Welcome to the Fortanix-Data-Security-Manager (DSM) Cryptographic Policies User Guide. This article describes the cryptographic policies of the Fortanix DSM.
It also contains the information related to Fortanix DSM group-level cryptographic policies.
1.1 Fortanix DSM Cryptographic Policy Definition
The Fortanix DSM supports cryptographic policies that can be set on accounts or groups to restrict what kind of keys can be created and the permitted operations. The policies are specified at the account or group level.
2.0 Fortanix DSM Cryptographic Policy Structure
The Fortanix DSM Cryptographic Policy defines how cryptographic keys are managed. It allows administrators to control key types, sizes, and operations to maintain security.
2.1 Allowed Keys
By default, all types of keys are selected in the policy, including AES, DES, DES3, RSA, EC, HMAC, SECRET, CERTIFICATE, OPAQUE, LMS, ML-KEM, Tokenization, ML-DSA, XMSS, BIP32, EC-KCDSA, KCDSA, SEED, ARIA, and BLS.
EC: Supported curves include SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, NistP521, Gost256A, X25519, Ed25519, and X448.
Tokenization: 128, 192, or 256 bits.
ML-KEM: 512, 768, or 1024 bits.
ML-DSA: 44, 65, or 87 bits.
EC-KCDSA: Supported curve include SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, or NistP521 and hashing algorithm include SHA1, SHA224, SHA256, SHA384, or SHA512.
KCDSA: Key size: 2048 bits and Subgroup size: 224 or 256 bits.
SEED: 128 bits.
ARIA: 128, 192, or 256 bits.
2.3 Key Operations
The default key operations allowed for any given key are:
When setting a Cryptographic Policy, users can restrict the key operations allowed for a group. By default, all operations are permitted.
3.0 Managing a Cryptographic Policy
You can manage cryptographic policies by creating, editing, or deleting them to control key types, sizes, and operations across the groups.
3.1 At the Group Level
You can create, edit, and delete the Cryptographic policy at group-level for more specific control, letting each group customize its own key settings.
3.1.1 Creating a Policy
A group-level cryptographic policy defines which types of security objects can be added to the group and sets restrictions on key parameters such as size, curve, padding, and permissions.
The groups with a cryptographic policy applied will be indicated by an icon in the group’s table view.
Figure 1: Group having cryptographic policy
Perform the following steps to add a cryptographic policy at the group level:
Navigate to the Groups menu item in the DSM UI left navigation bar. You can either create a new group or click the existing group from the list.
Figure 2: Create new/open existing group
In the INFO tab in the group detailed view, click ADD POLICY in the cryptographic policy section.
Figure 3: Add cryptographic policy for group
In the Allowed object types for the account section, select the key types that you want to allow for this group.
In the Allowed key sizes section, add the required allowed key size(s) for the keys.
In the Handling existing non-compliant keys section, select the required radio button to handle the existing non-compliant keys. For more information, refer to Section 4.0: Policy Enforcement.
Click the RESTRICT KEY OPERATIONS button to select the permitted key operations that will be allowed for the keys.
In the Audit Log section, enable the toggle button to store the detailed audit logs for all the groups in the account.
Click the SAVE POLICY button to save the policy settings.
Figure 4: Group level cryptographic policy
NOTE
If a cryptographic policy was set at the account-level before the group-level, then the account-level cryptographic policy takes precedence over a group-level cryptographic policy.
A cryptographic policy set at the account-level can be narrowed for each group in the account to further restrict security object parameters.
Figure 5: Account policy pre-applied
In this example, some of the key types and key operations are unavailable when creating a cryptographic policy at the group level. This is because an account-level cryptographic policy was applied before the group-level policy.
If a group already contains keys that are not compliant with the Cryptographic policy being added, an error message is displayed in the policy section as seen below.
Figure 6: Error message for non-compliance
There is also an indication next to the group name in the table view of the Groups page as seen below.
Figure 7: Error message for non-compliance
3.1.2 Editing or Deleting a Policy
Perform the following steps to edit or delete a group level cryptographic policy:
Navigate to the Groups menu item in the DSM left navigation bar to go to the detailed view of a group.
In the INFO tab, under the Cryptographic policy section, click the EDIT POLICY button.
Figure 8: Edit group cryptographic policy
On the redirected page, you can make the required updates. Click the SAVE POLICY button to keep the changes.
Click the DELETE POLICY button to delete the cryptographic policy.
Figure 9: Delete group cryptographic policy
NOTE
If an account-level cryptographic policy was set, then the account cryptographic policy rules will still be applicable for the group, even after deleting the group cryptographic policy.
4.0 Policy Enforcement
All new keys will be allowed/denied based on the cryptographic policy rules.
Any existing keys that are not compliant with the policy will still exist in the group. However, these keys will be marked separately as policy-violating keys. For these keys the following conditions are applicable:
Cryptographic Operations that are classified as “protect operations” will not be allowed: For example: Sign, Encrypt, Wrapkey, Derivekey, MacGenerate, AgreeKey.
Cryptographic Operations which are classified as “process operations” will still be allowed: For example: Verify, Decrypt, UnwrapKey, MacVerify.
If a group contains keys that are not compliant with the policy being added, an error message is displayed where the key can either be grandfathered, forbidden, or partially grandfathered. When a cryptographic policy is created at an account or group level, there are 3 options provided to handle non-compliant keys. These options are detailed in the section Handling existing non-compliant keys:
Figure 10: Handling Non-Compliant Keys
Forbid to use: Forbid any use of non-compliant objects. If this option is selected, you are forbidden from using the non-compliant keys for any operation.
Accept: Accept non-compliant objects even though they violate the current policy. If this option is selected, you may continue to use existing non-compliant keys, but you may not generate or import new non-compliant objects.
Limit usage: Restrict non-compliant objects so that they may only be used for “process operations” such as Decrypt, Unwrap, Verify, and MacVerify operations. The “protect operations” such as Encrypt, Wrap, Sign, and Mac are forbidden.
NOTE
If the non-compliance setting for account-level Cryptographic policy is different from the group-level Cryptographic policy, then the more restrictive setting is applied for the existing keys.
Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.
Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.