[4.27] - April 11, 2024

Fortanix Data Security Manager (DSM) 4.27 comes with some exciting new features, improvements, and resolved issues.

WARNING
  • You are required to upgrade Fortanix DSM to version 4.19 or 4.23 before upgrading to version 4.27. If you want to upgrade to 4.27 from an earlier version, please reach out to the Fortanix Support team.
  • Downgrade from 4.27 to any version before 4.23 is not supported due to the Kubernetes version upgrade. Please reach out to Fortanix Support for downgrading to version 4.23.
NOTE
  • The Fortanix DSM cluster upgrade must be done with Fortanix Support on call. Please reach out to Fortanix Support if you are planning an upgrade.
  • The customer's BIOS version must be checked by Fortanix Support before the Fortanix DSM software upgrade. If required, the BIOS version should be upgraded to the latest version and verified by Fortanix Support for a smooth upgrade.
  • If your Fortanix DSM version is 4.13 or later, then the HSM gateway version must also be 4.13 or later. Similarly, if the HSM Gateway version is 4.13 or later, then your Fortanix DSM version must be 4.13 or later.
  • In the 4.27 release, performance will slightly decrease for certain cryptographic operations. Fortanix is investigating this.

1. New Features

  1. Added support to verify the client certificate revocation status when using Trusted CA as the application (app) authentication method (JIRA: PM-176).
    When adding a new app with Trusted CA as the app authentication method, the user can now configure checking of the Certificate Revocation List (CRL) status of the client certificate used to authenticate the app connection by selecting the check box labeled Verify client certificate revocation status.
    For more details, refer to User's Guide: Authentication.
  2. Added ML-KEM Kyber Crystal algorithm support in DSM (JIRA: PM-1).
    With this feature, a user can now select ML-KEM as a post-quantum cryptography method when generating a new security object.
    For more details, refer to User's Guide: Fortanix Data Security Manager Key Lifecycle Management.

2. Enhancements to Existing Features

  • Removed the toggle to enable or disable the System Administration accounts (JIRA: ES-285).
    A system administrator can no longer disable an account using the Enable or Disable toggle on the System Administration Accounts page.

  • For security objects in an Azure Key Vault-backed DSM group that have audit logging enabled, DSM now logs the following new events (JIRA: PM-143):
    • The security object is soft-deleted.
    • The security object is recovered within the grace period after having been soft-deleted.
    • The corresponding Azure Key Vault entry is soft-deleted or recovered on key sync.
    • The security object is rotated on a rotation policy schedule.
    • The security object is copied.
  • Enabled audit logs for ScheduleDelete and CancelDelete APIs (JIRA: PROD-8251).
  • Added support for rotating a linked key with an AWS policy set up in DSM; the updated key version will now align with the same AWS policy (JIRA: ES-265).

3. Other Improvements

  • Improved the transition of redundant Fortanix DSM FIPS nodes (JIRA: PM-203).
  • Added the ability to downgrade the kernel in Fortanix DSM (JIRA: DEVOPS-4510).
  • Increased the timeout in the /opt/fortanix/sdkms/bin/dsm_manual_cassandra_backup.sh script file (JIRA: DEVOPS-4583).
  • Updated the Cassandra DC labeling script to display the number of nodes per label before applying the labeling and to perform a request seamlessly on a live cluster (JIRA: DEVOPS-4609).
  • Packaged FX2200 series 2 new BMC firmware version 12.72.02 as part of the Fortanix DSM installer (JIRA: DEVOPS-4634).
  • Removed the Intel Windows Launch Enclaves from the directory common/libsenclave-runner/le in the Fortanix DSM container (JIRA: PROD-8279).
  • Added support to remove old DSM restore scripts from /opt/fortanix/sdkms/bin directory (JIRA: DEVOPS-4610).

4. Client Improvements

  • Added support for security object name attribute deletion using KMIP (JIRA: PROD-8230).
    • Replaces the name with a placeholder value that is significant only to the KMIP proxy.
    • Added logic to treat it as a security object with no name.
  • Fixed an issue so that the KMIP client can preserve the activation date of a security object when that date is set in the past (JIRA: PROD-7972).
  • The DSM JCE Provider Client (unbundled) artifacts are now distributed through the Maven repository (JIRA: PM-235). For more details, refer to the DSM JCE Client Downloads.

5. DSM-Accelerator Improvements

6. Quality Enhancements

  • Upgraded the Fortanix DSM kernel to the latest 5.4 version (JIRA: DEVOPS-4626).

7. Bug Fixes

  • Fixed an issue where choosing RAW for decryption did not enable RAW decrypt to work as intended when setting up a Fortanix DSM account or group-level cryptographic policy (JIRA: ES-253).
  • Fixed an issue that occurred when invalid cert_lifetime or serial_bits parameters were passed to csr:sign() or TbsCertificate.new() (JIRA: PROD-8208).
  • Fixed an issue where the Retention period for audit logs configuration had conflicting functionality using the Fortanix DSM user interface (UI) and APIs (JIRA: ES-325).

8. Known Issues

  • API returns a “400 status code and response error” if its short-term access token expires during the synchronization of a group linked to AWS KMS (JIRA: PROD-3903).
    Workaround: Increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
  • exclude does not work in the proxy configuration for operations such as attestation (JIRA: PROD-3311).
  • Unable to create an app when a Custom Group Role has the Create Apps permission enabled. This affects users who need to create an app or plugin entry (JIRA: PROD-5764).
    Workaround: Use the predefined administrative user definition under Settings.
  • Rotating a GCP BYOK key to a pre-existing Fortanix DSM-hosted key (Rotate to DSM key) is not supported (JIRA: PROD-6722).
    Workaround: You can manually copy the AES 256 key from a normal DSM group to a GCP-backed group. This key automatically becomes the currently active crypto key version in the GCP key ring.
  • The “Rotate linked key” feature fails with an error for keys in an externally backed group where the external entity is a Google Cloud Platform key ring (JIRA: PROD-6828).
    Workaround: You must first manually rotate the source key in the normal DSM group and then copy the rotated key to the GCP group.
  • If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD-6947).
    Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
  • The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
  • Copying an RSA or EC key from a normal DSM group to an AWS KMS-backed DSM group does not work as expected and results in an error (JIRA: PROD-7787).
    Workaround: Export the RSA or EC key from the normal DSM group and import it into the AWS KMS-backed DSM group.
  • Fortanix DSM does not support the ML-KEM key type in the account and group-level cryptographic policies. Although it is available on the front end (UI), the back end does not support it (JIRA: PROD-8427).

9. Fortanix Data Security Manager Performance Statistics

9.1 Series 2

Key Types and Operations                           Throughput (Operations/second on a 3-node cluster)

AES 256: CBC Encryption/Decryption                 4,498/4,513
AES 256: GCM Encryption/Decryption                 4,450/4,462
AES 256: FPE Encryption/Decryption                 2,252/2,197
AES 256 Key Generation                             1,137

RSA 2048 Encryption/Decryption                     4,057/1,158
RSA 2048 Key Generation                            33
RSA 2048 Sign/Verify                               1,146/3,998
EC NISTP256 Sign/Verify                            1,048/605

Generate Kyber-ML Keys                             1,009
Encapsulation                                      1,082
Decapsulation                                      1,026

LMS Key (Height, Node)
L1 5, Node 24                                      20.21
L1 5, Node 32                                      16.70
L1 10, Node 24                                     0.54
L1 10, Node 32                                     0.50

Data Security Manager Plugin (Hello world plugin)  1,730 (invocations/second)

9.2 Azure Standard_DC8_v2

Key Types and Operations                           Throughput (Operations/second on a 3-node [Standard_DC8_v2] cluster)

AES 256: CBC Encryption/Decryption                 3,494/3,503
AES 256: GCM Encryption/Decryption                 3,435/3,444
AES 256: FPE Encryption/Decryption                 2,028/2,036
AES 256 Key Generation                             964

RSA 2048 Encryption/Decryption                     3,340/1,184
RSA 2048 Key Generation                            43
RSA 2048 Sign/Verify                               1,177/3,283
EC NISTP256 Sign/Verify                            967/584

Data Security Manager Plugin (Hello world plugin)  1,603 (invocations/second)

9.3 Series 2 JCE

Key Types and Operations                           Throughput (Operations/second on a 3-node cluster)

AES 256: CBC Encryption/Decryption                 3,962/3,962
AES 256 Key Generation                             1,134

RSA 2048 Key Generation                            33
RSA 2048 Sign/Verify                               913/1,984
EC NISTP256 Sign/Verify                            864/547

Data Security Manager Plugin (Hello world plugin)  1,733 (invocations/second)

9.4 Azure Standard DC8 JCE

Key Types and Operations                           Throughput (Operations/second on a 3-node [Standard_DC8 JCE] cluster)

AES 256: CBC Encryption/Decryption                 3,346/3,395
AES 256 Key Generation                             950

RSA 2048 Key Generation                            43
RSA 2048 Sign/Verify                               912/1,754
EC NISTP256 Sign/Verify                            767/514

Data Security Manager Plugin (Hello world plugin)  1,587 (invocations/second)

10. Fortanix Data Security Manager-Accelerator Performance Statistics

10.1 Runtime Environment

NOTE
  • The following table lists the standard recommended runtime environment. You can choose a higher configuration for better performance.
  • DSM-Accelerator was run in the runtime environment listed below for performance testing.
Item             Specification

Number of Cores  4
CPU              Intel (R) Xeon (R) CPU E5-2673 v4 @ 2.30GHz
RAM              32 GiB

10.2 DSM-Accelerator Webservice

NOTE
The performance numbers below are captured with a single node; if you need higher performance or throughput, then we recommend adding multiple nodes.
Key Types and Operations                           Throughput (Operations/second on a 1-node cluster)

AES 256: CBC Encryption/Decryption                 16,874/17,581
AES 256: GCM Encryption/Decryption                 16,535/17,025
AES 256: FPE Encryption/Decryption                 5,440/5,399

10.3 Additional Modes

Key Types and Operations                           Throughput (Operations/second on a 1-node cluster)

AES 256: CBCNOPAD Encryption and Decryption        16,893/17,291
AES 256: CFB Encryption/Decryption                 17,099/17,370
AES 256: CTR Encryption/Decryption                 17,140/17,324
AES 256: OFB Encryption/Decryption                 17,231/17,289
AES 256: CCM Encryption/Decryption                 16,514/17,000

11. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.
