Java Cryptography Extension (JCE)


This requires Java 8.


Alternatively, add dependency in pom.xml



Check JCE provider developer guide for more details.

Change Details


  1. Improved Fortanix Data Security Manager (DSM) implementation of Java Cryptographic Key and Key Pair interfaces to support initialization using Name of the key, besides Key ID.
    • Old constructor (Deprecated from 3.19 onwards):
      SdkmsAESKey key = new SdkmsAESKey("<Key-UUID>", 128, null)
    • New constructor: Initialize by Key ID
      SdkmsAESKey key = new SdkmsAESKey(new SobjectDescriptor().kid("<Key-UUID>"))
    • New constructor: Initialize by Key Name, for example:
      SdkmsAESKey key = new SdkmsAESKey(new SobjectDescriptor().name("MyKeyName"))
    - Above changes apply to other Key implementations: SdkmsDESKey, SdkmsDESedeKey, RSAPrivateKeyImpl, RSAPublicKeyImpl, ECPrivateKeyImpl, ECPublicKeyImpl, SDKMSKmacKey
    - No changes in the KeyGenerator, KeyPairGenerator, Cipher, Signatureusage.
  2. Optimized to Cipher implementation, which eliminates extra API requests, thus improving client-side throughput by two times.
  3. Added support for Multipart Cipher operations for AES GCM mode. This is supported for Fortanix DSM server version 3.19 or higher only.
    • AES GCM Cipher will still behave as Non Multipart Cipher for DSM server version < 3.19. in Non -Multipart mode, Cipher.update() returns empty and Cipher.final() will return the full cipher bytes.
    • With Fortanix DSM version >= 3.19 and JCE Client version >=3.19, AES GCM Cipher will behave as Multipart by default.
    • If AES GCM Cipher is being used before 3.19, upgrade of both server and client to 3.19 will break the behavior due to change from Non Multipart to Multipart implementation. If Non-Multipart behavior is still desired, then add this environment variable to force Non-Multipart behavior for AES GCM Cipher:
  4. Added support for Elliptic Curve Ed25519 for ECDSA operations.
  5. Fortanix DSM JCE provider is published to Maven from this release onwards. See the section Maven for updated install instructions.
  6. Added support for using Local Sun implementation for MessageDigest operations using env variable export FORTANIX_USE_LOCAL_DIGEST=true . This optimizes signing operations of large files and is helpful in jar signing use-cases.
  7. Added support for importing public key by default as a transient key (which are not persisted in Fortanix DSM and lives only during a session lifetime) using env variable export FORTANIX_PUBKEY_IMPORT_TRANSIENT=true. This is helpful in jar signing use-cases, where jarsigner requires to use the public key in a temporary manner.
  8. Added support for Fortanix DSM JCE initialization with API Endpoint and API Key in provider constructor. Thus, reducing the requirement of using the env variable for the same. This is helpful in environments, where setting the env variable is not possible. For example: initialize(<apiEndpoint>, <apiKey>).


Connection Pooling

Fortanix DSM version 3.21 and above supports a new feature called Connection Pooling.

Connection pooling allows restriction and reuse of connections with a maximum limit specified.
This allows setting some safe limits on each JCE application so that no single application
can overwhelm the server.

With JCE Connection Pooling

The environment variable FORTANIX_CONN_MAX is set to the maximum number of connections from that instance of the JCE application.

Without JCE Connection Pooling

When the environment variable FORTANIX_CONN_MAX is not exported or is set to `0`, JCE will behave without any connection pooling/limit. This is similar to JCE behavior prior to version 3.21.


    • Existing behavior: number of sockets is equal to the number of concurrent threads.
  • FORTANIX_CONN_MAX = X, Concurrent threads less than X.
    • Behavior: Less than X sockets open at a time.
    • Observation: The sockets are also being reused.
  • FORTANIX_CONN_MAX = X, Concurrent threads greater than X.
    • Behavior: Maximum X sockets open with reuse.
    • Observation: higher latency, which is expected since threads are now waiting for connections to get free.

JCE logging

With the 3.21 release, by default the logging option is disabled, and in order to enable it export the following environment variables:

  • To enable debug logs, set the environment variable:
    export FORTANIX_LOG_DEBUG=true
  • To enable only API logs, set the environment variable:
    export FORTANIX_LOG_API=true
  • To set a file location for local logs, set the environment variable:
    export FORTANIX_LOG_FOLDER="/path/to/logfile-folder"
    This will create a log file /path/to/logfile-folder/sdkms-jce.log


Article is closed for comments.

Was this article helpful?
0 out of 0 found this helpful