Using Fortanix Data Security Manager for NGINX TLS Keys

1.0 Introduction

NGINX is a popular open-source HTTP server and reverse proxy. Fortanix Data Security Manager (DSM) can be used to protect the TLS private key for your NGINX server, keeping the private key secure even if the host running NGINX is compromised: the key material stays in DSM and NGINX uses it through the PKCS#11 interface.

This page describes how to set up your NGINX server to use a TLS private key stored in Fortanix DSM. To get started quickly, you can use a Fortanix-provided docker image. Retrieve the image by running:

    docker pull fortanix/sdkms-nginx

2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and its URL must be reachable from the host that will run NGINX. To create a Fortanix DSM account and group, refer to the following sections:

2.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

2.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In

2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.

    Figure 2: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.

    Figure 3: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 2.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application.

The new application has been added to the Fortanix DSM successfully.

2.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation bar and click the app created in Section 2.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click the VIEW API KEY DETAILS button.

  3. From the API Key Details dialog box, copy the API Key of the app to be used in Section 4.0: Installing the TLS Key and Certificate.

3.0 Obtaining a TLS Key and Certificate

The Managing Fortanix Data Security Manager Keys With OpenSSL article describes several ways of generating or importing a TLS key and certificate. If you aren’t sure which flow to use and just want to test things out, you can use the section titled “Generating a TLS key and self-signed certificate”.

4.0 Installing the TLS Key and Certificate

Create a file named docker.env to configure the container. In the template below, replace the API key and the labels of the private key and the certificate. The PKCS#11 label is the same as the security object's description in Fortanix DSM; you can obtain it either from the commands you used to import the key or from the security object's detail view in the web interface.

The API key is a sensitive credential: anyone who holds it can act with the app's permissions in DSM, so for production deployments this file must be protected appropriately.

FORTANIX_API_ENDPOINT=https://<FORTANIX_DSM_URL>
FORTANIX_API_KEY=<API key from web UI>
FORTANIX_PKCS11_LIBRARY=/usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
FORTANIX_PRIVATE_KEY_LABEL=<label of private key>
FORTANIX_CERTIFICATE_LABEL=<label of certificate>
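As an added example (it is not part of the Fortanix page or of the fortanix/sdkms-nginx image), the following POSIX shell script performs pre-flight checks on a docker.env before the container is started: every variable from the template above must be set, no angle-bracket placeholder may remain, the endpoint must use HTTPS, and the file must not be readable by other users, since the API key inside it is the credential that unlocks the private key in DSM. The write_env helper, the check_docker_env and env_value function names, and all sample values (including the dummy API key) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Fortanix page: pre-flight checks for docker.env.
# Assumes the five FORTANIX_* variables from the template above; the sample
# values written by write_env are constructed and the API key is a dummy.

REQUIRED_VARS="FORTANIX_API_ENDPOINT FORTANIX_API_KEY FORTANIX_PKCS11_LIBRARY \
FORTANIX_PRIVATE_KEY_LABEL FORTANIX_CERTIFICATE_LABEL"

# Print the value of variable $2 from env file $1 (empty if absent).
env_value() {
    sed -n "s/^$2=//p" "$1"
}

# Return 0 when the env file is safe to hand to `docker run --env-file`,
# 1 otherwise; every problem found is reported on stderr.
check_docker_env() {
    envfile="$1"
    rc=0
    if [ ! -f "$envfile" ]; then
        echo "missing env file: $envfile" >&2
        return 1
    fi
    # The API key is a bearer credential: refuse files other users can read.
    mode=$(stat -c '%a' "$envfile" 2>/dev/null || stat -f '%Lp' "$envfile")
    case "$mode" in
        600|400) ;;
        *) echo "$envfile has mode $mode; expected 600" >&2; rc=1 ;;
    esac
    for var in $REQUIRED_VARS; do
        value=$(env_value "$envfile" "$var")
        if [ -z "$value" ]; then
            echo "$var is not set" >&2; rc=1
        elif printf '%s' "$value" | grep -q '[<>]'; then
            # Angle brackets mean a template placeholder was left in place.
            echo "$var still holds the template placeholder: $value" >&2; rc=1
        fi
    done
    # The API key is sent to this endpoint, so the endpoint must be TLS.
    case "$(env_value "$envfile" FORTANIX_API_ENDPOINT)" in
        https://*) ;;
        *) echo "FORTANIX_API_ENDPOINT must start with https://" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Write the given KEY=VALUE lines to $1, created with mode 0600 from the
# moment it exists (umask is applied in a subshell so the caller is unaffected).
write_env() {
    file="$1"; shift
    ( umask 077; : > "$file" ) || return 1
    for line in "$@"; do printf '%s\n' "$line" >> "$file"; done
}

# Stand-alone demonstration on constructed values (dummy API key).
demo_dir=$(mktemp -d)
write_env "$demo_dir/docker.env" \
    "FORTANIX_API_ENDPOINT=https://eu.smartkey.io" \
    "FORTANIX_API_KEY=dummy-api-key-for-demo" \
    "FORTANIX_PKCS11_LIBRARY=/usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so" \
    "FORTANIX_PRIVATE_KEY_LABEL=nginx-tls-key" \
    "FORTANIX_CERTIFICATE_LABEL=nginx-tls-cert"
if check_docker_env "$demo_dir/docker.env"; then
    echo "$demo_dir/docker.env passes; safe to pass to docker run --env-file"
fi
rm -rf "$demo_dir"
```

Run it with `sh check_env.sh`; to check a real file, source the script and call `check_docker_env /path/to/docker.env` before the docker run command in the next section. The mode check accepts only 600 or 400, which is what write_env produces via the subshell umask; a file copied in with the default umask will be rejected until it is chmod'ed.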

5.0 Running the Container

  1. Run the container:

    docker run -p 8443:443 --env-file docker.env fortanix/sdkms-nginx

  2. Open the URL https://localhost:8443 in your browser.

    • If you used a self-signed certificate, your browser will display a certificate warning; regardless, the server’s private key is now protected by Fortanix DSM.