---
title: "Fortanix DSM with AWS External Key Store (XKS)"
slug: "using-fortanix-dsm-with-aws-external-key-store-xks"
updated: 2026-04-01T08:25:39Z
published: 2026-03-21T15:45:13Z
---

# Fortanix DSM with AWS External Key Store (XKS)

## 1.0 Introduction

This article describes how to integrate **Fortanix Data Security Manager (DSM)** with **AWS External Key Store (XKS)** to protect the data in AWS using keys stored in Fortanix DSM that users can use to perform cryptographic operations.

When using Fortanix DSM as an external key store for AWS Key Management Service, AWS allows two ways of communication:

- **Public Endpoint Connectivity** - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint.
- **Using Amazon VPC endpoint service** - AWS KMS connects to the XKS proxy by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS PrivateLink, which enables AWS KMS to privately connect to your Amazon VPC and your XKS proxy without using the public internet.

This article describes how to integrate Fortanix DSM as an external key store for AWS KMS using the public endpoint connectivity method. For the Amazon VPC endpoint service method, refer to [*Fortanix DSM with AWS External Key Store (XKS) - Concepts*](https://support.fortanix.com/docs/fortanix-dsm-with-aws-external-key-store-xks-concepts) and the integration guide [*Data Security Manager with Amazon XKS Using Virtual Private Cloud*](https://support.fortanix.com/docs/data-security-manager-with-amazon-xks-using-virtual-private-cloud).

## 2.0 Prerequisites

- Fortanix DSM version 4.9 and above: Fortanix introduced XKS support in DSM version 4.9 but requires the feature to be enabled through Fortanix Support. This feature became available by default starting with DSM version 4.16.
- AWS Console
- AES 256 key – For the initial implementation, only AES 256 keys are supported. This key is created in Fortanix DSM.

> [!NOTE]
> The AES key can either be imported or created in Fortanix DSM.

## 3.0 Using Fortanix DSM with AWS XKS

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for encrypting and decrypting data in AWS. In this method, cryptographic operations are performed inside Fortanix DSM. This differs from the import-key (known as Bring Your Own Key, or BYOK) functionality, where the key material for a key in Fortanix DSM (external HSM) is imported into AWS KMS, optionally with an expiration period, and cryptographic operations occur within an AWS data center.

## 4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>, for example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(72).png)

**Figure 2: Add groups**
2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 4.4 Creating or Importing an AES Key

Perform the following steps to generate an AES key in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click **ADD SECURITY OBJECT** to create a new security object.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-SO(27).png)

**Figure 3: Adding security object**
2. On the **Add new Security Object** page:
  1. **Security Object name**: Enter the name for your security object.
  2. **Group**: Select the group as created in [*Section 4.3: Creating a Group*](/v1/docs/using-fortanix-dsm-with-aws-external-key-store-xks#43-creating-a-group).
  3. Select **GENERATE**.
  4. In the **Choose a type** section, select the **AES** key type.
  5. In the **Key Size** section, select the size of the key in bits.
  6. In the **Key operations permitted** section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

> [!NOTE]
> Ensure that the new key has **Encrypt** and **Decrypt** key operations allowed.
3. Click **GENERATE** to create the new security object.

The new security object is added to the Fortanix DSM successfully.

You can also import an AES encryption key. *For more information on how to import a key, refer to the* [*User's Guide: Fortanix Data Security Manager Key Lifecycle Management*](/v1/docs/users-guide-fortanix-data-security-manager-key-lifecycle-management#111-import-security-objects)*.*

### 4.5 Copying the UUID of the AES Key

Perform the following steps to copy the security object UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click the security object created in [*Section 4.4: Creating a Security Object*](/v1/docs/using-fortanix-dsm-with-aws-external-key-store-xks#44-creating-a-security-object) to go to the detailed view of the security object.
2. From the top of the security object’s page, click the **COPY ID** drop-down menu, and then select **COPY UUID** to copy it for later use.

### 4.6 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(71).png)

**Figure 4: Add application**
2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select **AWS XKS** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 4.3: Creating a Group*](/v1/docs/using-fortanix-dsm-with-aws-external-key-store-xks#43-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 4.7 Updating the Authentication Method

You can also change the authentication method for an existing app to **AWS XKS** from the detailed view of an app.

> [!WARNING]
> Updating an authentication method causes the services relying on the app to stop working.

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in [*Section 4.6: Creating an Application*](/v1/docs/using-fortanix-dsm-with-aws-external-key-store-xks#46-creating-an-application), click **Change authentication method**, and then select **AWS XKS** to change the authentication method to AWS XKS.
2. Click **SAVE**.

### 4.8 Copying the App Configuration File

Perform the following steps to copy the app configuration file from the Fortanix DSM to configure DSM as an XKS in AWS:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 4.6: Creating an Application*](/v1/docs/using-fortanix-dsm-with-aws-external-key-store-xks#46-creating-an-application) to go to the detailed view of the app.
2. In the **INFO** tab and the **AWS XKS** section, click **VIEW INSTRUCTIONS**.
3. In the **AWS XKS** modal window, click **COPY CONFIG FILE** to copy all the configuration details at once to the clipboard in JSON format, or copy the URI and the configuration values individually and make a note of them.

The following are the configuration values:
  - **Path prefix**: A fixed path containing the Fortanix DSM app UUID.
  - **Access key ID and Secret access key**: The access key and secret access key are used by AWS to access Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769073891117.png)

**Figure 5: Copy the AWS XKS app configuration**

> [!NOTE]
> "amer.smartkey.io" opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed [here](/v1/docs/fortanix-dsm-saas-global-availability-map).

## 5.0 Configure DSM as an XKS with AWS

Perform the following steps:

1. Go to the AWS Console.
2. Click **Services** → **Key Management Service**.

![XKS_KMSSelect.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202184943892.png)

**Figure 6: Select AWS KMS**
3. From the left menu, select **Custom key stores** → **External key stores**.
4. On the **External key stores** page, click **Create external key store**.

![XKS_createXKS.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Using_Fortanix_DSM_with_AWS_External_Key_Store_XKS_.png)

**Figure 7: Create an external key store**
5. In the **Create external key store** form:
  1. **Key store name**: Enter a name for your key store. For example, **XKS Test**.

![XKS_createXKS1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_Create XKS.png)

**Figure 8: Create XKS**
  2. In the **Proxy Connectivity** section:
    1. Select the **Public endpoint** to communicate with the Fortanix DSM proxy.
    2. In the **Proxy URI endpoint** field, enter the URI that you copied in *Step 2*. For example, `https://<fortanix_dsm_url>`.

![XKS_createXKS2.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/24751443310100.png)

**Figure 9: Create XKS**
  3. In the **Proxy configuration** section:
    1. Paste the individual configuration values that you copied in *Step 2* in the **Proxy URI path prefix**, **Access key ID**, and **Secret access key** fields, respectively **OR**
    2. Click **Upload configuration file** and paste the JSON configuration details that you copied in *Step 2*.

![XKS_UploadConfig.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202352244116.png)

**Figure 10: Upload configuration file**
  4. If you selected option (ii) above, then paste the JSON Configuration in the text box and click **Use this proxy configuration** to save the configuration.

![XKS_UploadConfig1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202354375060.png)

**Figure 11: Proxy configuration**
  5. Click **Create external key store** to complete the XKS creation process.

![XKS_createXKSPress.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202356203540.png)

**Figure 12: Create XKS**
  6. Click **Connect key store** to connect the XKS with Fortanix DSM so that you can start creating keys in this key store.

![XKS_connect.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_XKS Connect Key Store.png)

**Figure 13: Connect keystore**
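
The console steps above correspond to the KMS `CreateCustomKeyStore` API call. The following Python is an added example, not code from Fortanix or AWS: it checks a copied proxy configuration and the endpoint against the field constraints in the KMS API reference before anything is submitted, and returns the request parameters. It assumes the copied JSON uses the AWS proxy configuration file field names; `build_xks_request` is a hypothetical helper and all sample values are constructed.

```python
import json
import re

# Field constraints from the AWS KMS API reference for CreateCustomKeyStore
# (assumption: confirm against the current reference before relying on them).
ENDPOINT_RE = re.compile(r"https://[a-zA-Z0-9.-]{2,120}")
PATH_RE = re.compile(r"(?=.{10,128}\Z)(/[a-zA-Z0-9/_-]+)?/kms/xks/v\d{1,2}")
ACCESS_KEY_RE = re.compile(r"[A-Z2-7]{20,30}")
SECRET_RE = re.compile(r"[a-zA-Z0-9/+=]{43,64}")
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def build_xks_request(config_json, endpoint, store_name):
    """Validate a copied proxy config; return CreateCustomKeyStore parameters."""
    cfg = json.loads(config_json)
    path = cfg["XksProxyUriPath"]
    cred = cfg["XksProxyAuthenticationCredential"]
    checks = [
        (ENDPOINT_RE, endpoint, "endpoint must be https://<host>, no port or path"),
        (PATH_RE, path, "URI path must end in /kms/xks/v<N>"),
        (ACCESS_KEY_RE, cred["AccessKeyId"], "AccessKeyId: 20-30 chars of A-Z, 2-7"),
        (SECRET_RE, cred["RawSecretAccessKey"],
         "RawSecretAccessKey: 43-64 chars of a-zA-Z0-9/+="),
    ]
    # Messages name the failing field only, so the secret is never echoed.
    problems = [msg for rx, value, msg in checks if not rx.fullmatch(value)]
    if not UUID_RE.search(path):
        problems.append("path prefix does not contain a DSM app UUID")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "CustomKeyStoreName": store_name,
        "CustomKeyStoreType": "EXTERNAL_KEY_STORE",
        "XksProxyConnectivity": "PUBLIC_ENDPOINT",  # the method this article uses
        "XksProxyUriEndpoint": endpoint,
        "XksProxyUriPath": path,
        "XksProxyAuthenticationCredential": cred,
    }

# Constructed sample values: not real credentials and not a real DSM path.
SAMPLE_CONFIG = json.dumps({
    "XksProxyUriPath": "/example/3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b/kms/xks/v1",
    "XksProxyAuthenticationCredential": {
        "AccessKeyId": "ABCDEFGHIJKLMNOPQRST2345",
        "RawSecretAccessKey": "A" * 43,
    },
})

if __name__ == "__main__":
    print(sorted(build_xks_request(SAMPLE_CONFIG, "https://amer.smartkey.io", "XKS Test")))
```

The returned dictionary can be passed to boto3 as `kms.create_custom_key_store(**params)`, followed by `connect_custom_key_store` with the returned `CustomKeyStoreId`; these correspond to the **Create external key store** and **Connect key store** actions above.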

## 6.0 Create Keys in the External Key Store

After the connection between AWS XKS and Fortanix DSM is successful, you can start creating keys in this key store using the following steps:

1. Click **Create a KMS key in this key store** to create a key.

![XKS_createKey.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_XKS Create a Key.png)

**Figure 14: Create a key**
2. In the **External key ID** section, enter the UUID of the AES 256 key as copied in [*Section 4.5: Copying the Security Object UUID*](/v1/docs/using-fortanix-dsm-with-aws-external-key-store-xks#45-copying-the-security-object-uuid).
3. Select the check box to **Confirm use of external key store**.
4. Click **Next**.

![XKS_pasteSOUUID.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202564126740.png)

**Figure 15: External key ID**
5. In the **Add labels** page, enter the key **Alias**.
6. Click **Next**.

![XKS_SOAlias.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202583730068.png)

**Figure 16: Add alias**
7. Next, select the key administrators who can administer this key using the KMS API and click **Next**.

![XKS_keyAdmins.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202600611092.png)

**Figure 17: Key administrators**
8. Select the users who will use the key for cryptographic operations and click **Next**.

![XKS_keyCryptoUsers.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202602053652.png)

**Figure 18: Key usage permissions**
9. Review the updates and click **Finish**.
10. The AWS KMS key is now successfully created in the XKS.

![XKS_KeyCreationSuccess.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/11202588136212.png)

**Figure 19: Key created in XKS**

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

