[4.2] - Oct 1, 2021

Fortanix Data Security Manager (DSM) 4.2 comes with some exciting new features and enhancements.

This release is superseded by November 09, 2021, release. 

It is “REQUIRED” to upgrade Fortanix DSM to version 4.0 before upgrading to version 4.2.
After the software package is uploaded, the expected time to upgrade a 3-node cluster is about 1 hour.

1. New Functionality/Feature(s)

1.1 Tokenization of date datatype with support for date ranges. (JIRA: ROFR-2495):

With the Fortanix DSM 4.2 release, you can tokenize date datatype for the following date formats:



For more details, refer to User’s Guide: Tokenization.

1.2 Allow sysadmin to delete stale users/accounts (JIRA: ROFR-2491):

The Fortanix DSM System Administrators can now clean up users and accounts when a user does not belong to an active account anymore. The wait period duration for account deletion in Fortanix DSM is 7 days. This cannot be configured.

  • Delete account: To delete an account, the user must first disable the account, which initiates the waiting period to ensure the account was not deleted due to an error. Then delete the account after the waiting period ends. Account deletion is irreversible.



  • Delete users: If a user is not part of any account, the user can be deleted from Fortanix DSM.


For more details, refer to the Sysadmin - Delete Users and Accounts Guide.

1.3 Allow updating the group for a security object (JIRA: PROD-1297):

The Key Move feature of Fortanix DSM will allow users to move a security object from a Fortanix DSM group to another Fortanix DSM group.

The following actions will happen as part of the key move operation:

  • The key will be moved from the source group to the target group: The new key will have the same key material as the original key.
  • The key links will remain with the source group and will not be moved to the target group when the key material is moved. Key links must be updated to use the new group that the key material resides in.
  • The Key Rotation Policy will move to the target group with the key.


For more details, refer to User’s Guide: Key Move.

1.4 Support for HAProxy protocol v2 (JIRA: PROD-2969):

This release adds support for HAproxy protocol v1 and v2. This feature allows for correctly configured load balancers to forward client IP addresses to Fortanix DSM.

For more details, refer to Fortanix DSM Installation Guide: HAProxy Support.

1.5 Sequoia-PGP integration for Fortanix DSM (JIRA: PROD-3240):

Fortanix DSM integrates with Sequoia-PGP, a modern implementation of the OpenPGP Message Format. Sequoia has a CLI tool called sq with git-like commands for PGP operations, which is extended by sq-sdkms to communicate with DSM whenever a sensitive cryptographic operation is needed. For more details, refer to Clients: Sequoia-PGP.

2. Enhancements to Existing Features

  1. Support Custom TLS configuration for groups backed by external KMS (JIRA: PROD-3638): From this release, you can add a certificate for authenticating your AWS and Azure KMS, in addition to HSM.



    For more details, refer to the User’s Guide: AWS External KMS and User’s Guide: Azure Key Vault.
  2. Deactivate old key as part of key rotation policy (JIRA: PROD-2575):
    From this release onwards, the option to “deactivate original key after rotation” may be set, as part of the Key Rotation Policy.


    For more details, refer to User’s Guide: Key Lifecycle Management.
  3. Quorum Approval improvements:
    1. Submit approval request for invalid log setting based on account policy (JIRA: ROFR-2774): A quorum approval request is submitted from the UI if you enable/disable “Logging invalid API requests” under Log Management in Account Settings as part of Account Quorum policy.


    2. Cover invalid log setting under account quorum policy (JIRA: PROD-2979): “Logging invalid API requests” under Log Management in Account Settings is now covered under “Log Management” as part of Account Quorum policy.


    3. UX improvement to Deletion of Key Custodian Policy (JIRA: ROFR-2758): Added meaningful message in the quorum approval “completed” tasks window.


    4. Updated Stackdriver log management (JIRA: ROFR-2699): When you update stackdriver configuration details in the Log Management page in Account Settings, the Quorum Approval modal does not show an empty message in the human-readable view.


    5. Cryptographic policy - handling non-compliant keys is now shown in Quorum approval modal view (JIRA: ROFR-2414).


    6. Key-operations edit from cryptographic policy now shows the existing setting in quorum approval (JIRA: ROFR-2413).


  4. Removed 'Deactivate original key after the rotation' option for Azure (JIRA: ROFR-2773): The option 'Deactivate original key after the rotation' in the Key Rotation modal for Azure virtual keys, has been removed.


  5. Error displayed for removal of App’s access to default group (JIRA: ROFR-2718): An error is displayed when the App’s access to its default group is removed. The user is notified through a popup that “Removing these groups would leave the app inaccessible to you".


  6. Added “Actor” column to the Audit Log table (JIRA: ROFT-2697): Added “Actor” column in the Audit Log table, so that a user can filter by a specific user using Search.


  7. [Security Object Table View] Allow deletion of AWS Virtual key only after its AWS Key is permanently deleted from AWS (JIRA: ROFR-2433): “Delete Selected” option will be disabled for an AWS virtual key when its source key is in “pending delete” state.


  8. Fluentd enhancement (JIRA: DEVOPS-1317): To configure forwarding the 'container', 'sdkms', 'system' logs from all nodes in the cluster to multiple remote Syslog servers. For more details, refer to Fortanix DSM Install Guide.
  9. Ability to download complete audit log output per account (JIRA: ROQA-313): Users now have the ability to download the complete audit log output using a filter in a single file.

3. Other Improvements

  • Use KeyLinks to bind primary keys with subkeys in DSM (JIRA: PROD-3410): Key links are enhanced to represent relations between keys such as: parent-child, rotation, and so on.
  • Improvements to memory management of C_FindObjects while using PKCS#11 library (JIRA: PROD-3354).
  • Support publishing public keys for certificates (JIRA: PROD-3340).
  • Extend AppID in certificate SAN for client certificate authentication. (JIRA: PROD-3583).
  • Add enhanced support for preserving certain parts of dates in tokenization (JIRA: PROD-3213).
  • The install_certs command will not allow empty certs (JIRA: DEVOPS-1357).

4. Bug Fixes

  • Disabling accounts by sys-admin will terminate the current user session (JIRA: PROD-3205).
  • Creating a Custodian policy with users not part of the account should not be allowed (JIRA: PROD-2423).
  • Creating a Quorum policy with users not part of the account should not be allowed (JIRA: PROD-2422).
  • Fixed PKCS#11 library where AES keys were getting created as HMAC when using "signing_aes_key_as_hmac" option (JIRA: PROD-3591).
  • RSA keys in FIPS mode would be restricted to either “encrypt/decrypt” or “sign/verify” permissions (JIRA: PROD-3564).
  • Fixed an error where the “Key undo policy- Reversible Changes” section had an empty description for “Expiration with the date” and “audit logging disable” scenarios. (JIRA: PROD-3476).
  • Added check for empty concatenation or OR parts in tokenization schemas (JIRA: PROD-3473).
  • This release prevents user removal from a Fortanix DSM group or account, if they are part of the Key custodian policy (JIRA: PROD-3450).
  • Fixed an error where the “Log management” tab was missing on the left-menu in the system-administrator view (JIRA: ROFR-2691).
  • Fixed Security Object (RSA)– The “Public key published” option has the “URL of API endpoint” link empty (JIRA: ROFR-2404).
  • Fixed sdkms-cluster create fails when "productName: sdkms" is present in the config.yaml (JIRA: DEVOPS-1299).

5. Quality Enhancements/Updates

  • This release includes Kernel and Ubuntu base package updates.

6. Known Issues

  • Azure BYOK plugin returns out of memory error in case the key vault has more than a certain number of keys (JIRA: PROD-3568).
  • exclude is not working in proxy config for operations such as attestation (JIRA: PROD-3311).
  • Single node updates can have kube-dns pending POD (JIRA: DEVOPS-1683).

7. Fortanix Self-Defending KMS Performance Statistics

7.1 Series 2

Key Types and Operations Throughput (Operations/second on a3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

2093 (invocations/second)



7.2 Azure Standard_DC8_v2

Key Types and Operations Throughput (Operations/second on a 3-node [Standard_DC8_v2] cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE (Format-Preserving Encryption)


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1967 (invocations/second)


8. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful