1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Nutanix for storage encryption.
Nutanix supports Fortanix DSM as the manager of the encryption keys used to encrypt sensitive data at rest. Fortanix DSM is a specialized device/service that provides secure key management and cryptographic operations through industry-standard APIs.
Nutanix uses Fortanix DSM to generate, store, and provide authorized access to data encryption keys. Nutanix communicates with the Fortanix DSM using the KMIP standard to allow authorized use of these keys.
Using Fortanix DSM with Nutanix provides additional security for your data, ensuring that the data encryption keys can only be used with authorized access.
This article also contains the information that a user requires for:
Facilitating the communication and authentication between Fortanix DSM and Nutanix using KMIP and Certificates.
Setting up Fortanix DSM.
Creating a client certificate.
Configuring Nutanix Key Management settings.
2.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the Nutanix cluster and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to authenticate a KMIP client to successfully create, retrieve, and use the keys stored inside Fortanix DSM.
X.509 certificates are used to facilitate the communication and authentication for both Fortanix DSM and the Nutanix Cluster. Fortanix DSM is deployed with a server certificate that is signed by the internal Certificate Authority (CA). You will need to create a client certificate for the Nutanix cluster using tools such as OpenSSL. The certificate may be signed externally or can be self-signed.
3.0 Prerequisites
Ensure the following:
A Nutanix GA release of LTS 6.5.X or 6.10.X.
Fortanix DSM version 4.4 or later.
Fortanix DSM is installed and operational, and is accessible from the Nutanix cluster on port 5696 (the default) or on a custom KMIP port.
You have access to OpenSSL or some other tool for generating a client certificate and private key in the Privacy Enhanced Mail (PEM) format.
4.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 1: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 2: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
4.4 Creating an Application
NOTE
You must create one application for each node in the Nutanix Cluster. For example: 3 nodes = 3 applications.
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 3: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
4.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.
From the top of the app’s page, copy the app UUID. It is used in Section 5.0: Configure Nutanix Nodes with Fortanix UUIDs as the Common Name (CN) when generating the client certificate.
For example:
Node 1 = 3030a8c0-c520-4f0f-912a-d3bff6a272fd
Node 2 = 99d5cafd-95e0-4898-b93d-f46ce9550287
Node 3 = c0b83293-ae04-4735-90af-9b4f406f884e
4.6 Updating the Account Settings
Perform the following steps:
In the Fortanix DSM left navigation panel, click Settings → CLIENT CONFIGURATION → KMIP.
Select the Allow secrets with unknown operations check box.
Click SAVE.
5.0 Configure Nutanix Nodes with Fortanix UUIDs
Perform the following steps to generate an RSA key for authenticating to Fortanix DSM for each Nutanix node:
Use the SSH protocol to log into the Nutanix cluster.
Run the following command to identify all nodes in the cluster:
svmips
Each IP address returned will represent your cluster nodes.
Log in to each cluster node and run the following command:
genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=<APP_UUID>" restart
Replace <APP_UUID> with the Fortanix app UUID for that node, as copied in Section 4.5: Copying the App UUID. Execute the above command on every node in the cluster; the <APP_UUID> passed on each node must be the one that belongs to that node.
Sample output:
nutanix@NTNX-17SM6B050002-A-CVM:10.16.0.135:~$ genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=5bf6acc7-ebe3-4e6e-a88a-70572b18c96a" restart
2022-11-01 07:45:23.042344: Stopping genesis (pids [15503, 15561, 15585, 15586, 30032, 30033])
2022-11-01 07:45:27.540170: Genesis started on pids [2948]
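The per-node loop described above, as an added shell example that is not part of the Fortanix or Nutanix documentation: it takes one mapping of CVM IP address to DSM app UUID, checks before touching any node that every IP returned by svmips has a well-formed UUID in the mapping, and then runs the genesis command over SSH with the matching UUID, or only prints it when DRY_RUN=1. The NODE_MAP table and the sample_svmips function are constructed sample data (the UUIDs are the sample values from Section 4.5), and logging in as nutanix@<ip> over SSH is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the Fortanix/Nutanix guide: run the per-node
# "genesis ... restart" step from one mapping of CVM IP -> DSM app UUID, so
# that each node is restarted with exactly the UUID copied for that node.
# Assumptions: "svmips" lists the cluster nodes, passwordless SSH to
# nutanix@<ip> works between CVMs; NODE_MAP below is constructed sample data.
set -u

# Constructed sample mapping: replace with the UUIDs copied from DSM.
NODE_MAP='
10.16.0.135 3030a8c0-c520-4f0f-912a-d3bff6a272fd
10.16.0.136 99d5cafd-95e0-4898-b93d-f46ce9550287
10.16.0.137 c0b83293-ae04-4735-90af-9b4f406f884e
'

# Return 0 if $1 looks like a DSM app UUID (8-4-4-4-12 lowercase hex).
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the UUID mapped to CVM IP $1 in mapping text $2; return 1 if absent.
lookup_uuid() {
    local uuid
    uuid=$(printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip { print $2; exit }')
    [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# Print the exact genesis command for app UUID $1.
genesis_cmd() {
    printf 'genesis --use_legacy_csr_generation=False --san_list_for_csr_generation="dns=%s" restart\n' "$1"
}

# $1 = command printing one node IP per line (svmips on a CVM), $2 = mapping
# text. Validate every node first, then run (or with DRY_RUN=1 only print)
# the genesis command for each node with that node's own UUID.
restart_genesis_all() {
    local ip uuid ips
    ips=$($1) || return 1
    for ip in $ips; do
        uuid=$(lookup_uuid "$ip" "$2") || { echo "no app UUID for $ip" >&2; return 1; }
        is_uuid "$uuid" || { echo "malformed UUID for $ip: $uuid" >&2; return 1; }
    done
    for ip in $ips; do
        uuid=$(lookup_uuid "$ip" "$2")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s: %s\n' "$ip" "$(genesis_cmd "$uuid")"
        else
            ssh "nutanix@$ip" "$(genesis_cmd "$uuid")"   # assumed CVM login
        fi
    done
}

# Stand-alone run: dry-run against a constructed node list instead of svmips.
sample_svmips() { printf '10.16.0.135\n10.16.0.136\n10.16.0.137\n'; }
DRY_RUN=1
restart_genesis_all sample_svmips "$NODE_MAP"
```

On a real cluster, replace sample_svmips with svmips and unset DRY_RUN only after the dry run prints one command per node with the UUID you expect for that node.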
6.0 Configure Encryption Settings
Perform the following steps:
Log in to Nutanix Prism.
Figure 4: Log in to Nutanix
Using the drop down menu, select Settings.
On the left pane, select Data-at-rest Encryption.
Figure 5: Data at rest encryption
Select An External KMS.
Fill in the Certificate Signing Request information and click Save CSR Info.
Click Add New Key Management Server.
Name the key management server.
Provide the address to your Fortanix DSM deployment (On-premises or SaaS).
Click Save.
Click Back.
Click Add New Certificate Authority.
NOTE
This will be the root CA certificate for the Fortanix DSM environment to which you will be connecting. Download a copy and have it ready for the next section.
Name the Certificate Authority.
Click Upload CA Certificate.
Browse for the CA Certificate.
Click Save.
Click Back.
7.0 Issue Certificate for Each Node
Perform the following steps:
In the Data-at-rest Encryption settings, under the Certificate Signing Request section, click Download CSRs for all nodes.
Figure 6: Download CSR for all nodes
Save these to any location.
Submit these to your organization's team that handles Certificates or PKI.
Depending on the size of your organization and its processes, you may need to return to this procedure later. After you have obtained the signed certificates, add them to the Key Management Server configuration in Nutanix Prism (Section 8.0) and to the app in Fortanix DSM (Section 9.0).
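Before uploading the signed certificates, it is worth checking that each one carries the node's app UUID (Section 4.5) as its Common Name and as a DNS subjectAltName, as required by Sections 2.0 and 5.0, and that it chains to the CA certificate uploaded in Section 6.0. The following shell script is an added example, not code from the Fortanix or Nutanix documentation. It assumes OpenSSL 1.1.1 or later on PATH; the CA and node certificate it builds in make_sample_pki are constructed test material standing in for your organization's PKI.

```shell
#!/usr/bin/env bash
# Added example, not part of the Fortanix/Nutanix guide: check a signed node
# certificate before uploading it to Prism and DSM. The certificate must carry
# the node's DSM app UUID as its CN and as a DNS subjectAltName, and must
# chain to the CA certificate uploaded in Section 6.0.
# Assumes OpenSSL 1.1.1 or later; make_sample_pki builds constructed test
# material (a throwaway CA and node certificate), not a real DSM environment.
set -u

# Print the CN of certificate $1 (RFC 2253 form, so RDNs are comma-separated).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Return 0 if certificate $1 has CN equal to app UUID $2.
cert_cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Return 0 if certificate $1 lists DNS:<app UUID $2> in subjectAltName.
cert_san_matches() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Return 0 if certificate $1 chains to CA certificate $2.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all three checks for node certificate $1, CA $2 and expected UUID $3;
# report every failure and return 1 if any check failed.
check_node_cert() {
    local rc=0
    cert_cn_matches "$1" "$3"  || { echo "CN is '$(cert_cn "$1")', expected $3" >&2; rc=1; }
    cert_san_matches "$1" "$3" || { echo "no DNS:$3 in subjectAltName" >&2; rc=1; }
    cert_chains_to "$1" "$2"   || { echo "certificate does not chain to $2" >&2; rc=1; }
    return $rc
}

# Constructed sample PKI in directory $1 for app UUID $2: a throwaway CA and a
# node certificate signed by it. The SAN is re-added at signing time with
# -extfile because "openssl x509 -req" does not copy CSR extensions by
# default; a CA that drops the SAN from the CSR fails the check above.
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/node.key" -out "$1/node.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
    openssl x509 -req -in "$1/node.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 1 -extfile "$1/san.cnf" -out "$1/node.pem" >/dev/null 2>&1
}

# Stand-alone demo: build the sample PKI, then check it against the right and
# a wrong UUID (the sample UUIDs from Section 4.5).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_sample_pki "$work" 3030a8c0-c520-4f0f-912a-d3bff6a272fd
    check_node_cert "$work/node.pem" "$work/ca.pem" 3030a8c0-c520-4f0f-912a-d3bff6a272fd \
        && echo "node 1 certificate OK"
    check_node_cert "$work/node.pem" "$work/ca.pem" 99d5cafd-95e0-4898-b93d-f46ce9550287 \
        || echo "node 2 UUID rejected, as expected"
    rm -rf "$work"
fi
```

For the real certificates, call check_node_cert once per node with that node's certificate, the CA certificate from Section 6.0, and the UUID you copied for that node in Section 4.5.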
8.0 Install Node Certificates in Nutanix Prism
Perform the following steps:
In the Data-at-rest Encryption settings, under Key Management Server, click Manage Certificates.
Figure 7: Manage certificates
Click Upload Files.
Find and select your certificate files and click Submit.
Click Test all nodes. If successful, click Back.
Figure 8: Testing Successful
9.0 Updating the Authentication Method
Perform the following steps to change the authentication method:
Go to the detailed view of the app created in Section 4.4: Creating an Application, click Change authentication method, and select the Certificate option to change the authentication method to Certificate.
Click SAVE.
On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file or paste the content of the certificate generated in Section 7.0: Issue Certificate for Each Node.
Select both check boxes to confirm your understanding of the action.
Click UPDATE to save the changes.
10.0 Enable Encryption
After all the above steps have been completed, you must enable encryption.
Perform the following steps:
Log in to Nutanix Prism.
Go to Data-at-rest Encryption settings and scroll to the bottom of the page.
Click Enable Encryption.
At the prompt, type ENCRYPT and click Encrypt.
If done properly, you will be presented with a screen that states success and that the system is encrypted.
Figure 9: Encryption Enabled
11.0 Verification
There are two places to verify the encryption.
In Nutanix Prism:
Click the Recent Tasks drop-down menu to see the current encryption progress per container.
In Fortanix DSM:
Observe the contents of your Nutanix group. You should see that the security objects have been created.
Figure 10: Security object created
Also observe the activity logs for each of the apps. You should see that the apps are authenticating and retrieving keys.
Figure 11: App activity logs
To verify from the Nutanix CLI, view the Mantle log:
cat ~/data/logs/mantle.INFO
Figure 12: Nutanix logs
NOTE
Fortanix recommends deploying DSM in a highly available configuration so that the service is not interrupted. Fortanix sizes a highly available deployment using the formula N/2 + 1, where N is the number of nodes. The minimum Fortanix DSM deployment is three nodes.