---
title: "Migrating Microsoft SQL Server TDE Keys from Local Environment to Fortanix DSM"
slug: "migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm"
updated: 2026-04-17T15:51:28Z
published: 2026-04-17T15:51:28Z
canonical: "support.fortanix.com/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Migrating Microsoft SQL Server TDE Keys from Local Environment to Fortanix DSM

## 1.0 Introduction

This article describes the step-by-step procedure to migrate **Microsoft SQL with Transparent Data Encryption (TDE)** from a local environment (certificate) master key protection to protect the master key using **Fortanix-Data-Security-Manager (DSM)**.

## 2.0 Terminology References

- **MEK**: Master Encryption Key
- **DEK**: Database Encryption Key
- **TDE**: Transparent Data Encryption
- **EKM**: Extensible Key Management
- **DSM**: Fortanix Data Security Manager

## 3.0 Configure TDE Using Local Environment

These steps will enable local TDE to demonstrate the migration process. If you have completed these steps, proceed to [*Section 6.0: Migrate TDE from Local Environment to Fortanix DSM*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#60-migrate-tde-from-local-environment-to-fortanix-dsm).

### 3.1 Create Master Key

Run the following command to create the master key inside the master database:

```bash
USE Master; 
GO 
CREATE MASTER KEY ENCRYPTION 
BY PASSWORD='MyStrongPassword!!!'; 
GO
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/1(2).png)

**Figure 1: Master key created**

### 3.2 Create Certificate Protected by Master Key

Run the following command to create a certificate to protect the Database Encryption Key (DEK):

```bash
CREATE CERTIFICATE TDE_Cert_test
WITH 
SUBJECT='Database_Encryption';
GO
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture2(1).png)

**Figure 2: Certificate protected by master key created**

### 3.3 Create Database Encryption Key (DEK)

Run the following command to switch to the database where encryption needs to be enabled and create a DEK protected by a certificate:

```bash
USE AdventureWorks2012
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_test;
GO
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture3(1).png)

**Figure 3: DEK created**

### 3.4 Enable Encryption

Run the following command to enable encryption on the required database:

```bash
ALTER DATABASE AdventureWorks2012
SET ENCRYPTION ON;
GO
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture4(1).png)

**Figure 4: Enable encryption**

## 4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io.](https://amer.smartkey.io.) On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the*[*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 5: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups**menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(60).png)

**Figure 6: Add groups**
2. On the**Adding new group**page:
  1. **Title**: Enter a name for your group.
  2. **Description**(optional): Enter a short description of the group.
3. Click **SAVE**to create the new group.

The new group is added to the Fortanix DSM successfully.

### 4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(59).png)

**Figure 7: Add application**
2. On the **Adding new app**page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION**(optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key**as the authentication method from the drop down menu. *For more information on these authentication methods, refer to the*[*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 4.3: Creating a Group*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#43-creating-a-group)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#43-creating-a-group)from the list.
3. Click **SAVE**to add the new application.

The new application is added to the Fortanix DSM successfully.

### 4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and then click the app created in [*Section 4.4: Creating an Application*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#44-creating-an-application) to go to the detailed view of the app.
2. In the app’s detailed view, in the **INFO** tab, click **VIEW API KEY DETAILS**.
3. From the **API Key Details** dialog box, copy the **API Key** of the app to use in [*Section 5.1.3: Creating Credentials (SYSadmin)*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#513-creating-credentials-sysadmin) when creating the credentials to generate the MEK on Fortanix DSM.

## 5.0 Configure TDE Using Fortanix DSM

### 5.1 Standalone Server

#### 5.1.1 Enabling TDE Features

Run the following commands if Extensible Key Management (EKM) is not supported or enabled in the SQL Server Edition:

```bash
sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO
```

![RUN_COMMANDS_FOR_ERROR_SCENARIO.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture8.png)

**Figure 8: Run commands for error scenario**

#### 5.1.2 Creating Cryptographic Provider

Run the following commands to use the correct location of the `EKM DLL`:

```bash
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'C:\Program Files\Fortanix\KmsClient\FortanixKmsEkmProvider.dll' ;
GO
```

Where, `EKM_Prov` is the name of the provider defined by the user.

![CREATE_CRYPTOGRAPHIC_PROVIDER.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture9.png)

**Figure 9: Create cryptographic provider**

#### 5.1.3 Creating Credentials (SYSadmin)

This section describes the steps to create the credentials to generate the MEK on the Fortanix DSM using the MS-SQL administrator.

Perform the following steps:

1. Run the following commands to create a credential in your SQL Server Studio that will be used by the MS-SQL administrators:

```bash
CREATE CREDENTIAL sa_ekm_tde_cred
WITH IDENTITY = 'Identity1',
SECRET = '<DSM API KEY>' 
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
GO
```

Where, `&lt;DSM_API_KEY&gt;` is the Fortanix DSM API key as copied in [*Section 4.5: Copying the API Key*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#45-copying-the-api-key).

![Create_Credentials.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (882).png)

**Figure 10: Create a credential**
2. Add the credential to a highly privileged user, such as your own domain login, in the format `[DOMAIN\login]`:

```bash
ALTER LOGIN "<Domain>\Administrator"
ADD CREDENTIAL "sa_ekm_tde_cred";
GO
```

Run the following commands in case there is no domain, and the machine is part of a workgroup or standalone:

```bash
ALTER LOGIN "LOCALHOST\Administrator"
ADD CREDENTIAL "sa_ekm_tde_cred";
GO
```

![Command_for_No_Domain.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture12.png)

**Figure 11: Command for no domain**

If you are not an administrator and hence unable to alter the login, open the Object Explorer by right-clicking **Properties**from **Security**→ **Logins**→ <login user> and map the credentials as shown in the following image:

![Map_Credentials.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture13.png)

**Figure 12: Map credentials**

#### 5.1.4 Creating Asymmetric Key (MEK)

The MS-SQL administrator has the credentials required to create the MEK on the Fortanix DSM. This section describes the steps to create the asymmetric keys.

Run the following commands to create an asymmetric key stored inside the EKM provider:

```bash
USE master;
GO
CREATE ASYMMETRIC KEY ekm_login_key
FROM PROVIDER [EKM_Prov]
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'SQL_Server_Key';
GO
```

Where,

- `ekm_login_key`: Refers to the master key alias on the MSSQL database.
- `EKM_Prov`: Refers to the Fortanix EKM Provider.
- `SQL_Server_Key`: Refers to the key created on the Fortanix DSM.

> [!NOTE]
> NOTE
> 
> It is recommended to add versions to the Fortanix DSM keys for an easier key rotation process.

For example,

```bash
USE master;
GO
CREATE ASYMMETRIC KEY ekm_login_key_v1
FROM PROVIDER [EKM_Prov]
WITH ALGORITHM = RSA_2048,
PROVIDER_KEY_NAME = 'SQL_Server_Key_v1';
GO
```

![CREATE_Asymmetric_Key.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture14.png)

**Figure 13: Create asymmetric key**

#### 5.1.5 Creating Credentials (DB Engine)

Run the following commands to create a credential that will be used by the database engine:

```bash
USE master ;
CREATE CREDENTIAL ekm_tde_cred
WITH IDENTITY = 'Identity2',
SECRET = '<DSM API KEY>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;
```

Where,

- `ekm_tde_cred`: Refers to the name of the credentials.
- `Identity2`: Refers to the identity name. The value can be any name.
- `EKM_Prov`: Refers to the Fortanix EKM Provider.
- `SECRET`: Refers to the Fortanix DSM API key as copied in [*Section 4.5: Copying the API Key*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#45-copying-the-api-key).

![CREATE_CREDENTIAL_FOR_DB_ENGINE.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (883).png)

**Figure 14: Create credential for DB engine**

#### 5.1.6 Creating Login (DB Engine)

Run the following commands to create a login from an asymmetric key and map credentials to the login:

```bash
CREATE LOGIN EKM_Login
FROM ASYMMETRIC KEY ekm_login_key ;
GO
ALTER LOGIN EKM_Login
ADD CREDENTIAL ekm_tde_cred ;
GO
```

Where,

- `ekm_login_key`: Refers to the master key alias on the MSSQL database. This key is already created in [*Section 5.1.4- Creating Asymmetric Key (MEK)*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#514-creating-asymmetric-keys-mek).
- `EKM_Login`: Refers to the login name.
- `ekm_tde_cred`: Refers to the key created on the Fortanix DSM. This credential is already created in [*Section 5.1.5- Creating Credentials (DB Engine)*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#515-creating-credentials-db-engine).

![ADD_NEW_CREDENTIAL_TO_LOGIN.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture16.png)

**Figure 15: Add new credential to login**

### 5.2 Always On Group

Perform the following procedures on both the primary and secondary replicas.

#### 5.2.1 Enabling TDE Features

Run the following commands if EKM is not supported or enabled in the SQL Server Edition:

```bash
sp_configure 'show advanced', 1
GO
RECONFIGURE
GO
sp_configure 'EKM provider enabled', 1
GO
RECONFIGURE
GO
```

![RUN_COMMANDS_FOR_ERROR_SCENARIO.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture17.png)

**Figure 16: Run commands for error scenario**

#### 5.2.2 Creating Cryptographic Provider

Run the following commands to use the correct location of the `EKM DLL`:

```bash
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'C:\Program Files\Fortanix\KmsClient\FortanixKmsEkmProvider.dll' ;
GO
```

Where, `EKM_Prov` is the name of the provider defined by the user.

![CREATE_CRYPTOGRAPHIC_PROVIDER.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture18.png)

**Figure 17: Create a cryptographic provider**

#### 5.2.3 Creating Credentials (sysadmin)

This section describes the steps to create the credentials to generate the MEK on the Fortanix DSM using the MS-SQL administrator.

Perform the following steps:

1. Run the following commands to create a credential in your SQL Server Studio that will be used by the MS-SQL administrators:

```bash
CREATE CREDENTIAL sa_ekm_tde_cred
WITH IDENTITY = 'Identity1',
SECRET = '<DSM_API_KEY>' 
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
GO
```

Where, `&lt;DSM_API_KEY&gt;` is the Fortanix DSM API key as copied in [*Section 4.5: Copying the API Key*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#45-copying-the-api-key).

![CREATE_CREDENTIAL.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (884).png)

**Figure 18: Create credential**
2. Add the credential to a highly privileged user, such as your own domain login, in the format `[DOMAIN\login]`:

```bash
ALTER LOGIN EC2AMAZ-1RDPAEU\Administrator
ADD CREDENTIAL "sa_ekm_tde_cred";
GO
```

Run the following commands in case there is no domain, and the machine is part of a workgroup or standalone:

```bash
ALTER LOGIN LOCALHOST\Administrator
ADD CREDENTIAL "sa_ekm_tde_cred";
GO
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture21.png)

**Figure 19: Command for no domain**

If you are not an administrator and hence unable to alter the login, open the Object Explorer by right-clicking **Properties**from **Security →** **Logins**→ <login user> and map the credentials as shown in the following image:

![Map_Credentials.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture22.png)

**Figure 20: Map credentials**

#### 5.2.4 Creating Asymmetric Key (MEK)

The MS-SQL administrator has the credentials associated with creating the MEK on the Fortanix DSM. This section describes the steps to create the asymmetric key.

**On Primary Replica**

Run the following commands to create an asymmetric key stored inside the EKM provider:

```bash
USE master ;
GO
CREATE ASYMMETRIC KEY ekm_login_key
FROM PROVIDER EKM_Prov
WITH ALGORITHM = RSA_2048,
CREATION_DISPOSITION=CREATE_NEW;
PROVIDER_KEY_NAME = 'SQL_Server_Key' 
GO
```

Where,

- `ekm_login_key`: Refers to the master key alias on the MSSQL database.
- `EKM_Prov`: Refers to the Fortanix EKM Provider.
- `SQL_Server_Key`: Refers to the key created on the Fortanix DSM.

> [!NOTE]
> NOTE
> 
> It is recommended to add versions to the Fortanix DSM keys for an easier key rotation process.

For example,

```bash
USE master;
GO
CREATE ASYMMETRIC KEY ekm_login_key_v1
FROM PROVIDER [EKM_Prov]
WITH ALGORITHM = RSA_2048,
CREATION_DISPOSITION=CREATE_NEW;
PROVIDER_KEY_NAME = 'SQL_Server_Key_v1'
GO
```

![CREATE_ASYMMETRIC_KEY.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture23.png)

**Figure 21: Create an asymmetric key**

**On Secondary Replica**

Run the following commands to create an asymmetric key on all the secondary replicas:

```bash
USE master
CREATE ASYMMETRIC KEY ekm_login_key 
FROM PROVIDER EKM_Prov
WITH PROVIDER_KEY_NAME='SQL_Server_Key',
CREATION_DISPOSITION = OPEN_EXISTING; 
GO
```

Where,

- `ekm_login_key`: Refers to the master key alias on the MSSQL database.
- `EKM_Prov`: Refers to the Fortanix EKM Provider.
- `SQL_Server_Key`: Refers to the key created on the Fortanix DSM.

#### 5.2.5 Creating Credentials (DB Engine)

Run the following commands to create a credential that will be used by the database engine:

```bash
USE master;
CREATE CREDENTIAL ekm_tde_cred
WITH IDENTITY = 'Identity2',
SECRET = '<DSM_API_KEY>'
FOR CRYPTOGRAPHIC PROVIDER EKM_Prov;
```

Where,

- `ekm_tde_cred`: Refers to the name of the credentials.
- `Identity2`: Refers to the identity name. The value can be any name.
- `EKM_Prov`: Refers to the Fortanix EKM Provider.
- `SECRET`: Refers to the Fortanix DSM API key as copied in [*Section 4.5: Copying the API Key*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#45-copying-the-api-key).

![CREATE_CREDENTIAL_FOR_DATABASE_ENGINE.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (885).png)

**Figure 23: Create credential for database engine**

#### 5.2.6 Creating Login (DB Engine)

Run the following commands to add a login used by TDE and add the new credential to the login:

```bash
CREATE LOGIN EKM_Login
FROM ASYMMETRIC KEY ekm_login_key ;
GO
ALTER LOGIN EKM_Login
ADD CREDENTIAL ekm_tde_cred ;
GO
```

Where,

- `ekm_login_key`: Refers to the master key alias on the MSSQL database. This key is already created in [*Section 5.2.4- Creating Asymmetric Key (MEK)*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#524-creating-asymmetric-keys-mek).
- `EKM_Login`: Refers to the login name.
- `ekm_tde_cred`: Refers to the key created on Fortanix DSM. This credential is already created in [*Section 5.2.5- Creating Credential (DB Engine)*](/v1/docs/migrating-mssql-server-tde-keys-from-local-environment-to-fortanix-dsm#525-creating-credentials-db-engine).

![ADD_NEW_CREDENTIAL_TO_LOGIN.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture26(1).png)

**Figure 23: Add new credential to login**

## 6.0 Migrate TDE from Local Environment to Fortanix DSM

This method will migrate the master key from the local environment using a certificate to the master key created on Fortanix DSM without decrypting and re-encrypting the entire database. It is recommended due to the minimal downtime required.

Perform the following steps to migrate the TDE:

1. Ensure to back up the database and transaction logs before changing the TDE configuration.
2. Run the following command to re-encrypt the existing database encryption key with the master key created on Fortanix DSM:

```bash
USE AdventureWorks2012;
ALTER DATABASE ENCRYPTION KEY
ENCRYPTION BY SERVER ASYMMETRIC KEY ekm_login_key
```

Where, `ekm_login_key` is the master key alias on the MSSQL database.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture26.png)

**Figure 24: SQL query**

## 7.0 Monitoring TDE Progress

SQL Server keeps track of the encryption progress, and we can pull that information by querying `sys.dm_database_encryption_keys`. Particularly `‘Percent_Complete’` and `‘encryption_state’` are the two columns that are required to understand the progress of TDE. The `‘encryption_state’` column returns an integer value (0-6) which indicates the encryption status of the database and `‘percent_complete’` column tells us the percentage completed of the DB encryption state change.

| **Encryption_state (int)** | **Description** |
| --- | --- |
| 0 | No database encryption key present, no encryption |
| 1 | Unencrypted |
| 2 | Encryption in progress |
| 3 | Encrypted |
| 4 | Key change in progress |
| 5 | Decryption in progress |
| 6 | Protection changes in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed). |

The following T-SQL statement can be used to monitor TDE progress or status:

```bash
SELECT DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0' THEN 'No database encryption key present, no encryption'
WHEN '1' THEN 'Unencrypted'
WHEN '2' THEN 'Encryption in progress'
WHEN '3' THEN 'Encrypted'
WHEN '4' THEN 'Key change in progress'
WHEN '5' THEN 'Decryption in progress'
WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database encryption key is being changed.)'
ELSE 'No Status'
END,
percent_complete,encryptor_thumbprint, encryptor_type FROM sys.dm_database_encryption_keys
```

The output of this query comes handy to manage TDE.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.