User's Guide: Copy Key


This article describes the Fortanix Data Security Manager (DSM) Copy Key operation that can be performed on a Security Object.

Copy Key

The copy key feature will copy a security object from a standard Fortanix DSM group to another standard group. This feature has the following advantages:

  • It maintains a single source of key material by using/importing that key with other Fortanix DSM groups. This allows applications in respective groups to use a single key to meet some business objectives.
  • It maintains a link to copies of the original key material for audit and tracking purposes.

The following actions will happen as part of the copy key operation:

  • A new key will be created in the target group: The new key will have the same key material as the original key.
  • The Source key links to the copied keys: A link will be maintained between all copied keys and the source key.

The Source key will also have basic metadata-based information about the linked keys such as:

  • Copied by <user-name/app id>
  • Date of Copy <time stamp>
  • Target copy group name
The name of the copied key is suggested automatically to the user as [original key name]_[copy1,2,...], but can be replaced with an alternative unique name.

To copy a key:

  1. Go to the detailed view of a key and click the Add plus.png NEW OBJECT button on the far right of the screen. Initiate_copy_key.pngFigure 1: Initiate Copy key
  2. In the menu that opens, click the COPY KEY button. Figure2-click_copy_key.pngFigure 2: Click copy key
  3. In the COPY KEY window, you may update the name of the key by clicking on the pencil pencil.png icon. Copy the new key to a group/groups from the GROUP section. To filter only HSM/External KMS groups, select Import key to HSM/External KMS option. Figure3-Edit_key_name_and_edit_group_details.pngFigure 3: Edit key name and edit group details
  4. Click EDIT PERMISSIONS if you want to modify the permissions of the key. Figure4-Assign_new_key_to_a_group.pngFigure 4: Set deactivation date
  5. Add Deactivation Date: The deactivation date of the security object can be set to 'Never' or to a specified time in the future. To specify the deactivation date, click EDIT.
  6. Click CREATE COPY to create a copy of the key as shown in the figure above.
  7. If there is a Quorum policy configured in the source group that contains the original key, then a quorum approval request is created. Only after the request is approved the copy key operation will be successful.
  8. The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key. Figure5-key_link_created.pngFigure 5: Key link created


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful