1.0 Introduction
This article describes how to manually import Fortanix Data Security Manager (DSM) keys into supported cloud providers. If you need automated or orchestrated key management, refer to Cloud Data Control instead.
This guide explains multiple ways to export Fortanix DSM keys for use with server-side encryption in major cloud platforms.
2.0 Prerequisite
Ensure the following:
Download the DSM CLI from here.
3.0 Google Cloud
3.1 GCS (Cloud Storage)
Perform the following steps to use Fortanix DSM keys with Google Cloud Storage (GCS). GCS expects the base64-encoded customer-supplied encryption key (CSEK) to be provided with every object upload and download:
Run the following command to create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled:
$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable
Run the following command to export this key in your application environment:
$ python sdkms-cli export-object --name Google-Cloud-Master-Key
Add the following options to the GSUtil section of the gsutil boto configuration file, using the base64-encoded key exported in the previous step:
encryption_key = [YOUR_ENCRYPTION_KEY]
decryption_key1 = [YOUR_ENCRYPTION_KEY]
Run the following commands to upload and download objects in GCS encrypted with your own key:
$ gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/
$ gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]
GCS browser shows that the object is customer encrypted.
Figure 1: Customer encrypted screen
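The following is an added example, not code from the original article or from Fortanix. It shows what a CSEK-aware client derives from the raw 32-byte key that the export step returns: the base64 value that goes into the boto configuration above, and the base64 SHA-256 of the raw key with which GCS identifies the key on later requests (a client that presents a key whose hash does not match the object's recorded hash is rejected). It also renders the [GSUtil] section with earlier keys listed as decryption_key2, decryption_key3 and so on, which gsutil supports and which is needed after a key rotation so that objects uploaded under an older key remain readable. The function names and the sample key are constructed for this example.

```python
import base64
import hashlib

# Constructed sample: 32 bytes standing in for the raw AES-256 key that
# `sdkms-cli export-object` would return. It is NOT a real key.
SAMPLE_RAW_KEY = bytes(range(32))


def csek_fields(raw_key: bytes) -> dict:
    """Derive the CSEK values a GCS client sends for one key.

    GCS accepts only 256-bit keys and, on later requests, identifies the key
    by the base64-encoded SHA-256 of its raw bytes, so both values must come
    from the same 32-byte key; a wrong hash makes GCS reject the request.
    """
    if len(raw_key) != 32:
        raise ValueError(f"CSEK must be exactly 32 bytes (AES-256), got {len(raw_key)}")
    key_b64 = base64.b64encode(raw_key).decode("ascii")
    key_sha256_b64 = base64.b64encode(hashlib.sha256(raw_key).digest()).decode("ascii")
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": key_sha256_b64,
    }


def gsutil_boto_section(current_key: bytes, previous_keys: tuple = ()) -> str:
    """Render the [GSUtil] section of the boto config.

    encryption_key is used for new uploads; decryption_key1..N let gsutil still
    read objects that were uploaded under earlier keys after a rotation.
    """
    lines = ["[GSUtil]",
             f"encryption_key = {csek_fields(current_key)['x-goog-encryption-key']}"]
    for n, key in enumerate([current_key, *previous_keys], start=1):
        lines.append(f"decryption_key{n} = {csek_fields(key)['x-goog-encryption-key']}")
    return "\n".join(lines)


def key_matches_object(raw_key: bytes, object_key_sha256_b64: str) -> bool:
    """Check a locally held key against the key hash GCS reports for an object."""
    return csek_fields(raw_key)["x-goog-encryption-key-sha256"] == object_key_sha256_b64


if __name__ == "__main__":
    print(gsutil_boto_section(SAMPLE_RAW_KEY))
    print(csek_fields(SAMPLE_RAW_KEY)["x-goog-encryption-key-sha256"])
```

The hash check is the practical one: when a download fails with a CSEK error, comparing the local key's hash against the hash the bucket metadata shows for the object tells you immediately whether the wrong key was exported, without ever sending the key anywhere.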
3.2 GCE (Compute Engine)
Perform the following steps to use GCE with Fortanix DSM. GCE supports the import of customer keys wrapped with a Google public key.
NOTE
Because Fortanix DSM wraps the key natively, the raw key material is never exposed outside DSM.
Run the following command to create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled:
$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable
Run the following commands to fetch the Google public key:
$ curl "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem" -o google-cloud-csek-ingress.pem
$ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > google-cloud-csek-public.pem
Run the following command to import the Google public key into Fortanix DSM:
$ python sdkms-cli import-key --obj-type RSA --in google-cloud-csek-public.pem --name Google-Cloud-Public-Key
Run the following commands to wrap the Fortanix DSM master key with the Google public key, using Fortanix DSM, and to base64-encode the wrapped blob as a single line:
$ sdkms-cli wrap-key --kid (kid of master key) --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid (kid of the Google public key) --out rsawrappedkey.txt
$ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrappedbase64key.txt
In GCE, set the key data as a wrapped key and paste the base64 value from rsawrappedbase64key.txt.
Figure 2: Paste the values
The disk shows that it is encrypted with customer keys.
Figure 3: Encryption
4.0 AWS
Run the following command to create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled:
$ python sdkms-cli create-key --obj-type AES --key-size 256 --name AWS-Master-Key --exportable
In AWS KMS, start creating a key with external key material origin.
Figure 4: Create alias
Download the zip containing the wrapping key and import token.
Figure 5: Download wrapping key
Run the following command to import the AWS wrapping key into Fortanix DSM:
$ python sdkms-cli import-key --obj-type RSA --in wrappingKey_fcb572d3-6680-449c-91ab-ac3a5c07dc09_080410435 --name AWS-Wrapping-Key
Run the following command to wrap the DSM master key with the AWS wrapping key, using Fortanix DSM:
$ sdkms-cli wrap-key --kid (kid of master key) --alg RSA --mode OAEP_MGF1_SHA256 --wrapping-kid (kid of the AWS wrapping key) --out rsawrappedkey.txt
AWS KMS accepts the raw (binary) wrapped key. If you need the base64-encoded value instead, use the following command:
$ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrappedbase64key.txt
Upload this wrapped key and the downloaded token to complete the import.
Figure 6: Enter the details
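The following is an added example, not code from the original article or from Fortanix, covering the wrap-and-encode step used for both GCE (section 3.2) and AWS KMS above. The wrap-key output is RSA-OAEP ciphertext, so its length must equal the modulus size of the wrapping key (256 bytes for the RSA_2048 wrapping key AWS issues; the example assumes 2048 bits for Google's CSEK ingress key as well, which is an assumption, so pass the real size if it differs). The code checks that before encoding, catches the common mistake of uploading the exported raw 32-byte AES key instead of the wrapped blob, and reproduces exactly what the `openssl enc -base64 | tr -d '\n' | sed -e '$a\'` pipeline writes. Function names and the sample blob are constructed for this example.

```python
import base64
import secrets

# Constructed sample: 256 random bytes standing in for the RSA-2048 OAEP
# output that `sdkms-cli wrap-key ... --out rsawrappedkey.txt` writes.
# No real key material is involved.
SAMPLE_WRAPPED_BLOB = secrets.token_bytes(256)


def check_wrapped_blob(blob: bytes, wrapping_key_bits: int = 2048) -> int:
    """Sanity-check a wrap-key output before it is uploaded.

    RSA-OAEP output is always exactly the modulus size, so a blob of any
    other length was not produced by the expected wrapping key. A 32-byte
    file is the classic mistake of uploading the exported raw AES key
    instead of the wrapped blob.
    """
    expected = wrapping_key_bits // 8
    if len(blob) == 32:
        raise ValueError("blob is 32 bytes: this is a raw AES-256 key, not an RSA-wrapped blob")
    if len(blob) != expected:
        raise ValueError(
            f"wrapped blob is {len(blob)} bytes; RSA-{wrapping_key_bits} OAEP output must be {expected} bytes"
        )
    return len(blob)


def encode_wrapped_blob(blob: bytes, wrapping_key_bits: int = 2048) -> str:
    """Equivalent of: openssl enc -base64 -in blob | tr -d '\\n' | sed -e '$a\\'

    openssl wraps base64 at 64 columns; the pipeline joins it into one line
    and ends the file with a single newline, which is what this returns.
    """
    check_wrapped_blob(blob, wrapping_key_bits)
    return base64.b64encode(blob).decode("ascii") + "\n"


def decode_wrapped_blob(text: str, wrapping_key_bits: int = 2048) -> bytes:
    """Reverse the encoding; accepts both openssl's 64-column output and the
    single-line form, and re-runs the length checks on the decoded bytes."""
    blob = base64.b64decode("".join(text.split()), validate=True)
    check_wrapped_blob(blob, wrapping_key_bits)
    return blob


def convert_file(in_path: str, out_path: str, wrapping_key_bits: int = 2048) -> int:
    """Turn rsawrappedkey.txt into rsawrappedbase64key.txt; returns the blob length."""
    with open(in_path, "rb") as f:
        blob = f.read()
    with open(out_path, "w", encoding="ascii") as f:
        f.write(encode_wrapped_blob(blob, wrapping_key_bits))
    return len(blob)


if __name__ == "__main__":
    # Typical use on the files named in the article:
    # convert_file("rsawrappedkey.txt", "rsawrappedbase64key.txt")
    print(encode_wrapped_blob(SAMPLE_WRAPPED_BLOB), end="")
```

For the AWS console and `aws kms import-key-material`, the raw rsawrappedkey.txt is what gets uploaded; the single-line base64 form is only needed where a form field rather than a file is expected, as in the GCE wrapped-key field.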
Use this imported key for server-side encryption in AWS services. In S3, for example, you can select it when creating the bucket.
For more information, refer to the Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - Google Cloud.
5.0 AWS Automated
Use the following script to automate BYOK in AWS:
#!/bin/bash
# Install aws cli, sdkms-cli before running this script
# Stop on the first failed command or unset variable so a half-finished
# import is never silently completed with the wrong material
set -euo pipefail
# Setup environment variable and temporary files for storing key material
export FORTANIX_API_ENDPOINT="<FORTANIX_DSM_URL>" #For example: https://amer.smrtkey.io
wrappingkey_file=$(mktemp)
import_token_file=$(mktemp)
wrapped_blob=$(mktemp)
# Remove the temporary files on exit, including when a step fails part-way
trap 'rm -f "$wrappingkey_file" "$import_token_file" "$wrapped_blob"' EXIT
# run aws configure and enter your access key, secret key, region, and default output format (text)
aws configure
# Create external key in AWS; --query selects the KeyId explicitly instead of
# relying on the column position of the text output
aws_kid=$(aws kms create-key --origin EXTERNAL --query 'KeyMetadata.KeyId' --output text)
# Get description of key
aws kms describe-key --key-id "$aws_kid"
# Get import parameters for the external key created in AWS. The import token is
# bound to the public key returned in the same call, so fetch both at once.
params=$(aws kms get-parameters-for-import --key-id "$aws_kid" --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --query '[PublicKey,ImportToken]' --output text)
# Both values are base64-encoded; decode them into the temporary files
# (--decode works with both GNU coreutils and macOS base64; -D is macOS-only)
printf '%s\n' "$params" | cut -f1 | base64 --decode > "$wrappingkey_file"
printf '%s\n' "$params" | cut -f2 | base64 --decode > "$import_token_file"
# Login to DSM
sdkms-cli app-login
# Generate Key in DSM
key_name="AWS Key"$RANDOM
kid=$(sdkms-cli create-key --name "$key_name" --obj-type AES --key-size 256 --exportable -f)
# Import the AWS public wrapping key to DSM
wrapping_key_name="AWS wrapping key"$RANDOM
wrapping_kid=$(sdkms-cli import-key --in "$wrappingkey_file" --der --name "$wrapping_key_name" --obj-type RSA)
# Wrap the DSM key with the wrapping key obtained from AWS; the AES key never leaves DSM in plaintext
sdkms-cli wrap-key --wrapping-kid "$wrapping_kid" --kid "$kid" --alg RSA --mode OAEP_MGF1_SHA256 --out "$wrapped_blob"
# Logout from DSM
sdkms-cli app-logout
# Import key to AWS
aws kms import-key-material --key-id "$aws_kid" --encrypted-key-material "fileb://$wrapped_blob" --import-token "fileb://$import_token_file" --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
# Get description of key
aws kms describe-key --key-id "$aws_kid"
# Cleanup of the temporary files is done by the trap above
For more information, refer to the Fortanix Data Security Manager with AWS Key Management Service for BYOK.
6.0 Azure
Azure Key Vault supports the direct import of key material. Generate an exportable AES key in Fortanix DSM and export its value to upload the key to Azure.
Run the following command to create a 256-bit AES key in Fortanix DSM with the EXPORT key operation enabled:
$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Azure-Cloud-Master-Key --exportable
Run the following command to export this key in your application environment:
$ python sdkms-cli export-object --name Azure-Cloud-Master-Key
When uploading, choose whether the key is stored as a software key or a hardware key, depending on your requirements.
Figure 7: Create a key
7.0 Alibaba
Use Fortanix DSM to securely wrap and import a customer-managed key into Alibaba Cloud Key Management Service (KMS). This process leverages Alibaba’s external key capability, ensuring that your key material remains protected and never leaves the Fortanix DSM environment in plaintext.
For detailed information, refer to the Exporting DSM keys to Cloud Providers for BYOK - Alibaba.
8.0 Salesforce
Salesforce supports Bring Your Own Key (BYOK) using customer-managed key material hosted outside the Salesforce platform. Fortanix DSM enables secure generation and management of these keys, ensuring that the raw key material remains protected and never leaves the DSM environment.
For more information, refer to the Exporting Fortanix Data Security Manager Keys to Cloud Providers for BYOK - Salesforce.
9.0 Salesforce (Cache Only Keys)
Salesforce's Shield Platform Encryption is introducing a new pilot feature called Cache-Only Keys. This capability enhances the existing Bring Your Own Key (BYOK) capability by allowing customers to host their key material in a wrapped format, which Salesforce fetches as required. While this is cached in an encrypted form, Salesforce does not retain or persist the key material in any system of record or backups.
Fortanix DSM can be used as an HSM-backed Software-as-a-Service (SaaS) for the Fortanix - Salesforce Cache-Only BYOK solution. This article explains how to use Fortanix DSM to securely generate encryption keys and configure them in Salesforce's Shield Platform Encryption.
Shield Platform Encryption requires additional licensing and may not be supported for all Salesforce apps. For more information, refer to the Salesforce documentation.
For more information, refer to the Exporting Fortanix Data Security Manager keys to Cloud Providers for BYOK - Salesforce (Using Cache-Only Keys).