---
title: "Fortanix DSM with Scality S3C"
slug: "using-fortanix-data-security-manager-with-scality-s3c"
updated: 2026-04-01T08:41:23Z
published: 2026-03-18T08:03:00Z
---

# Fortanix DSM with Scality S3C

## 1.0 Introduction

This article describes how to integrate **Fortanix Data Security Manager (DSM)** with **Scality S3C** for **Transparent Bucket Encryption** using generic **Key Management Interoperability Protocol (KMIP)**.

It also contains the information that a user requires to:

- Set up Fortanix DSM
- Grab the Fortanix CA and generate a certificate
- Apply the certificate to the Fortanix DSM Application Object
- Enable audit logging in Fortanix DSM
- Configure S3C and
- Create an encrypted bucket

## 2.0 Prerequisites

The key management cloud service needs to be set up using `https://sdkms.fortanix.com/` before configuring Scality for bucket encryption.

This article assumes that access to the Fortanix DSM user interface (UI) and licensing has been established.

## 3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at `<Your_DSM_Service_URL>`. For example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 3.2 Creating an Account

Access `<Your_DSM_Service_URL>` in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

## 4.0 Using SaaS Deployment

Perform the following steps to configure the Scality wizard in Fortanix DSM SaaS:

1. Sign up at [https://smartkey.io/](https://smartkey.io/). This opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed [*here*](https://support.fortanix.com/docs/fortanix-dsm-saas-global-availability-map).
2. In the DSM left navigation panel, click the **Integrations** menu item, and then select the **Storage Encryption** check box. Click **ADD INSTANCE** on the **Scality** tile.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Storage-Encryption-Instances(1).png)

**Figure 2: Add instance**

3. On the **Add Instance** page:
  1. **Title**: Enter a name for your instance.
  2. **Authentication method**: Select **API Key**.
    1. **API Key**: This authenticates the application with the API Gateway.
    2. **Client Certificate**: This authenticates the application with Fortanix DSM using a Client Certificate. *For more information, refer to* [*Section 7.0: Generating a Certificate*](/v1/docs/using-fortanix-data-security-manager-with-scality-s3c#70-generating-a-certificate)*.*
  3. **Set app secret key size**: Select the application (app) key size from the available options in bytes.
4. Click **SAVE INSTANCE**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768771445775.png)

**Figure 3: Add scality instance**

Saving an instance creates a new group, an app, and keys within Fortanix DSM.

### 4.1 Scality Instance Detailed View

Navigate to the **Integrations** menu item → **Scality wizard** → Scality instances table. The instance detailed view page shows the following information:

- **CREDENTIALS**: Indicates the method used for app authentication.
  - Click **CERTIFICATE** to download the Client Certificate. This is applicable only if the app authentication method is Client Certificate.
  - Click **VIEW API KEY DETAILS** to view the details of the API key, such as username and password. This is applicable only if the app authentication method is API Key.
- **MANAGE KEYS**: Click **MANAGE** to oversee the keys created.
- **INSTANCE STATUS**: To disable the created instance, toggle **Disabled**.
- **DELETE**: To delete the instance, click the overflow menu ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1342)(6).png) and select **DELETE**. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768771429058.png)

**Figure 4: Instance detailed view**

## 5.0 Using On-premises Deployment

### 5.1 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(21).png)

**Figure 5: Add groups**

2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group. For example, **Scality S3C**.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 5.2 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(20).png)

**Figure 6: Add application**

2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application. For example, **Scality S3C Bucket Encryption**.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 5.1: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-with-scality-s3c#51-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

## 6.0 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 5.2: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-with-scality-s3c#52-creating-an-application) to go to the detailed view of the app.
2. At the top of the app’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the app **UUID** to copy it. You use it in [*Section 7.0: Generating a Certificate*](/v1/docs/using-fortanix-data-security-manager-with-scality-s3c#70-generating-a-certificate) as the value of the Common Name (CN) when generating the certificate.

## 7.0 Generating a Certificate

On a host with OpenSSL, create the certificate and private key that you need to authenticate to the KMIP service you just created.

```bash
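# Generate a self-signed client certificate whose CN is the DSM app UUID.
# -nodes leaves key.pem unencrypted, so restrict access to that file.
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem \
  -out cert.pem -days 365 \
  -subj "/CN=<UUID you copied from the app>"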
```

For example,

```bash
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
  -days 365 -subj "/CN=c6ad2ad7-4948-4b60-8cd6-f33c00a01428"
```

You should now have the following:

- The Fortanix CA certificate (`fortanix_ca.cer`).
- A private key (`key.pem`).
- A certificate (`cert.pem`).

## 8.0 Updating the Authentication Method

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in [*Section 5.2: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-with-scality-s3c#52-creating-an-application), click **Change authentication method**, and select **Certificate** to change the authentication method to Certificate.
2. Click **SAVE**.
3. On the **Add certificate** dialog box, click **UPLOAD NEW CERTIFICATE** to upload the certificate file or paste the content of the certificate generated in the previous section.
4. Select both check boxes to confirm your understanding of the action.
5. Click **UPDATE** to save the changes.

## 9.0 Retrieve Fortanix Certificate Authority (CA)

1. Go to the URL: `https://<fortanix_dsm_url>`.
2. In the URL address bar, click the padlock icon, then select **Certificate**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Scality_Certificate_Download(1).png)

**Figure 7: Get Certificate**

3. Select the certification path and then highlight the root **DST Root CA X3**.
4. Click **View Certificate**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/view_certificate(1).png)

**Figure 8: View certificate**

5. Select the **Details** tab and then click **Copy to File**.

![Scality4.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360092568711.png)

**Figure 9: Copy to file**

6. Click **Next**, select **Base-64 encoded X.509 (.CER)**, and then choose a filename and save the file. For example, `fortanix_ca.cer`.

![Scality5.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360092568911.png)

**Figure 10: Base64 Encoded**

## 10.0 Upload Certificate to Fortanix DSM App

Perform the following steps to **apply the new client certificate for app authentication**:

1. In the DSM left navigation panel, click the **Apps** menu item, and click the app created in [*Section 5.2: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-with-scality-s3c#52-creating-an-application) to go to the detailed view of the app.
2. In the **INFO** tab, click **UPDATE** in the **App Certificate** section.
3. In the dialog box, click **UPLOAD NEW CERTIFICATE** to browse and upload the `cert.pem` file.
4. Select both check boxes to confirm your understanding of the action.
5. Click **UPDATE**.

## 11.0 Enable Audit Logging in Fortanix DSM

Audit logging verifies that operations such as key creation, retrieval, encryption, decryption, or deletion are being properly executed. It also helps in troubleshooting issues by offering visibility into what actions were attempted and whether they succeeded or failed.

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 5.2: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-with-scality-s3c#52-creating-an-application) to go to the detailed view of the app.
2. In the **INFO** tab, under the **Groups** section, click the grid for **App permissions** to edit the app permissions.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Scality_Permissions.png)

**Figure 11: App permissions**

3. In the **Set app permissions for objects in the group** dialog box, select **Allow access to audit log**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768771501398.png)

**Figure 12: Enable audit logging**

4. Click **SAVE CHANGES**.

## 12.0 Configure Scality S3C

This section describes how to integrate Fortanix DSM as a Key Management Server (KMS) with Scality S3 Connector (S3C).

*For the latest instructions on configuring a KMS, refer to the*[*Scality documentation*](https://documentation.scality.com/)*.*

- Select your **RING version**.
- Navigate to the **S3 documentation** section.

In your deployment's `group_vars/all` file, include the following KMIP configuration under `env_s3`:

```yaml
env_s3:
  kmip:
    port: 5696
    host: <fortanix_dsm_url>
    compoundCreate: false
    bucketAttributeName: x-zenko-bucket
    pipelineDepth: 8
    key: kmip_key.pem
    cert: kmip_cert.pem
    ca:
      - fortanix_CA.cer
```

Replace `<fortanix_dsm_url>` with the actual Fortanix DSM host URL. For example, `amer.smartkey.io`.

All certificates must be placed in the appropriate `kmip` directory for your environment:

```bash
s3/federation/env/<your_environment>/kmip/
```

Where,

- `kmip_key.pem` refers to the KMIP client private key.
- `kmip_cert.pem` refers to the KMIP client certificate.
- `fortanix_CA.cer` refers to the Fortanix DSM CA certificate.

At the time of writing, there is:

- No default boilerplate `kmip` section in the `group_vars/all` file.
- No pre-created `kmip` directory under the environment path.

You must **manually create** both:

- The `kmip` section in the YAML configuration file.
- The `kmip` directory under your environment path to store the certificates.
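
An added pre-flight check for Sections 7.0 and 12.0 (example code, not from Fortanix or Scality): it confirms that the certificate CN is the app UUID, that the private key matches the certificate, and that the certificate is not about to expire, then copies `key.pem`, `cert.pem`, and the CA file under the file names the `kmip` block references. The function names, the 30-day expiry threshold, and the file modes are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before staging KMIP client credentials.

# Print the Common Name (CN) of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the CN equals the DSM app UUID copied in Section 6.0.
cn_matches_uuid() { [ "$(cert_cn "$1")" = "$2" ]; }

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeed only if the certificate is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: stage_kmip_files cert.pem key.pem fortanix_ca.cer <app-uuid> <kmip-dir>
# Copies the files under the names referenced by the env_s3.kmip block.
stage_kmip_files() {
  cn_matches_uuid "$1" "$4"  || { echo "CN is not the app UUID" >&2; return 1; }
  key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
  valid_for_days "$1" 30     || { echo "cert expires within 30 days" >&2; return 1; }
  mkdir -p "$5" || return 1
  # key.pem was generated with -nodes (unencrypted): owner-only permissions.
  install -m 0600 "$2" "$5/kmip_key.pem" &&
    install -m 0644 "$1" "$5/kmip_cert.pem" &&
    install -m 0644 "$3" "$5/fortanix_CA.cer"
}

# Run the staging step only when called with all five arguments.
if [ "$#" -eq 5 ]; then stage_kmip_files "$@"; fi
```

The destination directory is the `kmip` directory under `s3/federation/env/<your_environment>/`; file names are case-sensitive on Linux, so the CA file must be stored exactly as `fortanix_CA.cer` to match the configuration.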

## 13.0 Create an Encrypted Bucket

Encrypted buckets with S3C cannot be created using the standard Amazon API call. Instead, a special header must be included during bucket creation. A script for this is available in any CloudServer (S3) container. *For more information, refer to "Using Bucket Encryption" in the* [*S3 Connector Operation*](https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/) *documentation.*

If an issue occurs (for example, you receive a 50x error when attempting to create the bucket), relevant errors will appear in the S3 log on the host you are using. For example, `/var/log/s3/scality-s3-1/logs/s3-0.log`. If you did not get an error, congratulations! You have successfully created an encrypted bucket.

You will see a new security object in the Fortanix DSM UI confirming successful communication.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.
