---
title: "Fortanix DSM for Hewlett Packard Enterprise (HPE) Morpheus Cypher Module"
slug: "using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus"
updated: 2026-04-01T08:43:00Z
published: 2026-03-16T18:42:28Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Fortanix DSM for Hewlett Packard Enterprise (HPE) Morpheus Cypher Module

## 1.0 Introduction

The **Fortanix-Data-Security-Manager (DSM) Morpheus Plugin** delivers secure, seamless integration between **Hewlett Packard Enterprise (HPE) Morpheus** and **Fortanix DSM** for centralized management, retrieval, and lifecycle control of sensitive secrets - including passwords, API keys, certificates, and other credentials. The plugin supports both the Morpheus Cypher module and the Credential Provider interface, enabling secure, dynamic injection of secrets into automation workflows, provisioning tasks, and application deployments.

By leveraging Fortanix DSM as a central source of truth, Morpheus benefits from externalized secret storage and strict governance. Sensitive values are created, stored, and managed entirely within Fortanix DSM, ensuring they never reside within the Morpheus environment. This architecture enhances security posture, reduces operational risk, and simplifies compliance.

Through the DSM Plugin Client, the Morpheus Cypher module interacts with Fortanix DSM to create, retrieve, and manage secrets required for automation and cloud provisioning. Each secret defined in Morpheus is provisioned as a secure object in Fortanix DSM. Likewise, the Credential Provider integration securely retrieves credentials - such as passwords, tokens, and API keys from Fortanix DSM through authenticated API calls, ensuring these values are tightly controlled and never stored in the Morpheus database.

At runtime, Fortanix DSM enforces fine-grained access controls, provides detailed audit logging for all secret interactions, and delivers centralized visibility and governance across environments. This integration ensures that every secret and credential used by Morpheus is externally managed, securely handled, and aligned with enterprise-grade security and compliance requirements.

## 2.0 Prerequisites

Ensure the following:

- Fortanix DSM must be accessible. *For more information, refer to*[*Section 5.0: Configure Fortanix DSM*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#50-configure-fortanix-dsm)*.*
- Administrator access to the Morpheus console.
- Network connectivity between Morpheus and Fortanix DSM endpoint.

## 3.0 Product Version Tested

The following product versions were tested:

- Fortanix DSM version 5.2 or later
- Java versions 11 and 17
- Morpheus version 8.0.x or later

## 4.0 Architecture Workflow

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/FTX DSM Morpheus Cypher Module.png)

**Figure 1: Architecture diagram**

This figure presents a high-level view of the Fortanix DSM–HPE Morpheus integration workflow. The integration is enabled through the `dsm-hpe-morpheus-plugin-x.x.x-all.jar`, which establishes a secure, authenticated communication channel between the Morpheus platform and Fortanix DSM.

As shown, the Morpheus Cypher module and the Credential Provider interface both interact with Fortanix DSM using the DSM Plugin Client. These components request secrets and credentials on demand during automation workflows, provisioning operations, and application deployments.

The Morpheus Cypher module communicates with Fortanix DSM through the DSM Plugin Client to create, retrieve, and manage secrets for automation tasks, provisioning, and cloud integrations. Each secret created in Morpheus is provisioned as a security object in Fortanix DSM.

All secret and credential operations are executed through authenticated API calls to Fortanix DSM, which acts as the authoritative control plane for access enforcement, auditing, and lifecycle management. This design ensures that Morpheus consumes sensitive values dynamically at runtime while Fortanix DSM maintains centralized visibility, policy enforcement, and governance across all environments.

## 5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io.](https://amer.smartkey.io.) On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the*[*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 2: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 5.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups**menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(14).png)

**Figure 3: Add groups**
2. On the**Adding new group**page:
  1. **Title**: Enter a name for your group.
  2. **Description**(optional): Enter a short description of the group.
3. Click **SAVE**to create the new group.

The new group is added to the Fortanix DSM successfully.

### 5.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_Add_App(1).png)

**Figure 4: Add application**
2. On the **Adding new app**page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION**(optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop down menu. *For more information on these authentication methods, refer to the*[*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 5.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#53-creating-a-group)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#43-creating-a-group)from the list.
3. Click **SAVE**to add the new application.

The new application is added to the Fortanix DSM successfully.

### 5.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and then click the app created in**[*Section 5.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#54-creating-an-application) [](/v1/docs/using-data-security-manager-with-idcentral-key-management#44-creating-an-application)to go to the detailed view of the app.
2. On the **INFO**tab, click **VIEW API KEY DETAILS** .
3. From the **API Key Details** dialog box, copy the **API Key** of the app to use in [*Section 6.2: Configuring the Fortanix DSM Plugin*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#62-configuring-fortanix-dsm-plugin).

## 6.0 Fortanix DSM Plugin

This section describes how to install and configure the Fortanix DSM plugin in Morpheus.

### 6.1 Installing the Fortanix DSM Plugin Client

Perform the following steps to install the plugin:

1. Download the plugin source code from the [*GitHub repository*](https://github.com/fortanix/dsm-hpe-morpheus-plugin).
2. Run the following command in the local project directory to generate the bundled JAR:

```bash
./gradlew shadowJar
```
3. After the build completes successfully, the `dsm-hpe-morpheus-plugin-x.x.x-all.jar` file is generated in the `build/libs` directory.
4. In the Morpheus console, navigate to **Administration** → **Integrations**→ **Plugins**tab and click **ADD**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/PluginJar-Morpheus.png)

**Figure 5: Upload Fortanix DSM Plugin JAR**
5. In the **ADD PLUGIN** dialog box, upload the `dsm-hpe-morpheus-plugin-x.x.x-all.jar` file that is generated in *Step 3*.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/PluginListed0-Morpheus.png)

**Figure 6: Fortanix DSM Plugin listed in Morpheus**
6. Click **SAVE**.
7. After a successful upload, verify that the Fortanix DSM plugin appears in the list.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/PluginListed-Morpheus.png)

**Figure 7: Fortanix DSM Plugin is listed**

### 6.2 Configuring the Fortanix DSM Plugin

Perform the following steps to configure the plugin:

1. Click the **Edit**![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EditIcon-Morpheus.png)****icon corresponding to the Fortanix DSM plugin.
2. In the **EDIT PLUGIN** dialog box, provide the following mandatory fields:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/EditPluginConfig-Morpheus.png)

**Figure 8: Edit plugin configuration**
  1. **DSM API URL**: Enter the Fortanix DSM endpoint.
  2. **DSM API KEY**: Enter the Fortanix DSM app API key of the Fortanix DSM created in [*Section 5.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#54-creating-an-application).
  3. Select the**CLEAR SECRET ON DELETION** check box to ensure that when a Cypher entry is deleted in Morpheus, the corresponding security object in Fortanix DSM is also deleted.
  4. **Lease Timeout** (optional): The Lease Timeout parameter is applicable only when creating a Cypher object, not during plugin configuration. *Refer to Figure 7 for all available plugin configuration options.*
  5. Click **SAVE**to update the configuration.

## 7.0 Using the Cypher Module with Fortanix DSM

This section describes how to use the Cypher module in Morpheus with Fortanix DSM to create, validate, and manage secrets.

### 7.1 Creating a Cypher Entry

Perform the following steps to create a Cypher entry in Morpheus and store the secret in Fortanix DSM:

1. In the Morpheus console, navigate to **Tools** → **Cypher**and click **ADD**to create a new Cypher entry.
2. In the **ADD KEY** dialog box, provide the following details:
  1. **KEY**: Use the `dsm` mount point prefix to indicate that the secret will be managed in Fortanix DSM.

The expected naming convention is `dsm/{name_of_the_security_object_in_DSM}`. For example, `dsm/db-password`.

> [!NOTE]
> NOTE
> 
> The syntax after `dsm/` must exactly match the security object name created in Fortanix DSM.
  2. **VALUE**: Enter the secret in plain text. For example, a password or API key.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AddKeyConfig-Morpheus.png)

**Figure 9: Add key configuration**
3. Click **SAVE**to confirm.

When you save the Cypher entry, Morpheus automatically creates a **SECRET** type of security object in Fortanix DSM. The security object is imported into the default Fortanix DSM group associated with the app as configured in [*Section 6.2: Configuring the Fortanix DSM Plugin*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#62-configuring-the-fortanix-dsm-plugin). When you delete the key in Morpheus, the associated Fortanix DSM security object will be deleted based on the Fortanix DSM plugin configuration.

> [!NOTE]
> NOTE
> 
> The Cypher module always uses the Fortanix DSM plugin configuration. Even if additional credential stores are created under **Infrastructure**→ **Trust**→ **Integrations**, the Cypher module does not use them.

### 7.2 Validating the Secret

- In Morpheus,

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DecryptKey-Morpheus.png)

**Figure 10: Viewing a DSM-backed Cypher entry and using decrypt**
  - After saving, the secret appears in the Cypher table.
  - Click **DECRYPT** next to the entry to view the value in base64 format. You can decrypt the base64 to obtain the raw secret.
- In Fortanix DSM,

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/SecretSO-Morpheus.png)

**Figure 11: Secret type security object**
  1. Log in to your Fortanix DSM account.
  2. Navigate to **Groups**→**Security Objects**for the group linked to your Morpheus app as configured in[*Section 6.2: Configuring the Fortanix DSM Plugin*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#62-configuring-the-fortanix-dsm-plugin).
  3. Confirm that a new security object of type **SECRET**exists with the same name added after `dsm/` in *Step 2*of [*Section 7.1: Creating a Cypher Entry*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#71-creating-a-cypher-module).

> [!NOTE]
> NOTE
> 
> Updating an existing Cypher secret is **not supported** in the current release of the plugin. To change any value, delete the old entry and create a new one. Additionally, the Update **Secret feature** is not implemented for the plugin.

### 7.3 Deleting a Cypher Entry

Perform the following steps to remove a Cypher entry and (optionally) the corresponding Fortanix DSM security object:

1. In Morpheus, navigate to **Tools** → **Cypher**and locate the entry and delete it.
2. The outcome depends on the plugin configuration set in [*Section 6.2: Configuring the Fortanix DSM Plugin*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#62-configuring-the-fortanix-dsm-plugin):
  - If the **CLEAR SECRET ON DELETION** check box is selected, the associated Fortanix DSM security object is also deleted.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DeleteKey-Morpheus.png)

**Figure 12: Deleting a Cypher entry in Fortanix DSM**
  - If the **CLEAR SECRET ON DELETION** check box is **not** selected, the Fortanix DSM security object remains in Fortanix DSM.

## 8.0 Use the Credential Provider

This section describes how to configure and use the Credential Provider in Morpheus with Fortanix DSM.

### 8.1 Configuring Fortanix DSM as a Credential Store

Perform the following steps to configure Fortanix DSM as a Credential Store in Morpheus

1. In the Morpheus console, navigate to **Infrastructure**→ **Trust** → **Integrations**and click **ADD**.
2. From the **Secret Stores**drop down menu, select **DSM**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AddDSMInteg-Morpheus.png)

**Figure 13: Adding new DSM integration**
3. In the **ADD INTEGRATION**dialog box, provide the following details:

> [!NOTE]
> NOTE
> 
> If a Fortanix DSM Endpoint or API Key is provided here, it overrides the plugin-level configuration. If left blank, Morpheus uses the plugin settings as defined in [*Section 6.2: Configuring the Fortanix DSM Plugin*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#62-configuring-the-fortanix-dsm-plugin).
  - **NAME**(mandatory): Enter a title for your integration. For example, **Fortanix-DSM**.
  - **API URL**(optional): Enter the Fortanix DSM service URL. For example, `https://smartkey.io/` or regional endpoint.
  - **API KEY**(optional): Enter the Fortanix DSM app API key as copied in [*Section 5.5: Copying an API Key*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#55-copying-the-api-key).
4. Click **SAVE CHANGES** to add the DSM credential store in the Integrations list.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AddDSMCred-Morpheus.png)

**Figure 14: Adding DSM as credential store**

### 8.2 Adding a Credential

Perform the following steps to add and manage a credential in Fortanix DSM:

1. In the Morpheus console, navigate to **Infrastructure**→ **Trust**→ **Credentials**.
2. Click **ADD** and select a credential option from the drop down menu. In this example, the **Access Key and Secret Key**credential type is selected.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AddNewCred-Morpheus.png)

**Figure 15: Adding new credentials**
3. In the**ADD CREDENTIALS**dialog box,

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/ConfigDSMCred-Morpheus(1).png)

**Figure 16: Configuring DSM-backed credential details**
  1. **CREDENTIAL STORE**: Select Fortanix DSM from the drop down menu as created in [*Section 8.1: Configuring Fortanix DSM as Credential Store*](/v1/docs/using-fortanix-data-security-manager-for-hewlett-packard-enterprise-hpe-morpheus#81-configuring-fortanix-dsm-as-a-credential-store).
  2. **NAME**: Unique identifier for the credential. For example, **my-creds-aws**.
  3. **DESCRIPTION**(optional): Description of the credential.
  4. **ENABLED**: Select this check box to activate the credential.
  5. **ACCESS KEY**: Enter the access key value.
  6. **SECRET KEY**: Enter the secret key value.
4. Click **ADD CREDENTIALS** to update the configuration.

> [!NOTE]
> NOTE
> 
> - You can create multiple Fortanix DSM credential stores with different app API keys to maintain granular access control across applications or teams.
> - The Cypher plugin provides a fallback mechanism. If the Credential Provider configuration is missing, the plugin retrieves the configuration details from the Cypher plugin configuration.

**Outcome**: In Morpheus, the credential appears under **Infrastructure**→ **Trust**→ **Credentials**. In Fortanix DSM, the credential is created as a **SECRET**type of security object within the default group linked to the app defined in the credential store (unlike Cypher, which always uses the plugin configuration). The value is stored in Fortanix DSM as a base64-encoded JSON string.

### 8.3 Configuration in a Private Network

When Fortanix DSM and HPE Morpheus are deployed within a private network, the Morpheus server must trust the DSM root Certificate Authority (CA) to establish secure communication. To enable this, the DSM server root CA certificate must be added to the Morpheus server.

Perform the following steps to add the DSM server root CA certificate:

1. Download the root CA certificate from the Fortanix DSM instance.
2. Run the following command to copy the certificate to the following directory on the Morpheus server:

```bash
/etc/morpheus/ssl/trusted_certs
```
3. Run the following command to reconfigure the Morpheus service to apply the certificate changes:

```bash
morpheus-ctl reconfigure
```
4. Run the following command to restart the Morpheus service to complete the configuration:

```bash
morpheus-ctl restart
```

After completing the configuration, perform the required sanity tests to verify that Morpheus can successfully communicate with Fortanix DSM.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.