1.0 Introduction
There are several ways to export Fortanix-Data-Security-Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption.
2.0 Prerequisite
Download DSM CLI from here.
3.0 Alibaba
Create an external key in Alibaba.
Create a new key by selecting key material source as “External”.
.png?sv=2022-11-02&spr=https&st=2025-05-11T18%3A43%3A00Z&se=2025-05-11T18%3A55%3A00Z&sr=c&sp=r&sig=F2rHYwsbbFTy4DSUM41AhTa%2BKyHOkoG21AuiUlo5B%2B4%3D "image(26).png")
Newly created key should show up with status as “Pending Import” and key material source as "External".
.png?sv=2022-11-02&spr=https&st=2025-05-11T18%3A43%3A00Z&se=2025-05-11T18%3A55%3A00Z&sr=c&sp=r&sig=F2rHYwsbbFTy4DSUM41AhTa%2BKyHOkoG21AuiUlo5B%2B4%3D "image(27).png")
Download key encryption material.
Download the key encryption material, you will need it for key wrapping in DSM and key importing into Alibaba.Public key
Import Token
.png?sv=2022-11-02&spr=https&st=2025-05-11T18%3A43%3A00Z&se=2025-05-11T18%3A55%3A00Z&sr=c&sp=r&sig=F2rHYwsbbFTy4DSUM41AhTa%2BKyHOkoG21AuiUlo5B%2B4%3D "image(28).png")
Import Alibaba public key into DSM.
Import the public key from previous step into DSM as RSA key..png?sv=2022-11-02&spr=https&st=2025-05-11T18%3A43%3A00Z&se=2025-05-11T18%3A55%3A00Z&sr=c&sp=r&sig=F2rHYwsbbFTy4DSUM41AhTa%2BKyHOkoG21AuiUlo5B%2B4%3D "image(29).png")
Create Customer Master Key in DSM.
Create a new AES key and make sure to select the “exportable” option..png?sv=2022-11-02&spr=https&st=2025-05-11T18%3A43%3A00Z&se=2025-05-11T18%3A55%3A00Z&sr=c&sp=r&sig=F2rHYwsbbFTy4DSUM41AhTa%2BKyHOkoG21AuiUlo5B%2B4%3D "image(30).png")
Authenticate the app.
sdkms-cli app-login --api-endpoint Fortanix Data Security Manager --api-key YOUR_APP_API_KEYWhere,
YOUR_APP_API_KEYis the API key of an app in Fortanix DSM.
Wrap customer master key with Alibaba public key.
Use DSM-Cli to wrap the newly created AES key (customer master key) with imported Alibaba public key.
$ sdkms-cli wrap-key --kid <Taget Key UUID in DSM > --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid <UUID of Alibaba Wrapping Public Key > --out alibabawrap.keyWhere,
<Target Key UUID in DSM>is the UUID of the key in Fortanix DSM that you want to copy to Alibaba KMS.<UUID of Alibaba Wrapping Public Key>is the UUID of the public key imported into Fortanix DSM user interface (UI) in Step 3.
Apply base64 encoding on wrap key.
$ openssl enc -e -base64 -A -in alibabawrap.key -out alibabawrapbase64.key
Upload key into Alibaba KMS.
Import the encoded wrap key into Alibaba. You will also need the import token which we downloaded from Alibaba in Step 2..png?sv=2022-11-02&spr=https&st=2025-05-11T18%3A43%3A00Z&se=2025-05-11T18%3A55%3A00Z&sr=c&sp=r&sig=F2rHYwsbbFTy4DSUM41AhTa%2BKyHOkoG21AuiUlo5B%2B4%3D "image(31).png")
Alibaba KMS should have external key enabled now.
With successful import your external key should be "Enabled" now..png?sv=2022-11-02&spr=https&st=2025-05-11T18%3A43%3A00Z&se=2025-05-11T18%3A55%3A00Z&sr=c&sp=r&sig=F2rHYwsbbFTy4DSUM41AhTa%2BKyHOkoG21AuiUlo5B%2B4%3D "image(32).png")