[4.1] - Aug 10, 2021

Fortanix Data Security Manager (DSM) 4.1 comes with some exciting new features and enhancements.

This release is superseded by the August 12, 2021, release.

  • It is “REQUIRED” to upgrade Fortanix DSM to version 4.0 before upgrading to version 4.1.
  • After the software package is uploaded, the expected time to upgrade a 3-node cluster is about 1 hour.

1. New Functionality/Feature(s)

1.1 Group based on external Azure Key Vault and Bring Your Own Key (BYOK) for Azure Key Vault. (JIRA: PROD-2141):

With the Fortanix DSM 4.1 release, Azure Key Vault is added to the list of supported Key Management Systems in HSM/external KMS groups. This release supports the management of keys only in the software perimeter of standard/premium key vaults. Fortanix DSM now allows to:

  • Configure the Azure Key Vault group in Fortanix DSM.
  • Import and copy key (Bring Your Own Key - BYOK) into Azure Key Vault.
  • Rotate keys in the Azure Key Vault group. This allows users to rotate keys natively in Azure Key Vault.
  • Soft delete key deletion in Azure Key Vault.
  • Enable/Disable keys in Azure Key Vault directly.


For more details refer to Azure Key Vault user guide.

1.2 Support for Custom Logo (JIRA: PROD-3234):

The Fortanix DSM System Administrators can now customize the Fortanix DSM UI by uploading custom logo on the UI header across all the accounts.



For more details refer to the Sysadmin Settings – Customization user guide.

1.3 HSM Key Segregation (JIRA: PROD-3116):

Users can configure multiple Fortanix DSM groups to map to the same HSM (slot) and manage keys from these groups using the Key Scan options that allow them to do one of the following:

  • Only manage the keys that were created from within the respective Fortanix DSM group.
  • Manage all the keys in the HSM (slot).


For more details refer to the HSM Gateway user guide.

1.4 Custom Tokenization (JIRA: ROFR-2612):

Allow users to create tokenization patterns as a combination of other patterns. The custom token can be a combination of 2 more components with or without delimiters.


For more details refer to the Tokenization user guide.

2. Enhancements to Existing Features

  • Mark the virtual keys when their mapped keys are deleted from the source (AWS/Azure Key Vault) (JIRA: ROFR-2425):

    When virtual keys that are synced from external AWS/Azure Key Vault are deleted from the source, they must also be detected and marked in the Fortanix DSM UI.


  • Security Object UX improvements (JIRA: ROFR-2682):
    1. Added subtitle to the SO tab and SO table. SOTitle.png

  • Prevent expired certificate upload (JIRA: ROFR-2670).
  • UX improvements to importing Opaque objects, Secrets, and Certificates.
  • Sysadmin account provides all logging integrations supported by Fortanix DSM accounts. (JIRA: ROFR-2629).


  • Human readable changes to quorum approval window (JIRA: ROFR-2573):
    The quorum approval for:
    • Enabling “Mandatory two-factor authentication” in the Authentication tab generates human-readable quorum approval details in the Existing and New columns. QuorumApp1.png

    • Editing Log Management integration in the Log Management tab generates human-readable quorum approval details in the Existing and New columns. QuorumApp2.png

  • The minimum waiting period for Key Undo Policy is set to 7 days (JIRA: ROFR-2519): The minimum waiting period for Key Undo policy is set to 7 days during the policy creation/edit to protect against accidental changes. KeyUndo.png

  • Avoid fetching opaque object's value in list (JIRA: PROD-3178): Every API that can return an Sobject should have an optional GET parameter that can redact the `value` field to avoid large data transfers.

3. Bug Fixes

  • This release fixes a panic in the backend while installing the software version (JIRA: PROD-3451).
  • This release fixes the app role update failure (JIRA: PROD-3452): When you update the role to the same role in the Key access justification policy for a Google EKMS app, the request fails.
  • Restrict an Auditor/Member role from accessing Administrative App credentials (JIRA: PROD-3399).
  • Fix panic during the approval of account creation (JIRA: PROD-2560).
  • Reversible time-period not showing for "Destroy key from table view" (JIRA: ROFR-2614).
  • Fix failure to rotate already rotated key (JIRA: ROFR-2748).
  • Handle logging and deactivation in key undo policy (JIRA: ROFR-2721).
  • Intermittent failure on node join (JIRA: DEVOPS-1221).
  • Unable to download the certificate from security object table view (ROFR-2656).

4. Quality Enhancements/Updates

  • Updated RotationPolicy in API documentation.
  • Updated AWS APIs in the documentation.
  • The swdist container uses a 20.04 based image.

5. Known Issues

  • When doing operations such as scan on groups linked to Azure Key Vault, you may receive a “not enough memory” error when the key vault has more than 100 keys (JIRA: PROD -3568).

6. Fortanix Self-Defending KMS Performance Statistics

6.1 Series 1

Key Types and Operations Throughput (Operations/second on a 3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1487 (invocations/second)



6.2 Series 2

Key Types and Operations Throughput (Operations/second on a3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

2153 (invocations/second)



6.3 Azure Standard_DC8_v2

Key Types and Operations Throughput (Operations/second on a 3-node [Standard_DC8_v2] cluster)
AES 256: CBC Encryption/Decryption

4256 / 3871

AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

2299 (invocations/second)


7. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.


Please sign in to leave a comment.

Was this article helpful?
1 out of 1 found this helpful