Using Fortanix Data Security Manager with BeyondTrust Password Safe

1.0 Introduction

This article describes the steps to integrate Fortanix Data Security Manager (DSM) with BeyondTrust Password Safe. The integration is based on PKCS#11.

Password Safe allows users and applications to check out passwords or sessions using passwords. Password Safe is also responsible for rotating the passwords for the privileged accounts it manages. For check-out operations, the passwords stored in Password Safe must be decrypted. The new value must be encrypted when Password Safe rotates or changes a password.  While Password Safe can use self-generated keys to encrypt and decrypt passwords, there are benefits associated with externalizing all encryption and decryption operations to Fortanix Data Security Manager. 

Customers can benefit from the ability to monitor key usage and the ability to invalidate a key, even if they cannot get access to Password Safe. Externalizing Password Safe keys to Fortanix DSM gives customers more security controls and flexibility, opening up use cases like BYOK (Bring Your Own Key) and HOYK (Hold Your Own Key).

This quick, step-by-step guide will show you how to set up a simple integration that will let Password Safe send encryption and decryption operations to Fortanix DSM from the outside. More advanced configuration options, including the configuration of the HSM Gateway to allow the use of third-party on-premise or cloud-based HSM solutions, can be found here:

This integration has been tested and works with Fortanix DSM 4.14 and higher and Password Safe (BeyondInsight) 21.3 and higher.

2.0 Configure Fortanix DSM for Password Safe

  1. Sign up and log in to Fortanix DSM SaaS – and create an account.
  2. Create a new group in Fortanix DSM.
      ConfigureGroup-BeyondTrust.png Figure 1: Create a group in Fortanix DSM
  3. Create a new app and assign it to the same group created in Step 2. Note the API key of the app to use later.
      CreateApp-BeyondTrust.png Figure 2: Create new app
    For more details to create an account and an app, refer to the Getting Started Guide.
  4. Now download the latest Fortanix PKCS#11 Windows 64-bit client on your BeyondInsight server or appliance. Use the following URL:
      PKCS11-BeyondTrust.png Figure 3: PKCS#11 windows 64-bit
  5. After installing the MSI (Microsoft Software Installer) on your BeyondInsight server or appliance, you should be able to find the PKCS#11 driver and a README.txt file.
      PKCS11ReadMe-BeyondTrust.png Figure 4: KMS client folder
  6. Configure the HSM Credentials using the BeyondInsight Configuration tool. The PIN is the API key of the Fortanix DSM app that you noted in Step 3 above.
      ConfigureHSM-BeyondTrust.png Figure 5: Configure HSM credentials
  7. Now in Password Safe, test and change the password for a Managed Account using the Change Password option. You should see a successful message at the bottom for each test and change password action.
      ChangePassword-BeyondTrust.png Figure 6: Change password for managed account
  8. In Fortanix DSM, you should be able to find the new key created by Password Safe, with the name we used in Step 6 above.
      KeyCreatedDSM-BeyondTrust.png Figure 7: Key created
  9. The activity logs for the security object in Fortanix DSM should confirm that Decryption (Test Password) and Encryption (Change Password) operations are performed by Password Safe.
      DSMActivityLogs-BeyondTrust.png Figure 8: Activity logs


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful