[3.23] - Dec 31, 2020

This release is superseded by the Feb 5, 2021 release.

1. Enhancements to Existing Features

1.1 Support import/export of additional formats for a key of type SECRET.

The 3.23 release allows you to define the type “SECRET” in the import key workflow. The "Secret" object can be used to store and export keys of any format. For easy identification, you can optionally set any string in the Attribute field while importing. This field is stored as the x-format custom attribute on the secret object and is shown in the Info field when viewing the secret.

These values can also be added from the detailed view of a key in the ATTRIBUTES/TAGS tab.

ImportFormatSecret.png

For more details refer to https://support.fortanix.com/hc/en-us/articles/360038354592-User-s-Guide-Fortanix-Self-Defending-KMS-Key-Lifecycle-Management#ImportSecurityObjects

This release also supports key export operations for “SECRET” type keys.

ExportSecret.png

For more details refer to https://support.fortanix.com/hc/en-us/articles/360049737471-User-s-Guide-Export-Key#EncryptKeyBeforeExport

1.2 Support for LDAP Roles for auditors, administrators, regular apps, and admin apps

This release adds support for LDAP roles for auditors, administrators, regular apps, and administrative apps, in addition to the existing account member role. These roles are optional; when specified, the value is the distinguished name of the LDAP role.

If an account member/auditor/administrator does not have the corresponding LDAP role, they will not be able to manage the account.

LDAP.png

LDAP2.png

To learn more about LDAP authorization, refer: https://support.fortanix.com/hc/en-us/articles/360033005052-User-s-Guide-Authorization

1.3 Added support for RSA key export

The 3.23 release allows an RSA key to be exported.

RSAKeyExport1.png

RSAKeyExport2.png

To learn more about Fortanix Self-Defending KMS Security Objects export operations, refer: https://support.fortanix.com/hc/en-us/articles/360049737471-User-s-Guide-Export-Key#EncryptKeyBeforeExport

1.4 Added verification step for key component and KCV

The 3.23 release allows verifying the KCV and key component combination before importing it.

KCV_Verify.png

To learn more about Fortanix Self-Defending KMS key components, refer: https://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components
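The verification step described in 1.4, as an added example in Go (this is not Fortanix code; it assumes the common KCV convention of AES-encrypting an all-zero block and keeping the first three bytes, that components are combined by XOR, and Go 1.20+ for subtle.XORBytes): each component is checked against the KCV its custodian supplied, then the combined key against the final KCV, and no key is handed on for import unless every check passes.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"fmt"
	"strings"
)

// ComputeKCV: first 3 bytes of AES-encrypting an all-zero block under key, as upper-case hex (assumed convention).
func ComputeKCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return "", err
	}
	kcv := make([]byte, aes.BlockSize) // the all-zero block ...
	block.Encrypt(kcv, kcv)            // ... encrypted in place; one raw block, no mode needed
	return fmt.Sprintf("%X", kcv[:3]), nil
}

// VerifyKCV compares the computed KCV with the value the custodian supplied (either hex case).
func VerifyKCV(key []byte, expected string) error {
	got, err := ComputeKCV(key)
	if err == nil && subtle.ConstantTimeCompare([]byte(got), []byte(strings.ToUpper(expected))) != 1 {
		err = fmt.Errorf("KCV mismatch: computed %s, expected %s", got, expected)
	}
	return err
}

// VerifyAndCombine checks each component against its own KCV, XORs them into the
// final key and checks that against finalKCV; nothing is returned for import otherwise.
func VerifyAndCombine(components [][]byte, kcvs []string, finalKCV string) ([]byte, error) {
	if len(components) == 0 || len(components) != len(kcvs) {
		return nil, fmt.Errorf("need one KCV per component, got %d components and %d KCVs", len(components), len(kcvs))
	}
	key := make([]byte, len(components[0]))
	for i, c := range components {
		if len(c) != len(key) {
			return nil, fmt.Errorf("component %d: length %d, want %d", i+1, len(c), len(key))
		}
		if err := VerifyKCV(c, kcvs[i]); err != nil {
			return nil, fmt.Errorf("component %d: %w", i+1, err)
		}
		subtle.XORBytes(key, key, c) // key ^= component, in place (Go 1.20+)
	}
	if err := VerifyKCV(key, finalKCV); err != nil {
		return nil, fmt.Errorf("combined key: %w", err)
	}
	return key, nil
}
```

Because each component is checked before it is combined, a mistyped component is reported by number rather than surfacing only as a final-KCV mismatch.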

1.5 The 3.23 release adds support for the SHA-224 hash algorithm.

1.6 Support for Certificate download

The 3.23 release allows downloading a certificate for a key of type “Certificate”.

DownloadCert.png

2. Client Improvements and Bug Fixes

2.1 CLI

  • Fix TypeError on AES export

3. Quality Enhancements / Updates

  • Password confirmation when creating a cluster
  • Removed unattended upgrade package for Azure/AWS
  • Upgraded Cassandra DB to 3.11.9
  • Included script to run on-demand backup
  • Enhancements in clean up script

4. Security Fixes

  • Disable JMX host port on Cassandra
  • Updated Lodash JavaScript library

5. Known Issue(s)

  • A known issue causes new node joins to fail if your cluster configuration includes a custom subnet configuration for pods or services. If you have serviceSubnet or podSubnet in your cluster config, please do not upgrade to 3.23.

6. Fortanix Self-Defending KMS Performance Numbers

6.1 Series 1

Key Types and Operations                        Throughput (Operations/second per 3-node cluster)

AES 128: CBC Encryption/Decryption              4078/4040
AES 128 Key Generation                          1191
AES 128: Format Preserving Encryption           2218
AES 256: CBC Encryption/Decryption              4054/3993
AES 256: GCM Encryption/Decryption              4024/3984

RSA 2048 Encryption/Decryption                  1462/573
RSA 2048 Key Generation                         28
RSA 2048 Sign/Verify                            584/1506
EC NISTP256 Sign/Verify                         691/373

Self-Defending KMS Plugin (Hello world plugin)  2119 (invocations/second)

6.2 Series 2

Key Types and Operations                        Throughput (Operations/second per 3-node cluster)

AES 128: CBC Encryption/Decryption              5469/5220
AES 128 Key Generation                          1501
AES 128: Format Preserving Encryption           3356
AES 256: CBC Encryption/Decryption              5410/5409
AES 256: GCM Encryption/Decryption              5125/5430

RSA 2048 Encryption/Decryption                  1870/885
RSA 2048 Key Generation                         49
RSA 2048 Sign/Verify                            890/2024
EC NISTP256 Sign/Verify                         615/773

Self-Defending KMS Plugin (Hello world plugin)  2813 (invocations/second)

7. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.
