[3.25] - March 22, 2021

Fortanix Self-Defending KMS 3.25 comes with some exciting new features and enhancements.

Fortanix Self-Defending KMS will require every Customer to upgrade to the 3.24 version before performing any future upgrades greater than 3.24.

1. New Functionality/Feature(s)

1.1 Subject Alternative Name (SAN) checking for Trusted CA app authentication:

Release 3.25 supports checking SAN such as DNS Name, IP Address, and Directory Name for app authentication of type Trusted CA.


For more details refer https://support.fortanix.com/hc/en-us/articles/360033272171-User-s-Guide-Authentication#1.7.3UsingaClientTLSCertificateIssuedbyaTrustedCA

1.2 Support for hybrid clusters

With Release 3.25, Hybrid clustering of "Series-1 and Series 2", "Azure and Series-1 or Series-2 ", and "AWS and Series-1 or Series-2 running Fortanix Self-Defending KMS in the same (SGX/non-SGX) software mode" is possible. This allows nodes of different types to participate in a single cluster.

For more details refer https://support.fortanix.com/hc/en-us/articles/360020884152-Fortanix-Self-Defending-KMS-Installation-Guide#5.4.1Setupdeployment-specificconfigurationfile

1.3 Audit Logs migrates to Cassandra

With release 3.25, Audit Logs are now migrated from the Elasticsearch database to Cassandra.

For more details refer to https://support.fortanix.com/hc/en-us/articles/360044484051-Fortanix-Self-Defending-KMS-Backup-and-Restore-Guide#4.1Pre-Requisites.

1.4 Azure backup support

With release 3.25, Fortanix Self-Defending KMS supports the backup option to Azure storage in addition to AWS S3 backup.

For more details refer to https://support.fortanix.com/hc/en-us/articles/360044484051-Fortanix-Self-Defending-KMS-Backup-and-Restore-Guide#4.4ConfiguringBackupUsingAzurewhenSettingupFortanixSelf-DefendingKMSCluster

2. Enhancements to Existing Features

2.1 Tokenization enhancements

With the 3.25 release, Fortanix Self-Defending KMS supports the following additional tokenization data types:

  • General:
    • IP Address (v4)
    • Email Address
  • Identification Numbers (USA)
    • Driver’s License
    • Individual Taxpayer ID
    • Employer ID (EIN)
  • Military Service Number (USA)
    • Army and Airforce Service Number
    • Navy Service Number
    • Coast Guard Service Number
    • Marine Cops Service Number
    • Military Offices Service Number


For more details refer https://support.fortanix.com/hc/en-us/articles/360038870452-User-s-Guide-Tokenization#TokenizerDataTypes

2.2 Quorum policy for key rotation

Release 3.25 supports quorum approval for key rotation. Key rotation is now a sensitive operation and will require quorum approval if Quorum policy is enabled in the Fortanix Self-Defending KMS group.



For more details refer to https://support.fortanix.com/hc/en-us/articles/360038354592-User-s-Guide-Fortanix-Self-Defending-KMS-Key-Lifecycle-Management#KeyRotation

2.3 Secret rotation

Release 3.25 supports rotating a key of type “secret” and keeps a history of all previous versions of the same secret. The rotation allows adding a new object value for the secrets.



For more details refer https://support.fortanix.com/hc/en-us/articles/360038354592-User-s-Guide-Fortanix-Self-Defending-KMS-Key-Lifecycle-Management#KeyRotation

2.4 Display HSM node's backend priority number in the UI

Release 3.25 now displays the HSM node’s backend priority number in the UI when there are multiple HSM nodes configured.


For more details refer  https://support.fortanix.com/hc/en-us/articles/360042056431-User-s-Guide-HSM-Gateway#AddConnection

2.5 Ability to add custom AWS URL

Release 3.25 will provide the ability to add a custom AWS URL while configuring the AWS group.


2.6 Mark virtual keys when their mapped keys are deleted from the source

Virtual keys are now detected and marked in a Fortanix Self-Defending KMS HSM/AWS KMS group during a key sync operation when their source keys are deleted from the HSM/AWS KMS.


2.7 Add quick filter to distinguish between Regular groups and HSM/AWS KMS groups in the Groups table view


2.8 KMIP support for Tape Library Profile

Release 3.25 adds KMIP support for Tape Library Profile. This profile specifies the use of the KMIP Application Specific Information (ASI) attribute in the KMIP server

3. Bug Fixes

  • AWS/HSM:
    • Fixed an issue where Test Connection was always successful for AWS KMS group when wrong authentication details are provided.
    • Fixed an issue where the Test Connection status is shown incorrectly on another node when the previous node was removed from the HSM node list.
    • Handled duplicate HSM node ordering value.
    • Fixed an issue where changing an HSM node from Custom CA to Global Root CA was causing the client key to be sent as an empty string instead of null.
    • Fixed issue of two HSMs nodes having the same hsm_order value after one of the HSM nodes is deleted.
    • Copy Key is disabled for AWS KMS virtual keys.
    • Fixed HSM node certificate issues:
      • When Client Certs are added and removed, it does not show a null value.
      • When editing an HSM group’s Certificate Configuration, a user was able to save the certificate configuration by entering only the Client Certificate value without the Client Key (Private Key).
    • Fixed issue where the HSM key scan operation failed when you remove a public key from a key-pair in HSM that also contains a private key.
    • Fixed issue where integrating HSMG with nCipher fails with “pkcs11: 00000000 Error: Module 1 has failed”.
  • Fixed issue when restoring the cluster from backup, if a delete operation is performed on the restored data it was unable to delete the data completely (known issue in release 3.23).
  • Fixed issue where key rotation schedule was drifting by 5 minutes.
  • Fixed error code translation for Google EKMS errors.
  • Fixed issue where sustained throughput was degraded if the Cassandra audit-log feature is enabled (known issue in release 3.23).
  • Fixed UI by showing a clear message in the diff window of changes made in Account quorum approval policy and Crypto policy during the quorum approval process.

4. Security Fixes

  • Disabled weak cipher suites on nginx-proxy.

5. Quality Enhancement/Updates

  • Cassandra upgraded to 3.11.10.

6. Known Issues

  • If a cluster is in read-only mode:
    • The audit logs cannot be read. This will be addressed in a future release.
    • The UI will not load upon refresh. This will be addressed in a future release.

7. Fortanix Self-Defending KMS Performance Statistics

7.1 Series 1

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Self-Defending KMS Plugin (Hello world plugin)

2119 (invocations/second)

7.2 Series 2

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Self-Defending KMS Plugin (Hello world plugin)

2450 (invocations/second)

8. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful