User's Guide: Copy Key

1.0 Introduction

This article describes the Fortanix Data Security Manager (DSM) Copy Key operation that can be performed on a Security Object.

2.0 Copy Key

The copy key feature will copy a security object from a standard Fortanix DSM group to another standard group. This feature has the following advantages:

  • It maintains a single source of key material by using/importing that key with other Fortanix DSM groups. This allows applications in respective groups to use a single key to meet some business objectives.
  • It maintains a link to copies of the original key material for audit and tracking purposes.

The following actions will happen as part of the copy key operation:

  • A new key will be created in the target group: The new key will have the same key material as the original key.
  • The Source key links to the copied keys: A link will be maintained between all copied keys and the source key.

The Source key will also have basic metadata-based information about the linked keys such as:

  • Copied by <user-name/app id>
  • Date of Copy <time stamp>
  • Target copy group name
The name of the copied key is suggested automatically to the user as [original key name]_[copy1,2,...], but can be replaced with an alternative unique name.

Perform the following steps to copy a key:

  1. Go to the detailed view of a key and click the Copy Key  copy_key.png  button on the right of the screen.
    Fortanix DSM does not allow to copy an LMS key.
  2. In the COPY KEY window, you may update the name of the key by clicking on the pencil pencil.png icon. Copy the new key to a group/groups from the GROUP section. To filter only HSM/External KMS groups, select Import key to HSM/External KMS option. Figure3-Edit_key_name_and_edit_group_details.pngFigure 1: Edit key name and edit group details
  3. Click EDIT PERMISSIONS if you want to modify the permissions of the key. Figure4-Assign_new_key_to_a_group.pngFigure 2: Set deactivation date
  4. Add Deactivation Date: The deactivation date of the security object can be set to 'Never' or to a specified time in the future. To specify the deactivation date, click EDIT.
  5. Click CREATE COPY to create a copy of the key.
  6. If there is a Quorum policy configured in the source group that contains the original key, then a quorum approval request is created. Only after the request is approved the copy key operation will be successful.
  7. The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key. Figure5-key_link_created.pngFigure 3: Key link created

3.0 Create New AES Key

Fortanix DSM allows you to create a new AES key with the similar settings as the currently available key.

Perform the following steps:

  1. Go to the detailed view of a key and click the CREATE_AES_KEY.png button on the right of the screen.
  2. On the Add New Security Object window, enter the name of the security object in New Security Object field.
  3. You can make update the existing values in the sections as required.
  4. After you have updated the values, click the Generate button at the bottom of the screen.

The new AES key is generated in Fortanix DSM.



  • The quorum approval policy needs to be configured for Cryptographic Operations. Otherwise no approval will be required.


Please sign in to leave a comment.

Was this article helpful?
0 out of 1 found this helpful