This article describes the Fortanix Data Security Manager (DSM) Copy Key operation that can be performed on a Security Object.
The copy key feature copies a security object from one standard Fortanix DSM group to another standard group. This feature has the following advantages:
- It maintains a single source of key material by using or importing that key in other Fortanix DSM groups. This allows applications in their respective groups to use a single key to meet some business objectives.
- It maintains a link to copies of the original key material for audit and tracking purposes.
The following actions will happen as part of the copy key operation:
- A new key will be created in the target group: The new key will have the same key material as the original key.
- The source key links to the copied keys: A link will be maintained between all copied keys and the source key.
The source key will also have basic metadata about the linked keys, such as:
- Copied by <user-name/app id>
- Date of Copy <time stamp>
- Target copy group name
To copy a key:
- Go to the detailed view of a key and click the Add NEW OBJECT button on the far right of the screen.
  Figure 1: Initiate Copy key
- In the menu that opens, click the COPY KEY button.
  Figure 2: Click copy key
- In the COPY KEY window, you may update the name of the key by clicking the pencil icon. In the GROUP section, select the group or groups to copy the new key to. To filter only HSM/External KMS groups, select the Import key to HSM/External KMS option.
  Figure 3: Edit key name and edit group details
- Click EDIT PERMISSIONS if you want to modify the permissions of the key.
  Figure 4: Set deactivation date
- Add Deactivation Date: The deactivation date of the security object can be set to 'Never' or to a specified time in the future. To specify the deactivation date, click EDIT.
- Click CREATE COPY to create a copy of the key as shown in the figure above.
- If there is a Quorum policy configured in the source group that contains the original key, then a quorum approval request is created. The copy key operation succeeds only after the request is approved.
- The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
  Figure 5: Key link created