[3.23] - Dec 31, 2020

This release is superseded by the Feb 5, 2021 release.

1. Enhancements to Existing Features

1.1 Support import/export of additional formats for a key of type SECRET.

The 3.23 release allows you to define the type of “SECRET” in the import key workflow. The "Secret" object can be used to store and export keys of any format. For easy identification, you can optionally set any string in the Attribute field while importing. This field is stored as the x-format custom attribute on the secret object and is shown in the Info field when viewing the secret.

These values can also be added from the detailed view of a key in the ATTRIBUTES/TAGS tab.


For more details refer to https://support.fortanix.com/hc/en-us/articles/360038354592-User-s-Guide-Fortanix-Self-Defending-KMS-Key-Lifecycle-Management#ImportSecurityObjects

This release also supports key export operations for “SECRET” type keys.


For more details refer to https://support.fortanix.com/hc/en-us/articles/360049737471-User-s-Guide-Export-Key#EncryptKeyBeforeExport

1.2 Support for LDAP Roles for auditors, administrators, regular apps, and admin apps

This release adds support for LDAP roles for auditors, administrators, regular apps, and administrative apps, in addition to the existing account member role. These roles are also optional; if specified, the value is the distinguished name of an LDAP role.

If an account member/auditor/administrator does not have the corresponding LDAP role, they will not be able to manage the account.


To learn more about LDAP authorization, refer to: https://support.fortanix.com/hc/en-us/articles/360033005052-User-s-Guide-Authorization

1.3 Added support for RSA key export

The 3.23 release allows an RSA key to be exported.



To learn more about Fortanix Self-Defending KMS Security Objects export operations, refer to: https://support.fortanix.com/hc/en-us/articles/360049737471-User-s-Guide-Export-Key#EncryptKeyBeforeExport

1.4 Added verification step for key component and KCV

The 3.23 release allows verifying the KCV and key component combination before importing it.



To learn more about Fortanix Self-Defending KMS key components, refer to: https://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components

1.5 The 3.23 release adds support for hash algorithm SHA-224. 

1.6 Support for Certificate download

The 3.23 release allows downloading a certificate for a key of type “Certificate”.


2. Client Improvements and Bug Fixes

2.1 CLI

  • Fix TypeError on AES export

3. Quality Enhancements / Updates

  • Password confirmation when creating a cluster
  • Removed unattended upgrade package for Azure/AWS
  • Upgraded Cassandra DB to 3.11.9
  • Included script to run on-demand backup
  • Enhancements in clean up script

4. Security Fixes

  • Disable JMX host port on Cassandra
  • Updated Lodash JavaScript library

5. Known Issue(s)

  • A known issue causes a new node join failure if your cluster configuration includes a custom subnet configuration for POD or service. If you have serviceSubnet or podSubnet in your cluster config, please do not upgrade to 3.23.

6. Fortanix Self-Defending KMS Performance Numbers

6.1 Series 1

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 128: CBC Encryption/Decryption


AES 128 Key Generation


AES 128: Format Preserving Encryption


AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Self-Defending KMS Plugin (Hello world plugin)

2119 (invocations/second)

6.2 Series 2

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 128: CBC Encryption/Decryption


AES 128 Key Generation


AES 128: Format Preserving Encryption


AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Self-Defending KMS Plugin (Hello world plugin)

2813 (invocations/second)


7. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.

