---
title: "Copy Key"
slug: "users-guide-copy-key"
updated: 2026-04-01T08:01:17Z
published: 2026-03-18T08:13:35Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Copy Key

## u1.0 Introduction

This article describes the Fortanix-Data-Security-Manager (DSM) copy key operation that can be performed on a security object.

## 2.0 Copy Key

The **Copy Key** feature of Fortanix DSM will allow users to copy a security object from a standard Fortanix DSM group to another standard group.

This feature has the following advantages:

- It maintains a single source of key material by using/importing that key with other Fortanix DSM groups. This allows applications in respective groups to use a single key to meet some business objectives.
- It maintains a link to copies of the original key material for audit and tracking purposes.

The following actions will happen as part of the copy key operation:

- A new key will be created in the target group: The new key will have the same key material as the original key.
- The Source key links to the copied keys: A link will be maintained between all copied keys and the source key.

The Source key will also have basic metadata-based information about the linked keys, such as:

- Copied by <user-name/app id>
- Date of Copy <time stamp>
- Target copy group name

> [!NOTE]
> NOTE
> 
> The name of the copied key is suggested automatically to the user as `[original key name]_[copy1,2,...],` but can be replaced with an alternative unique name.

Perform the following steps to copy a key:

1. Go to the detailed view of a security object and click **COPY KEY** on the right of the screen.

> [!NOTE]
> NOTE
> 
> Fortanix DSM does not allow copying an LMS and XMSS keys.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768859473328.png)

**Figure 1: Copy key**
2. In the **COPY KEY** window, you may update the name of the key by clicking the edit icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1813)(3).png) . Copy the new key to a group(s) from the **Group** section. To filter only HSM/External KMS groups, select **Import key to HSM/External KMS**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Copy_Key_Dialog_Edit(2).png)

**Figure 2: Edit key name and edit group details**
3. Click **EDIT PERMISSIONS**if you want to modify the permissions of the key.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Copy_Key_Edit_Permissions(2).png)

**Figure 3: Set deactivation date**
4. The **Deactivation date** of the security object can be set to 'Never' or to a specified time in the future. To specify the deactivation date, click **EDIT**.
5. Click **CREATE COPY** to create a copy of the key.

> [!NOTE]
> NOTE
> 
> If there is a Quorum approval policy configured in the source group that contains the original key, then a quorum approval request is created. Only after the request is approved, the copy key operation will be successful.
6. The source key will now appear as a key link in the **KEY LINKS**tab in the detailed view of the copied key.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768859486112.png)

**Figure 4: Key link created**

## 3.0 Create New AES Key

Perform the following steps to create a new AES key with similar settings to the currently available key:

Perform the following steps:

1. Go to the detailed view of the AES key and click **CREATE NEW AES KEY** on the right of the screen.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768859496578.png)

**Figure 5: Create new AES key**
2. On the **Add New Security Object** window, enter the name of the security object in****the**Security Object name** field.
3. You can update the existing values in the sections as required.
4. After you have updated the values, click **GENERATE** at the bottom of the screen.

The new AES key is generated in Fortanix DSM.

Similarly, except for LMS and XMSS, you can copy other key types and create a new key of that type from the key detailed view.

## 4.0 Key Attestation

Fortanix DSM allows you to generate and download an attestation certificate of the asymmetric key managed in the DSM UI.

The following can be derived from a Fortanix DSM key attestation statement and certification:

- The security attributes of the Fortanix DSM cluster that houses the key, such as whether it operates on hardware with physical safeguards.
- The permissible uses of the key.
- Confirmation of whether the key was created within the DSM framework.
- Determination of whether the key has ever been made accessible externally.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Key Move](/users-guide-key-move.md)
- [Fortanix DSM SaaS Overview](/fortanix-dsm-saas-overview.md)
- [DSM REST APIs](/dsm-rest-apis.md)
- [Store Keys Externally - Key Management](/users-guide-store-keys-externally-key-management.md)