---
title: "Store Keys Externally - Setup"
slug: "users-guide-store-keys-externally-setup"
updated: 2026-04-01T07:57:16Z
published: 2026-03-23T16:23:16Z
---


# Store Keys Externally - Setup

## 1.0 Introduction

This document describes how to connect a group in one Fortanix Data Security Manager (DSM) account (the secondary group) to a group in another Fortanix DSM account (the primary group), in the same cluster or a different one, so that new keys are physically generated and stored in the primary group while the secondary group holds only virtual representations of them. The document also describes the following:

- Creating and configuring a Fortanix DSM-linked primary group (on-premises/cloud/SaaS DSM) in the Fortanix DSM secondary group (on-premises/cloud/SaaS DSM).
- Testing the connection between the primary and secondary groups.
- Syncing the keys from the DSM primary group into the DSM secondary group as Virtual-Keys.
- Optionally caching key material from the DSM primary group in the DSM secondary group for Extended Virtual Keys.
- Enabling auto scan of the primary group for new keys.

## 2.0 Extended Virtual Keys Concepts

*Refer to the* [*Extended Virtual Keys - Concepts*](/v1/docs/extended-virtual-keys-concepts).

## 3.0 Terminology References

- **DSM –** Data Security Manager
- **Fortanix DSM secondary group** – The group in the secondary cluster that is linked to an external Fortanix DSM. It holds the virtual keys (and, for Extended Virtual Keys, cached key material) but does not generate keys itself.
- **Fortanix DSM primary group –** The group in the external (primary) Fortanix DSM cluster that is configured as the HSM/External KMS of the secondary group. It is where keys are actually generated and stored.
- **Fortanix DSM primary key –** The actual key object in the Fortanix DSM primary group, containing the key material.
- **Fortanix DSM secondary key –** The virtual representation of a Fortanix DSM primary key in the secondary group. It carries the key's metadata and, for Extended Virtual Keys only, a cached copy of the material.

## 4.0 Obtaining Access to Fortanix DSM

Create an account in Fortanix DSM if you do not have one already. *For more information, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui).

## 5.0 Store Keys Externally - Group Setup

This section describes the steps to configure a Fortanix DSM secondary group to interact with the Fortanix DSM primary group. A Fortanix DSM secondary group is created in the secondary Fortanix DSM cluster, and this group is configured to interact with the Fortanix DSM primary cluster that contains the actual keys.

### 5.1 Prepare the Source Fortanix DSM Cluster

This step must be done on the Fortanix DSM primary cluster.

1. Create an account in the DSM primary cluster, then set up account administrators.
2. Create a group in the DSM primary cluster.
3. Create an application (app) in the DSM primary cluster and assign it to the group created in step 2. Make a note of the API key of this application; it is required when configuring the group in the Fortanix DSM secondary cluster. Treat the API key as a secret: anyone holding it can perform every operation the app is permitted to perform in the primary group.

> [!NOTE]
> NOTE
> 
> - For the Extended Virtual Keys use case, the app must have the **Export** permission, because caching key material in the secondary group is an export of the primary key.
> - The app must belong to the group from which the keys are to be replicated; the secondary group can only see keys that this app can see.
> - To further restrict the use of this app, add an IP whitelisting policy on the app that lists the public (egress) IP address(es) or CIDR ranges from which your Fortanix DSM secondary cluster reaches the primary cluster. The API key then cannot be used from anywhere else, even if it leaks.

### 5.2 Configure the Primary DSM Cluster on the Secondary DSM Cluster

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.
2. In the **Add new group** form:
  1. Enter a title and description for your group.
  2. In the **Configure as HSM/External KMS Group** section, click **LINK HSM/EXTERNAL KMS**.
  3. In the drop down menu, select **Fortanix DSM** as the type of HSM/External KMS group.
  4. Select the **Store keys externally** option to generate, manage, and use keys in an external DSM primary cluster (on-premises/cloud/SaaS) and store the virtual keys locally in the DSM secondary cluster (on-premises/cloud/SaaS).
  5. In the **Authentication** section, enter:
    - The DNS name of the primary DSM cluster. For example, **amer.smartkey.io**.
    - The API key of the application that was created in the primary DSM cluster. *For more information, refer to* [*Section 5.1: Prepare the Source DSM Cluster*](/v1/docs/users-guide-store-keys-externally-setup#51-prepare-the-source-fortanix-dsm-cluster).

> [!NOTE]
> NOTE
> 
> Enter the bare DNS name. Do not add "https://" before it.
3. Add a certificate. *For more information, refer to*[*Section 5.3: Add Certificate*](/v1/docs/users-guide-store-keys-externally-setup#53-add-certificate-optional).
4. Click **TEST CONNECTION** to test the connection to your primary group. If the Fortanix DSM secondary group can reach the primary cluster over TLS and authenticate with the API key, it shows the status as "Connected" with a green tick ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360082238652(7).png). Otherwise, it shows the status as "**Not Connected**" with a yellow warning sign ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1811)(9).png). A failed test is usually caused by a DNS name entered with a scheme, a wrong or revoked API key, an IP whitelisting policy on the app that does not include the secondary cluster's egress address, or a server certificate that the selected CA (Section 5.3) does not trust.
5. To enable Extended Virtual Keys, select **Fetch key material** to cache the key material of the keys from the Fortanix DSM primary group in the Fortanix DSM secondary group during a key sync operation. A key in the Fortanix DSM primary group must be exportable for its material to be cached in the Fortanix DSM secondary group. For keys that are not exportable, select one of the following options:

> [!WARNING]
> WARNING
> 
> Clearing the Fetch Key Material check box will cause the key material of existing Extended Virtual Keys in the secondary group to be removed on the next key scan operation.
  - **Ignore non-exportable keys** – Select this option to ignore all the non-exportable primary keys during key sync so that the virtual keys will not be created in the secondary group for these non-exportable keys.

> [!NOTE]
> NOTE
> 
> LMS keys are considered to be non-exportable for Extended Virtual Keys.
  - **Create uncached keys** – Select this option if you want to keep all the non-exportable primary keys during key sync so that the virtual keys will be created in the secondary group without the cached key material.
6. Select **Enable auto scan** and set a duration in hours to automatically scan the primary group for new keys. The default scan interval is 1 hour.
7. Select **Show warnings** to display API warnings that occur during the Fortanix DSM primary group scan, for example keys that were skipped because they are not exportable.
8. Click **SAVE** to save the group.
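The interaction between **Fetch key material**, **Ignore non-exportable keys** and **Create uncached keys** in step 5, and the effect of clearing **Fetch key material** described in the warning, is easier to reason about as a decision table. The following is an added example, not Fortanix code: it models the sync outcome for each primary key under each combination of settings. It assumes only two fields that DSM key objects carry, `key_ops` (which contains `"EXPORT"` when the key is exportable) and `obj_type`; the three-key inventory is constructed sample data.

```python
"""Model of the 'Fetch key material' sync options (added example, not Fortanix code).

Assumptions: a primary key is exportable when "EXPORT" is in its key_ops, and
LMS keys are treated as non-exportable for Extended Virtual Keys regardless of
key_ops (as the NOTE above states). The inventory at the bottom is constructed.
"""
from dataclasses import dataclass
from enum import Enum


class NonExportable(Enum):
    """What to do with a primary key whose material cannot be fetched."""
    IGNORE = "ignore non-exportable keys"      # no virtual key is created
    CREATE_UNCACHED = "create uncached keys"   # virtual key without material


class Outcome(Enum):
    CACHED = "extended virtual key (material cached)"
    UNCACHED = "virtual key (no material)"
    SKIPPED = "not synced"


@dataclass(frozen=True)
class PrimaryKey:
    name: str
    obj_type: str
    key_ops: frozenset


def is_cacheable(key):
    """True if the secondary group may cache this key's material."""
    if key.obj_type == "LMS":          # LMS keys are never cached as EVKs
        return False
    return "EXPORT" in key.key_ops


def plan_sync(keys, fetch_key_material,
              non_exportable=NonExportable.CREATE_UNCACHED):
    """Return {key name: Outcome} for one SYNC KEYS / auto-scan run."""
    plan = {}
    for key in keys:
        if not fetch_key_material:
            # Plain virtual keys only; material is never pulled.
            plan[key.name] = Outcome.UNCACHED
        elif is_cacheable(key):
            plan[key.name] = Outcome.CACHED
        elif non_exportable is NonExportable.IGNORE:
            plan[key.name] = Outcome.SKIPPED
        else:
            plan[key.name] = Outcome.UNCACHED
    return plan


def material_removed_on_rescan(previous_plan, new_plan):
    """Keys whose cached material is dropped by the next scan (the WARNING
    above): they were Extended Virtual Keys before and are not cacheable
    under the new settings."""
    return sorted(name for name, outcome in previous_plan.items()
                  if outcome is Outcome.CACHED
                  and new_plan.get(name) is not Outcome.CACHED)


# Constructed sample inventory of the primary group.
SAMPLE_PRIMARY_KEYS = [
    PrimaryKey("aes-db", "AES", frozenset({"ENCRYPT", "DECRYPT", "EXPORT"})),
    PrimaryKey("rsa-sign", "RSA", frozenset({"SIGN", "VERIFY"})),
    PrimaryKey("lms-fw", "LMS", frozenset({"SIGN", "VERIFY", "EXPORT"})),
]


if __name__ == "__main__":
    first = plan_sync(SAMPLE_PRIMARY_KEYS, fetch_key_material=True)
    for name, outcome in first.items():
        print(f"{name:10} -> {outcome.value}")
    # Operator later clears 'Fetch key material':
    later = plan_sync(SAMPLE_PRIMARY_KEYS, fetch_key_material=False)
    print("material removed on next scan:",
          material_removed_on_rescan(first, later))
```

Run it once with `fetch_key_material=True` and once with it cleared, and `material_removed_on_rescan` lists exactly the keys whose cached material disappears, which is the question to answer before clearing the check box on a group that applications are already using.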

### 5.3 Add Certificate (optional)

1. Click **+ ADD CONFIGURATION** to choose the CA certificate that the secondary cluster uses to verify the TLS server certificate presented by the primary DSM cluster.
  1. There are two certificate options to choose from:
    - **Global Root CA** - Use this option if the primary DSM cluster's server certificate is signed by a well-known public CA. By default, every DSM-backed group is configured with the Global Root CA certificate.
    - **Custom CA Certificate** – Use this option if the primary DSM cluster's server certificate is issued by your own internal (private) CA. The Custom CA Certificate overrides the default Global Root CA certificate for the DSM primary group. You can either upload the CA certificate file or paste the PEM contents of the certificate into the text box provided.
  2. Select the **Validate Host** check box to verify that the server certificate presented by the primary DSM cluster carries the configured DNS name in its subjectAltName (or Common Name). Leave this selected unless you have a specific reason not to: without it, any certificate chaining to the trusted CA is accepted, including one issued to a different host.
2. **+ ADD CLIENT CERTIFICATE** (optional): The Custom CA Certificate option also has a Client Certificate section where you can configure a client certificate and its private key. The secondary cluster presents this certificate when it connects, so the primary cluster can authenticate the secondary cluster (mutual TLS) in addition to checking the API key; the CA certificate configured above is what the secondary cluster uses to authenticate the primary cluster.

### 5.4 The HSM/KMS Tab

The **HSM/KMS** tab shows the connection details of the Fortanix DSM primary cluster. You can also edit the connection details here.

After you edit the connection details and save them, click **TEST CONNECTION** to test the connection.

Click **SYNC KEYS** to sync keys from the configured Fortanix DSM primary group to the Fortanix DSM secondary group.

For Extended Virtual Keys, you can also change **Fetch key material**, **Enable auto scan**, and **Show warnings** as explained in *Steps 5 to 7 in* [*Section 5.2: Configure the Primary DSM Cluster on the Secondary DSM Cluster*](/v1/docs/users-guide-store-keys-externally-setup#52-configure-the-primary-dsm-cluster-on-the-secondary-dsm-cluster). Clearing **Fetch key material** here has the same effect as described in the warning in that section: cached key material is removed on the next scan.

Click **Save Changes** to save the new settings.


## Related

- [Data Center Labeling](/fortanix-data-security-manager-data-center-labeling.md)
- [Security Controls for Fortanix DSM Applications](/users-guide-security-controls-for-fortanix-data-security-manager-applications.md)
- [Store Keys Externally - Key Management](/users-guide-store-keys-externally-key-management.md)
- [Extended Virtual Keys - Concepts](/extended-virtual-keys-concepts.md)
