1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with ShardSecure.
2.0 Prerequisites
Download and install the Fortanix DSM PKCS#11 library. For detailed steps, refer to the PKCS#11 Library.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Open <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to the Fortanix DSM.

Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface (optional): Select the PKCS#11 option as the interface type from the drop-down menu.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
From the API Key Details dialog box, copy the API Key of the app to use it later. This key will be used for the shardsecure.cluster.encryption.hsm.password parameter in the application.properties configuration.
3.6 Creating a Security Object
Perform the following steps to generate an AES key in the Fortanix DSM:
Click the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to add a security object.
Figure 5: Add Security Object
On the Add New Security Object page, enter the following details:
Security Object name: Enter the name of your security object. For example, cluster.master.key.
Group: Select the group created in Section 3.3: Creating a Group.
Select the GENERATE radio button.
Choose a type: Select the AES key type.
Key Size: Indicates the size of the key in bits. Keep it as 256 bits.
Key operations permitted: Select all the operations except Export. These operations define the actions that can be performed with the cryptographic key.
Click the GENERATE button to create the new security object.
The new security object has been added to the Fortanix DSM successfully.
4.0 Create a Configuration File for PKCS#11
Create a new configuration file for the Fortanix DSM PKCS#11 configuration.
Place the configuration file in the ShardSecure configuration directory.
Add the name of this file to properties as the parameter shardsecure.cluster.encryption.hsm.configfile.
For example, shardsecure.cluster.encryption.hsm.configfile=fortanix.cfg.
In this example, the Fortanix PKCS#11 module has been installed at the path /opt/fortanix/pkcs11/fortanix_pkcs11.so.
The slot number is not critical in the Fortanix configuration, and you may leave it as displayed in the example below.
name = FortanixHSM
library = /opt/fortanix/pkcs11/fortanix_pkcs11.so
slot = 0
attributes(generate, *, *) = {
CKA_TOKEN = true
}
attributes(*, CKO_CERTIFICATE, *) = {
CKA_PRIVATE = false
}
attributes(*, CKO_PUBLIC_KEY, *) = {
CKA_PRIVATE = false
}
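The following pre-flight check is an added example, not code from Fortanix or ShardSecure. It verifies that the two parameters named above and the PKCS#11 configuration file agree before the service is started. It assumes application.properties sits in the same configuration directory as the .cfg file and that the configfile value is resolved relative to that directory; the owner-only permission check on the file holding the API key is also an added assumption, and the function names are hypothetical.

```python
import re, stat, sys, tempfile
from pathlib import Path

PROP_CFG = "shardsecure.cluster.encryption.hsm.configfile"
PROP_PIN = "shardsecure.cluster.encryption.hsm.password"

def read_props(path):
    """Parse key=value lines of a Java-style properties file, skipping comments."""
    pairs = (l.split("=", 1) for l in Path(path).read_text().splitlines()
             if "=" in l and not l.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def preflight(conf_dir):
    """Return a list of problems in the ShardSecure / PKCS#11 configuration."""
    conf_dir, problems = Path(conf_dir), []
    app = conf_dir / "application.properties"   # assumed to sit beside the .cfg
    props = read_props(app)
    if not props.get(PROP_PIN):
        problems.append(f"{PROP_PIN} is missing or empty")
    # This file holds the DSM API key, so only its owner should be able to read it.
    if stat.S_IMODE(app.stat().st_mode) & 0o077:
        problems.append("application.properties is accessible to group/others")
    cfg = conf_dir / props.get(PROP_CFG, "")
    if not cfg.is_file():
        return problems + [f"{PROP_CFG} does not name a file in {conf_dir}"]
    # Top-level 'key = value' lines only; attributes(...) blocks do not match.
    top = dict(re.findall(r"^(name|library|slot)[ \t]*=[ \t]*(\S+)[ \t]*$",
                          cfg.read_text(), re.M))
    problems += [f"{cfg.name}: '{k}' is not set" for k in ("name", "library") if k not in top]
    if "library" in top and not Path(top["library"]).is_file():
        problems.append(f"PKCS#11 library not found: {top['library']}")
    return problems

def sample_dir(lib="/opt/fortanix/pkcs11/fortanix_pkcs11.so", mode=0o600):
    """Build a constructed config directory (placeholder API key) for a dry run."""
    d = Path(tempfile.mkdtemp())
    (d / "fortanix.cfg").write_text(f"name = FortanixHSM\nlibrary = {lib}\nslot = 0\n"
                                    "attributes(generate, *, *) = {\n  CKA_TOKEN = true\n}\n")
    app = d / "application.properties"
    app.write_text(f"{PROP_CFG}=fortanix.cfg\n{PROP_PIN}=PLACEHOLDER_API_KEY\n")
    app.chmod(mode)
    return d

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sample_dir()
    for p in preflight(target) or ["no problems found"]:
        print(p)
```

Run it with the ShardSecure configuration directory as the only argument; with no argument it checks the constructed sample directory.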