[4.13] - Jan 05, 2023

Fortanix Data Security Manager (DSM) 4.13 comes with some exciting new features, general enhancements, improvements, and resolved issues.

This release is superseded by February 15, 2023, release.

  • It is “REQUIRED” to upgrade Fortanix DSM to version 4.9 or 4.11 before upgrading to version 4.13. If you want to upgrade to 4.13 from an older version, please reach out to the Fortanix Support team.
  • Once upgraded to version 4.13, Fortanix DSM can NO LONGER be downgraded to any prior version. This is due to limitations of common infrastructure components such as Docker and Kubernetes.
  • The Fortanix DSM cluster upgrade must be done with Fortanix Support on call. Please reach out to Fortanix Support if you are planning an upgrade.
  • The customer's BIOS version must be checked by Fortanix Support prior to the Fortanix DSM software upgrade. If required, the BIOS version should be upgraded to the latest version and verified by Fortanix Support for a smooth upgrade.
  • The Fortanix DSM Dashboard's performance is significantly improved in this release. With this improvement, the dashboard will take no more than 2-3 seconds to load the last six months of data after aggregation is complete for a specific account. However, you may observe more latency during the account aggregation, which is a one-time activity.
  • If your Fortanix DSM version is 4.13 or later, then the HSM gateway version must also be 4.13 or later. Similarly, if the HSM Gateway version is 4.13 or later, then your Fortanix DSM version must be 4.13 or later.

1. New Functionality/Feature(s)

1.1 Extended Virtual Keys – Key Caching and Automatic Key Scan (JIRA: ROFR-3462)

1.1.1 Added support to specify scheduled scans (JIRA: PROD-5544)

This release adds support to store the cached key material of the DSM source keys in the DSM destination group using DSM-backed group configuration so that the keys are replicated across cloud and on-prem environments. This way applications can fall back to a different cluster if one is down.

  • You can also perform automatic scheduled scans to scan the source group for new keys.


For more details, refer to Fortanix Extended Virtual Keys Guide.

1.2  Added a new sub-section for “Post-Quantum Cryptography (PQC)” key types in the security object form (JIRA: ROFR-3702)

1.2.1 Support for LMS key type (JIRA: ROFR-1616)

This release adds support for generating a new key type called LMS key that can only be used for signature generation and verification.


For more details refer to the User’s Guide: Key Lifecycle Management.

1.3 Show expired Quorum approval requests in the DSM UI (JIRA: ROFR-3755)

This release adds a new feature in the Quorum approval request Account Settings page, that allows you to retain expired approval requests in the Tasks pane and you can also generate audit logs for expired approval requests.



For more details refer to the User’s Guide: Quorum Policy.

1.4  Allow exporting RSA/EC keys as encrypted key material (JIRA: ROFR-3015)

This release adds support to export RSA/EC keys as encrypted key material and wrap with an AES key.


For more details refer to the User’s Guide: Export Key.

1.5 Time-based policy to purge audit logs (JIRA: PROD-4115)

This release adds the ability to set the retention period of audit logs for each account.    Purging older logs will help keep log performance and search functions robust.  Please ensure that any logs needed for long-term retention are off-boarded through the DSM Log Management feature before enabling log purge.


For more details refer to the User’s Guide: Logging

  • The Audit logs list now only shows logs for a 30-day range using the Time filter(JIRA: ROFR-3780)

    • Added support to search audit logs using the “Time” filter in the Search Bar to search audit logs for any 30-day period.
    • Added notifications to show the end of the list and when the audit log table is empty.

1.6 Added new Custom Group Role Security Objects permissions (JIRA: ROFR-3683): 

The Security Objects permissions in a Custom Group Role now include the Derive and Transform permissions.


1.7 Added a new DATA EXPORT page to export all security objects as a CSV (JIRA: ROFR-3491)

This release adds a new tab called DATA EXPORT in the DSM Account settings page to export all the security objects in that DSM account as a CSV file.

This feature exports only the key metadata, not the actual key material.


For more details, refer to the User’s Guide: Data Export.

1.8 Support for AWS External Key Stores (JIRA: PROD-3914)

Support is now generally available for AWS External Key Stores (XKS), enabling DSM to be a Root of Trust for the AWS Key Management Service. Please contact Fortanix support for instructions on how to enable this feature on your installation.

For more details, refer to the AWS External Key Store Concepts.

2. Enhancements to Existing Features

  1. Cryptographic policy improvements for DES3 key (JIRA: ROFR-3715):

    You can now select the key length for DES3 keys in the Cryptographic policy for security objects at the DSM account and group levels.

  2. Google Workspace CSE easy wizard integration improvements (JIRA: ROFR-2815).. You can now configure a new Google Workspace CSE instance using the Integrations tab that supports the following:
    • Auto-generate the Key Service URL using the Add Instance wizard.
    • Auto-generate and Google CSE group and an AES key to encrypt the Google Workspace CSE documents.
    • Ability to edit an instance (JIRA: ROFR-3718).
    • Ability to delete an instance (JIRA: ROFR-3718).
    WorkspaceAddInstance.png For more details, refer to the Integration Guide: DSM with Google Workspace CSE.
  3. VMware Easy Wizard improvements
    • Improved the delete instance message for VMware easy wizard (JIRA: ROFR-3694). VMWareWizard.png
    • Updated the VMware easy wizard interface type to KMIP (JIRA: ROFR-3693). VMwareKMIP.png
  4. Added the ability to copy a secret value without showing the value on screen (JIRA: ROFR-3655): CopySecret.png
  5. Added “Business Email” instead of “Email” in the DSM On-prem Signup and Login form (JIRA: ROFR-3636).

  6. Improvements to the labels for the “mode of operation” when unwrapping a security object with RSA key (JIRA: ROFR-3624)..
  7. Improved the options for Minimum password length in the System Administration Policies settings (JIRA: ROFR-3596). PasswordLength.png For more details, refer to the System Administration Guide: Policies.
  8. Added documentation link for Transparent Encryption Proxy (TEP) in the easy wizard integration for TEP (JIRA: ROFR-3595)..
  9. Implemented a human-readable view for Quorum approval requests related to the Group Key Encryption Key (KEK) feature (JIRA: ROFR-3321).  Group_KEK.png
  10. This release allows updating the app-level Client Configuration KMIP settings using the DSM REST API and after you set it, a read-only view of the setting will be visible in the detailed view of the app in the DSM UI (JIRA: ROFR-3081). ClientcONFIG.png

  11. Improvements to the User Profile page in the DSM UI (JIRA: ROFR-2955)::
    • The User icon is consistent with Fortanix iconography.
    • Added "Created" and "Last login" information.
    • Enabled email confirmation.
    • Ability to view and copy your user ID.
  12. Improved the audit logs section in the DSM app detailed view (JIRA: ROFR-2792):.
    If the audit log list in the DSM app detailed view exceeds more than “N”, you can see the complete logs using the LOAD MORE button which redirects to the Audit logs list page. LogLoadMore.png
  13. Improved the Quorum approval workflow by updating the status of an exported key after it is downloaded (JIRA: PROD-2507). ExportStatus.png
    For more details, refer to the User’s Guide: Export Key.
  14. Improved audit logs for denied key access due to Key Access Justification (KAJ) policy at key level (JIRA: PROD-5069):
    The audit log for denied key access now shows:
    • The Key ID and Key Name of the key that was denied access.
    • The KAJ reason due to which the key access was restricted.
  15. Applied the updated “Pending Changes” text in the System Administration Policies Settings for Sign up email confirmation (JIRA: ROFR-3595).
  16. Added “HIGHVOLUME” in the filter for key operations for Server-Side Table Processing (JIRA: ROFR-3582).
  17. The RSA/ ECB/OAEPADDING is now supported for OAEP_MGF1_SHA256, OAEP_MGF1_SHA384, OAEP_MGF1_SHA512 modes (JIRA: PROD-5576).
  18. Support to show audit logs for scheduled key rotation (JIRA: PROD-5318).
  19. Audit logs are now restricted to the last 30-day range (JIRA: ROFR-3780).
    You can now view audit logs for the last 30-day period. To view older logs you need to use the “Time” filter in the search bar.
  20. Support to wrap an AES key with an RSA key in a FIPS-backed group (JIRA: PROD-5823).
  21. Removed the “Last Run” column for the Plugins list view table (JIRA: ROFR-3654).
  22. Improved the description for purging an Azure soft-deleted key in the section Purge deleted key in Azure key vault in the Azure Key Details tab (JIRA: ROFR-3650).
  23. Added “read-only mode” for all UI screens for a System Operator role in the System Administration settings view (JIRA: ROFR-3711).
    As system operators do not have permissions to add/modify any System Administration settings, a read-only view is created for this role so that they can view but not edit the settings.
  24. DSM SaaS improvements:
    • Improved the Trial Expiration logic for DSM SaaS (JIRA: ROFR-3699).
      The trial expiration logic is now simplified to always use trial_expires_at field instead of expires_at field in account details for information regarding trial expiry.
  25. Improved the signup error message when trying to sign up using a sign-up URL if you are restricted from signing up (JIRA: ROFR-3684). SignUpError.png

3. Client Features and Enhancements

  1. KMIP Client Enhancements:
    1. Added support for modifying custom X attributes (JIRA: PROD-5457).
  2. JCE Client enhancements:
    1. The RSA/ ECB/OAEPADDING is now supported for all the standard combinations of SHA-series hash and MGF1 padding -OAEP_MGF1_SHA256, OAEP_MGF1_SHA384, OAEP_MGF1_SHA512 (JIRA: PROD-4446).
  3. Terraform Client enhancements:
    1. Added support to assign multiple groups to a single app with an authentication method as "Google Service Account" (JIRA: DEVOPS-3299).
    2. Added support to import keys and upload the signed certificate and private key. (JIRA: PROD-4714).
    3. Added support for managing existing groups (JIRA: DEVOPS-3325).
    4. Added support for uploading custom security objects (JIRA: PROD-5983).
    5. Added support to rotate a security object of type "Secret" (JIRA: DEVOPS-2910).
    For more details refer to, https://support.fortanix.com/hc/en-us/sections/10080063172884-Terraform-Provider.

4. Other Improvements

  1. Stackdriver now sends logs in batches for better performance (JIRA: PROD-5890).
  2. Improved sdkms-cli error messages (JIRA: PROD-5183).
  3. REST API improvements:
    1. Improvements to the API for short-term DSM password policies (JIRA: PROD-5742).
    2. Refactored security object creation flow by adding new components:
      • Added new components to refactor security object size (JIRA: ROFR-3666).
      • Added new components to refactor security object creation type (JIRA: ROFR-3666).
      • Added new components to refactor security object group selection (JIRA: ROFR-3664).
      • Added a new component to refactor security object type selection (JIRA: ROFR-3663).
    3. Improved the slowdown caused by the check_access() API (JIRA: PROD-5565).
  4. Added new custom attributes for VMware Vsphere (JIRA: PROD-5709).
  5. Improved the System Administration UI by ignoring the pods that are in the “Completed” state but showing as unhealthy in the UI (JIRA: ROFR-2080).

5. Bug Fixes

  • Fixed a page crash issue when creating security objects in an Azure or HSM-backed group (JIRA: ROFR-3770).
  • Fixed bad templating of the cleanup job that cleans the leftover security objects from deleted accounts (JIRA: PROD-5927).
  • Fixed an issue where the CHANGE GROUP button in the detailed view of a security object flickers on hover (JIRA: ROFR-3759).
  • Fixed an issue where the Use denylist option in the Minimum password length section of the System Administration Policies settings does not get updated when selected (JIRA: ROFR-3757).
  • Fixed an issue where Quorum approval API requests were failing and returning a 500 error code (JIRA: PROD-5888).
  • Fixed an issue where the backend changes for PKCS#11 client configuration variable  prevent_duplicate_opaque_objects was not reflecting on the DSM UI (JIRA: ROFR-3748).
  • Fixed an issue where the System Administration tab on the DSM UI was getting disabled when navigating to the Settings page (JIRA: ROFR-3747).
  • Fixed an issue where exporting a Secret key shows AS ENCRYPTED KEY MATERIAL option on the modal window in a disabled state (JIRA: ROFR-3743).
  • Fixed wrong text in the Key deactivation tooltip in the Copy key modal window when copying a key from a normal group to an AWS-backed group (JIRA: ROFR-3741).
  • Fixed a UI crash in the Tasks->Pending tab when importing an AES using Key Components (JIRA: ROFR-3732).
  • Removed an extra character present in the Client Configuration (Advanced) section in the group detailed view (JIRA: ROFR-3729).
  • Fixed the label for the CANCEL CHANGES button in the Pending Changes box in the System Administration Policies page (JIRA: ROFR-3717).
  • Fixed an issue where the create security object flow shows additional key types even though the account-level Cryptographic policy was updated to support only certain keys (JIRA: ROFR-3716).
  • Fixed an issue that did not allow users to create a group quorum policy when Derive and Transform operations were present (JIRA: ROFR-3710).
  • Fixed an issue where the user was unable to create Admin Apps with a Custom account role (JIRA: ROFR-3709).
  • Fixed an issue where removing key permission using the Restrict Key Permissions dialog box resulted in some buttons being enabled even before the permission update operation was completed (JIRA: ROFR-3707).
  • Fixed a panic in the account selection page when an invited user logs in and tries to select an account that still shows as “pending” (JIRA: ROFR-3706).
  • Fixed an issue where the COPY KEY modal window does not filter external and normal groups (JIRA: ROFR-3705).
  • Fixed styling issue on the DSM homepage (JIRA: ROFR-3703).
  • Fixed an issue where the Cryptography intersectTypes function was missing the logic for new key types (JIRA: ROFR-3701).
  • Fixed an issue that allowed a user to click the Delete button multiple times to delete a Cryptographic policy (JIRA: ROFR-3698).
  • Fixed a font issue on the Cryptographic policy page (JIRA: ROFR-3697).
  • Fixed missing Audit Log breadcrumb on the Audit Log list page (JIRA: ROFR-3695).
  • Fixed unnecessary characters getting appended to the AWS alias in the response of the POST API call during the import key operation (JIRA: PROD-5792).
  • Fixed unnecessary characters getting appended to the AWS alias in the response of the GET call during the scan key operation (JIRA: PROD-5784).
  • Fixed an issue where users were not able to log in using the Microsoft Edge browser when U2F is enabled (JIRA: ROFR-3685).
  • Fixed missing icon to identify an AWS multi-region key (JIRA: ROFR-3681).
  • Fixed an issue that shows an error notification when you double-click the Save button when creating a plugin from the Plugin library (JIRA: ROFR-3679).
  • Fixed an issue where the values in the Select Value drop down were cut off in the Custom Attribute section of a security object (JIRA: ROFR-3678).
  • Fixed a mismatch in the Trial Expiration enforcement setting between the UI and backend in the DSM SaaS System Administration account (JIRA: ROFR-3674).
  • Fixed issues in the BIP32 index boundary values and derive hard child index value (JIRA: ROFR-3671).
  • Fixed an issue that does not send “GCPBYOK” in the payload when a System Administrator updates the subscription from Trial to Custom (JIRA: ROFR-3661).
  • Fixed broken service topology specification for redistributeExternalTraffic during Kubernetes to version 1.19 (JIRA: DEVOPS-3268).
  • Fixed the label for the check box “List previous versions” when publishing a public key (JIRA: ROFR-3653).
  • Fixed an issue where the URL of a public key has spaces (JIRA: ROFR-3652).
  • Fixed the validation for AWS Aliases (JIRA: ROFR-3643).
  • Fixed an issue for BIP32 keys where deriving hard and weak child results in error (JIRA: ROFR-3644).
  • Fixed an issue where the CUSTOM ACCOUNT ROLES tab was missing on some pages (JIRA: ROFR-3615).
  • Fixed an issue in the PKCS#11 Client Configuration settings where, updating a specific feature to true converts all features to true (JIRA: ROFR-3614).
  • Fixed an issue where AWS aliases allowed invalid characters (JIRA: PROD-5620).
  • Fixed an issue that now validates if the image uploaded for an Account logo is a valid base64-encoded image (JIRA: ROFR-3611).
  • Fixed an issue where custom attributes of the source key were not added to a DSM-backed group (JIRA: ROFR-3610).
  • Fixed an issue where the keytool cert request was not working as expected in Java (JIRA: PROD-5562).
  • Fixed an issue where the Credentials column component for an AWS XKS app was inconsistent in the detailed app view and app table view (JIRA: ROFR-3600).
  • Fixed a broken documentation link in the app detailed view (JIRA: ROFR-3599).
  • Fixed an issue where Key compromise action sends an incorrect request body (JIRA: ROFR-3598).
  • Fixed missing option to enter AWS alias in the dialog box for AWS virtual key rotate to DSM key (JIRA: ROFR-3594).
  • Fixed an issue where the GCP Key Ring name was not visible when you create a KEY in a GCP-backed group (JIRA: ROFR-3591).
  • Fixed an issue where the Home dashboard on DSM SaaS required a hard refresh to update data (JIRA: ROFR-3571).
  • Removed key deactivation and activation option from the DSM UI for AWS KMS virtual keys (JIRA: ROFR-3566).
  • Fixed an issue that now handles null UUIDs for the audit log entries gracefully (JIRA: ROFR-3538).
  • Fixed an issue where a user was created even when the invite user flow was canceled (JIRA: ROFR-3506).
  • Added warning in the UI when a compromised key is enabled and copied to a new group (JIRA: ROFR-3498).
  • Fixed an issue where the Key undo policy and Key custodian policy icons were not visible on the security object detailed view next to the Group name (JIRA: ROFR-3498).
  • Fixed an issue where the Key Management permissions for a group Quorum policy were displayed in an incorrect format (JIRA: ROFR-3490).
  • Fixed following issues for a BIP32 key (JIRA: ROFR-3463):
    1. Detailed view of a BIP32 key must not have CREATE NEW BIP32 KEY option in the NEW OBJECT drop down.
    2. The Path field must not have commas and spaces.
  • Fixed an incorrect error message when a security object is deleted from a group that has a Quorum approval policy configured (JIRA: ROFR-3431).
  • Fixed alignment of the plus icon for the ADD SCHEMA option in the Configure Schema section in the Add TEP instance screen (JIRA: ROFR-3408).
  • Fixed an issue where a disabled check box could be selected in the Quorum approval policy group settings (JIRA: ROFR-3407).
  • Fixed an issue where the check box for the entries in the USERS, APPS, or PLUGINS tab was disabled when you click MANAGE from the TEP instance table (JIRA: ROFR-3405).
  • Fixed an issue where TEP supports limited cipher modes, but the error message lists all cipher modes (JIRA: ROFR-3402).
  • Fixed an issue where more than one Quorum approval request gets generated for enabling or disabling plugins (JIRA: ROFR-3401).
  • Fixed an issue that did not allow navigating back to the TEP instance from the DSM KEY (JIRA: ROFR-3391).
  • Fixed an issue that lists only AES for selecting the wrapping key (JIRA: ROFR-3294).
  • Fixed an issue in which double-clicking the Enable option for Two-step Authentication on the user’s profile page does not create the U2F key (JIRA: ROFR-3280).
  • Fixed an issue where even if the Key metadata policy is added to a group, the Key metadata icon is not displayed next to the group name (JIRA: ROFR-3149).
  • Fixed an issue where the System Administrator Operator role shows extra privileges (JIRA: ROFR-3119).
  • Fixed a page crash issue due to getAwsRegionFromSobject failure to parse the region from the URL (JIRA: ROFR-3808).

6. Quality Enhancements/Updates

  • Created a Cron job for audit log purge (JIRA: DEVOPS-3472).
  • Updated the Docker CE version from 18.06.3 to 19.03.11 (JIRA: DEVOPS-3148).

7. Known Issues

  • An account could be lost if account tables are inconsistent between nodes. Make sure a backup is successful before proceeding with ANY upgrade (JIRA: PROD-4234).
  • When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
  • The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).
  • Unable to perform Local encrypt/decrypt operation in Fortanix DSM-Accelerator using DES3 algorithm in CBC/ECB mode with the key size 112 (JIRA: PROD-5598).
  • When a quorum approval is generated and the request expires, clicking the group that triggered the quorum approval results in a 500 error if the "Retain expired requests"toggle is enabled in the Account quorum policy settings (JIRA: PROD-6038).
  • In the Google Workspace CSE easy wizard integration, the Review page has the Key Service URL hardcoded to the AMER cluster by error (JIRA: ROFR-3810).
    Workaround: Copy the correct Key Service URL from the security objects detailed view page. CSE-KnownIssue.png

8. Fortanix Data Security Manager Performance Statistics

8.1 Series 2

Key Types and Operations Throughput (Operations/second on a  3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1700 (invocations/second)



8.2 Azure Standard_DC8_v2

Key Types and Operations Throughput (Operations/second on a  3-node [Standard_DC8_v2] cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

 1639 (invocations/second)



8.3 Series 2 JCE

Key Types and Operations Throughput (Operations/second on a  3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256 Key Generation


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1678 (invocations/second)



8.4 Azure Standard_DC8 JCE

Key Types and Operations Throughput (Operations/second on a  3-node [Standard_DC8 JCE] cluster)
AES 256: CBC Encryption/Decryption


AES 256 Key Generation


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1597 (invocations/second)

9. Fortanix Data Security Manager-Accelerator Performance Statistics

9.1 Runtime Environment

  • The following table lists the standard recommended runtime environment. You can choose a higher configuration for better performance.
  • DSM-Accelerator was run in the runtime environment listed below for performance testing.
Item Specification
Number of Cores



Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz


32 GiB



9.2 DSM-Accelerator Webservice

The performance numbers below are captured with a single node; if you need higher performance or throughput, then we recommend adding multiple nodes.
Key Types and Operations Throughput (Operations/second on a 1-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption




9.3 Additional Modes

Key Types and Operations Throughput (Operations/second on a 1-node cluster)
AES 256: CBCNOPAD Encryption/Decryption


AES 256: CFB Encryption/Decryption


AES 256: CTR Encryption/Decryption


AES 256: OFB Encryption/Decryption


10. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful