[3.27] - April 16, 2021

This release is superseded by May 19, 2021 release

Fortanix Data Security Manager (DSM) 3.27 comes with some exciting new features and enhancements.

Fortanix DSM was formerly called Fortanix Self-Defending Key Management Service (KMS).

WARNING
  • Fortanix DSM must be upgraded to the 3.24 version before performing any future upgrades greater than 3.24. Open a ticket with Fortanix Customer Success to request the 3.24 upgrade. (support.fortanix.com)
  • It is “REQUIRED” to upgrade to the Fortanix DSM 3.27 version before performing any future upgrades greater than 3.27.

 

NOTE
  • After the 3.24 version upgrade, customers can directly upgrade to the 3.27 version.
  • The expected time to upgrade for a 3-node cluster (after the software package is uploaded) upgrading from:
    • Version 3.24 to 3.27 will take about 45 minutes.
    • Version 3.25 to 3.27 will take about 30 minutes.

1. Enhancements to Existing Features

1.1 Allow API Key rotation or change an App authentication method with zero downtime (JIRA: PROD-3117):

With release 3.27, the following actions for an App will have zero downtime:

  • Regenerating an app API Key such that the old API key can continue to work for a configurable period.

      APPAPIKey.png
     
  • Changing between app authentication methods such that the previous authentication method will continue to work for a configurable period.

    APPAuthenticationChange.png

The configurable period can be set using the Expiration Setting section.

For more details refer https://support.fortanix.com/hc/en-us/articles/360033272171-User-s-Guide-Authentication#1.7ApplicationAuthentication

1.2 Read-Only mode improvements:

  • Old audit logs should be readable in read-only mode (JIRA: PROD-3258).
  • Web-UI now works even under read-only mode and read-only mode banner is displayed if the Fortanix DSM cluster has lost global quorum (JIRA: PROD-3230):

Readonlymode.png

2. Improvements

2.1 Connection throughput improvements (JIRA: PROD-1581):

Each FX2200 appliance supported a maximum of 400 concurrent connections. Fortanix DSM does not have this limit anymore. There can be a large number of concurrent connections per node and the number of connections that a node can handle is now limited by the hardware resources available and the kind of operations these connections are doing. For example, each node has been tested to support 6000 connections doing a sustained 700 QPS of AES encryption.

2.2 Batch API support for HMAC (JIRA: PROD-3166):

This release adds a new batch API in the ‘Digest’ section of REST API for Mac and MacVerify. For more details refer to the REST API

2.3 Proxy support for all outbound connections (JIRA: PROD-3113):

This release adds support for adding cluster-wide proxy for all outbound connections. There is flexibility to exclude certain outbound connections from skipping proxy. Global proxy functionality is only available in SGX based deployments (FX2200 and Azure CC VMs).

For more details refer to https://support.fortanix.com/hc/en-us/articles/360020884152#5.4.2ProxySupportforOutboundConnections

2.4 Added support for encrypted PKCS#8 format (API) (JIRA: PROD-1953).

2.5 Amazon Simple Email Service (SES) signature migrated to version 4 (JIRA: PROD-3265):

The Amazon SES signature that is used for sending an email using Amazon SES is migrated to the latest version (version 4) which offers enhanced security for authentication and authorization of Amazon SES users.

3. Bug Fixes

  • Individual Taxpayer Identification Number (ITIN) tokenization not working as expected (JIRA: ROFR-2527).
  • Cryptographic policy (JIRA: ROFR-2462): When there are no non-compliant keys, selecting “Limit Usage” causes confusion when all the key operations are permitted in the policy. This is resolved by adding more context to the description of the Limit Usage option, changing the order of the section by moving “Handling existing non-compliant keys” above the “Restrict key operations” section.
      Non-Compliant-Keys.png
     
  • Cryptographic policy (JIRA: PROD-2559):
    It was possible to create keys with “App Manageable” permission even when it was in the Cryptographic policy.
  • Quorum approval email bad link (JIRA: PROD-3245): Bad link in Approval request emails has been fixed.

4. Security Fixes

  • Internal NTP docker image updated to Ubuntu 20.04 (JIRA: DEVOPS-1284) to address security issues in the previous version.

5. Quality Enhancements/Updates

  • Improvements and fixes in restore scripts (JIRA: DEVOPS-1259).
  • Fixes to etcd certificate renewal (JIRA: DEVOPS-1279).
  • UI/Proxy containers updated to NGINX 1.19.8 (JIRA: DEVOPS-1288).

6. Known Issues

  • UI will not load in read-only mode if the NGINX proxy cache is not warmed up (JIRA: DEVOPS-1312).
  • When a proxy is configured, the IAS proxy will always be accessed through the proxy. (JIRA: PROD-3311)
  • Restore fails on some clusters with large data. The restore script can be modified to resolve this. (JIRA: DEVOPS-1269).

7. Addendum

[3.27] Patch 3.27.1459 – April 29, 2021

Fixes:

  • Audit-log migration times-out after 15 minutes (JIRA: PROD-3339).
  • Sessions are reported as expired using the bearer token from a previous API key (JIRA: PROD-3323).

8. Fortanix Self-Defending KMS Performance Statistics

8.1 Series 1

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 256: CBC Encryption/Decryption

3565/3540

AES 256: GCM Encryption/Decryption

3567/3443

AES 256: FPE (Format-Preserving Encryption)

2052

AES 256 Key Generation

820

   
RSA 2048 Encryption/Decryption

2888/797

RSA 2048 Key Generation

27

RSA 2048 Sign/Verify

789/2911

EC NISTP256 Sign/Verify

665/357

   
Data Security Manager Plugin (Hello world plugin)

1293 (invocations/second)

8.2 Series 2

Key Types and Operations Throughput (Operations/second per 3-node cluster)
AES 256: CBC Encryption/Decryption

4860/5289

AES 256: GCM Encryption/Decryption

3818/5285

AES 256: FPE (Format-Preserving Encryption)

1995

AES 256 Key Generation

1208

   
RSA 2048 Encryption/Decryption

3746/1212

RSA 2048 Key Generation

48

RSA 2048 Sign/Verify

1193/4576

EC NISTP256 Sign/Verify

692/364

   
Data Security Manager Plugin (Hello world plugin)

1856 (invocations/second)

9. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.

Comments

Please sign in to leave a comment.

Was this article helpful?
1 out of 1 found this helpful