[3.27] - April 16, 2021

This release is superseded by the May 19, 2021 release.

Fortanix Data Security Manager (DSM) 3.27 comes with some exciting new features and enhancements.

Fortanix DSM was formerly called Fortanix Self-Defending Key Management Service (KMS).

  • Fortanix DSM must be upgraded to the 3.24 version before performing any future upgrades greater than 3.24. Open a ticket with Fortanix Customer Success to request the 3.24 upgrade. (support.fortanix.com)
  • Upgrading to Fortanix DSM 3.27 is REQUIRED before performing any future upgrades to versions greater than 3.27.


  • After the 3.24 version upgrade, customers can directly upgrade to the 3.27 version.
  • The expected time to upgrade for a 3-node cluster (after the software package is uploaded) upgrading from:
    • Version 3.24 to 3.27 will take about 45 minutes.
    • Version 3.25 to 3.27 will take about 30 minutes.

1. Enhancements to Existing Features

1.1 Allow API Key rotation or change an App authentication method with zero downtime (JIRA: PROD-3117):

With release 3.27, the following actions for an App will have zero downtime:

  • Regenerating an app API Key such that the old API key can continue to work for a configurable period.

  • Changing between app authentication methods such that the previous authentication method will continue to work for a configurable period.


The configurable period can be set using the Expiration Setting section.

For more details, refer to https://support.fortanix.com/hc/en-us/articles/360033272171-User-s-Guide-Authentication#1.7ApplicationAuthentication

1.2 Read-Only mode improvements:

  • Old audit logs should be readable in read-only mode (JIRA: PROD-3258).
  • The Web UI now works in read-only mode, and a read-only mode banner is displayed if the Fortanix DSM cluster has lost global quorum (JIRA: PROD-3230).


2. Improvements

2.1 Connection throughput improvements (JIRA: PROD-1581):

Each FX2200 appliance previously supported a maximum of 400 concurrent connections. Fortanix DSM no longer has this limit. A node can now hold a large number of concurrent connections; the number it can handle is limited by the available hardware resources and the kind of operations those connections perform. For example, each node has been tested to support 6000 connections doing a sustained 700 QPS of AES encryption.

2.2 Batch API support for HMAC (JIRA: PROD-3166):

This release adds a new batch API in the ‘Digest’ section of the REST API for Mac and MacVerify. For more details, refer to the REST API.

2.3 Proxy support for all outbound connections (JIRA: PROD-3113):

This release adds support for configuring a cluster-wide proxy for all outbound connections. Certain outbound connections can be excluded so that they skip the proxy. Global proxy functionality is only available in SGX-based deployments (FX2200 and Azure CC VMs).

For more details refer to https://support.fortanix.com/hc/en-us/articles/360020884152#5.4.2ProxySupportforOutboundConnections

2.4 Added support for encrypted PKCS#8 format (API) (JIRA: PROD-1953).

2.5 Amazon Simple Email Service (SES) signature migrated to version 4 (JIRA: PROD-3265):

The Amazon SES signature used for sending email through Amazon SES is migrated to the latest version (version 4), which offers enhanced security for authentication and authorization of Amazon SES users.

3. Bug Fixes

  • Individual Taxpayer Identification Number (ITIN) tokenization not working as expected (JIRA: ROFR-2527).
  • Cryptographic policy (JIRA: ROFR-2462): When there are no non-compliant keys, selecting “Limit Usage” caused confusion when all the key operations are permitted in the policy. This is resolved by adding more context to the description of the Limit Usage option and by reordering the sections so that “Handling existing non-compliant keys” appears above “Restrict key operations”.
  • Cryptographic policy (JIRA: PROD-2559):
    It was possible to create keys with “App Manageable” permission even when it was in the Cryptographic policy.
  • Quorum approval email bad link (JIRA: PROD-3245): Bad link in Approval request emails has been fixed.

4. Security Fixes

  • Internal NTP docker image updated to Ubuntu 20.04 (JIRA: DEVOPS-1284) to address security issues in the previous version.

5. Quality Enhancements/Updates

  • Improvements and fixes in restore scripts (JIRA: DEVOPS-1259).
  • Fixes to etcd certificate renewal (JIRA: DEVOPS-1279).
  • UI/Proxy containers updated to NGINX 1.19.8 (JIRA: DEVOPS-1288).

6. Known Issues

  • UI will not load in read-only mode if the NGINX proxy cache is not warmed up (JIRA: DEVOPS-1312).
  • When a proxy is configured, the IAS proxy will always be accessed through the proxy (JIRA: PROD-3311).
  • Restore fails on some clusters with large data. The restore script can be modified to resolve this. (JIRA: DEVOPS-1269).

7. Addendum

[3.27] Patch 3.27.1459 – April 29, 2021


  • Audit-log migration times out after 15 minutes (JIRA: PROD-3339).
  • Sessions are reported as expired using the bearer token from a previous API key (JIRA: PROD-3323).

8. Fortanix Self-Defending KMS Performance Statistics

8.1 Series 1

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1293 (invocations/second)

8.2 Series 2

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1856 (invocations/second)

9. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.

