrapping-a-key).
- **UnwrapKey** – This operation allows the key to be used to unwrap (decrypt) a wrapped key. This allows security objects that were previously wrapped by Fortanix DSM or another key management system to be imported securely into Fortanix DSM. A new security object is created in Fortanix DSM from the unwrapped data. The key used for unwrapping must have the ‘UnwrapKey’ operation enabled.
- **DeriveKey** – This operation allows the key to be used to derive another key. Fortanix DSM can generate new keys by deriving them from existing keys and some additional data. Currently, the only supported mechanism for deriving keys is encrypting some data with a key. *For more information, refer to* [*Deriving Security Object*](/v1/docs/deriving-security-objects).
- **MacGenerate and MacVerify** – These operations allow a symmetric key to be used to compute and verify a Message Authentication Code (MAC) on a message. The symmetric key must have the ‘MacGenerate’ operation enabled to generate a MAC and the ‘MacVerify’ operation enabled to verify a MAC. In addition, the key itself must be enabled.
- **AppManageable** – This operation allows applications (Apps) to perform management operations on the security object, such as `delete`, `destroy`, `rotate`, `activate`, `restore`, `revoke`, `revert`, `update`, and `remove_private` (removes the private half of an asymmetric key). A user with access or an admin app can perform these operations regardless of this setting. This option is only relevant for cryptographic applications. *For more information, refer to the* [*User's Guide: Security Controls for Fortanix Data Security Manager Applications*](/v1/docs/users-guide-security-controls-for-fortanix-data-security-manager-applications).
- **Sign** – This operation enables the key to be used to generate a digital signature. The signing key must be an asymmetric key such as an RSA, DSA, or elliptic curve key, with the private part present. Symmetric keys may not be used to sign data; they can be used only with the ‘MacGenerate’ and ‘MacVerify’ operations.
- **Verify** – This operation enables the key to be used to verify a signature. The verifying key must be an asymmetric key such as an RSA, DSA, or elliptic curve key, with the ‘Verify’ operation enabled. Symmetric keys may not be used to verify signatures; they can be used only with the ‘MacGenerate’ and ‘MacVerify’ operations.
- **Encapsulate** – This operation protects (encapsulates) a key for transit or storage, ensuring its confidentiality during communication or archival.
- **Decapsulate** – This operation recovers an encapsulated key so that it can be used by an authorized entity.
- **AgreeKey** – This operation enables the key to be used for key agreement. Key agreement is performed between a public key and a private key. Both keys must have been generated from the same parameters (such as the same elliptic curve) and must have the ‘AgreeKey’ operation enabled.
- **Transform** – This operation applies to BIP32 and SLIP10 keys. It accepts an index as input and creates a non-hardened child key in the same network as the parent key.
- **Export** – This operation enables the value of the key to be retrieved with an authenticated request. By default, the ‘Export’ operation is disabled for all key types. It should not be enabled unless required; it is more secure to keep the key's value inside Fortanix DSM only.
- **Highvolume** – This operation can be enabled only when the audit logs for the key are disabled. It is intended for scenarios where a key is used for cryptographic operations at very high volume. *For more information on disabling audit logs, refer to the* [*User's Guide: Logging*](/v1/docs/users-guide-logging).

> [!NOTE]
> Only the audit logs for cryptographic operations are disabled. Logs for key management operations, such as updating, rotating, and activating/deactivating the security object, remain enabled.
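The creation-time rules in section 2.0 (default set, explicit override, no re-enabling later) and the per-operation constraints above (Export before WrapKey, no asymmetric-wraps-asymmetric, MAC only on symmetric keys, matching parameters for AgreeKey, Highvolume only with audit logs off) combine in ways that are easy to get wrong when planning a key. The following Python model is an added example written for this page; it is not Fortanix code and does not call the DSM API. Every class, function and key-type grouping in it is an assumption made for the illustration, and the mapping of operations to key types is a simplification of the definitions given above.

```python
"""Constructed model of the key-operation rules described on this page.

Added illustration, not DSM code and not the DSM REST API: every class,
function and key-type name here is an assumption chosen for the example.
It lets a practitioner check, before creating a key, which operations a
requested set actually yields and whether a later request would be refused.
"""
from dataclasses import dataclass, replace

# Assumed grouping of security-object types into the families the page discusses.
SYMMETRIC = {"AES", "DES3"}
ASYMMETRIC = {"RSA", "DSA", "EC"}

# Operations available on every type in this model. Export is never enabled by
# default and Highvolume is only valid once audit logging is off (see create()).
COMMON_OPS = {"WrapKey", "UnwrapKey", "DeriveKey", "AppManageable",
              "Export", "Highvolume"}


def implemented_ops(obj_type: str) -> set:
    """Operations a type can carry, following the page's definitions:
    Opaque/EC/HMAC never encrypt or decrypt, symmetric keys MAC but never
    sign, asymmetric keys sign/verify, EC keys additionally agree keys."""
    ops = set(COMMON_OPS)
    if obj_type in SYMMETRIC:
        ops |= {"Encrypt", "Decrypt", "MacGenerate", "MacVerify"}
    elif obj_type == "HMAC":
        ops |= {"MacGenerate", "MacVerify"}
    elif obj_type == "EC":
        ops |= {"Sign", "Verify", "AgreeKey"}
    elif obj_type == "RSA":
        ops |= {"Encrypt", "Decrypt", "Sign", "Verify"}
    elif obj_type == "DSA":
        ops |= {"Sign", "Verify"}
    return ops  # Opaque and Secret objects keep only COMMON_OPS


@dataclass(frozen=True)
class SecurityObject:
    name: str
    obj_type: str
    key_ops: frozenset
    enabled: bool = True   # a disabled key performs no operation at all
    params: str = ""       # e.g. a curve name; AgreeKey needs matching params


def create(name, obj_type, requested=None, policy=None, audit_logs=True, params=""):
    """Apply the creation rules: the default is every implemented operation
    except Export (and the opt-in Highvolume); an explicit list overrides that
    and an empty list disables everything; a cryptographic policy can only
    remove operations; Highvolume is refused while audit logs are enabled."""
    impl = implemented_ops(obj_type)
    if requested is None:
        ops = impl - {"Export", "Highvolume"}
    else:
        ops = set(requested) & impl  # operations the type lacks are dropped
    if policy is not None:
        ops &= set(policy)
    if "Highvolume" in ops and audit_logs:
        raise ValueError("Highvolume requires the key's audit logs to be disabled")
    return SecurityObject(name, obj_type, frozenset(ops), params=params)


def restrict(obj, new_ops):
    """Post-creation update: operations may be removed, never re-enabled."""
    new = frozenset(new_ops)
    gained = new - obj.key_ops
    if gained:
        raise ValueError(f"cannot re-enable {sorted(gained)} after creation")
    return replace(obj, key_ops=new)


def can_perform(obj, op):
    return obj.enabled and op in obj.key_ops


def wrap_refusal(wrapping, wrapped):
    """Reason a WrapKey request would be refused, or None if it is allowed."""
    if not can_perform(wrapped, "Export"):
        return "key to be wrapped lacks Export"
    if not can_perform(wrapping, "WrapKey"):
        return "wrapping key lacks WrapKey"
    if wrapped.obj_type in ASYMMETRIC and wrapping.obj_type not in SYMMETRIC:
        return "an asymmetric key may only be wrapped with a symmetric key"
    return None


def agree_refusal(private_key, public_key):
    """Reason an AgreeKey request would be refused, or None if it is allowed."""
    if private_key.params != public_key.params:
        return "both keys must come from the same parameters"
    if not (can_perform(private_key, "AgreeKey") and can_perform(public_key, "AgreeKey")):
        return "both keys must have AgreeKey enabled"
    return None


if __name__ == "__main__":
    kek = create("kek", "AES")                                   # default ops, no Export
    rsa = create("app-rsa", "RSA", requested=["Sign", "Verify", "Export"])
    print(sorted(kek.key_ops))
    print(wrap_refusal(kek, rsa))                                # None: AES may wrap RSA
    print(wrap_refusal(rsa, kek))                                # kek was created without Export
    try:
        restrict(rsa, rsa.key_ops | {"Encrypt"})
    except ValueError as err:
        print(err)                                               # cannot re-enable after creation
```

The model deliberately treats a cryptographic policy as something that only removes operations from the requested set, matching the page's statement that policies restrict what can be created; it also keeps Highvolume opt-in rather than part of the default set, because the page ties it to a separate decision about audit logging.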

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

A security object is any datum stored in DSM (for example, a key, a certificate, a password, or another secret). Each security object is assigned to exactly one group. Users and applications assigned to that group have permission to see the security object and to perform operations on it.

Fortanix DSM supports cryptographic policies, specified at the account or group level, that restrict which kinds of keys can be created and which operations are permitted on them.

## Related

- [Fortanix DSM with MinIO (KES Server)](/using-fortanix-data-security-manager-with-minio-kes-server.md)
- [Creating a Security Object](/creating-a-security-object.md)
- [Fortanix DSM SaaS Architecture](/fortanix-dsm-saas-architecture.md)
- [Encryption](/encryption.md)
- [Deriving Security Objects](/deriving-security-objects.md)
