Using Fortanix Data Security Manager with MinIO (KES Server)


This article describes how to integrate Fortanix Data Security Manager (DSM) with MinIO’s Key Encryption Service (KES) server that uses Fortanix DSM as a persistent and secure key store. KES server runs inside Kubernetes and distributes cryptographic keys to Fortanix DSM applications. This article also contains the information that a user needs to:

  • Configure Fortanix DSM
  • Set up KES server


KES-Architecture.pngFigure 1: KES with DSM architecture

KES Server acts as a bridge between a Fortanix DSM and cloud-native applications. Here Fortanix DSM is the central KMS that protects the master keys and acts as the root of trust in your infrastructure. Instead of deploying and managing one KMS per set of applications, when an application wants to encrypt data, it can request a new DEK from a KES server or ask the KES server to decrypt an encrypted DEK. This way the load on the central KMS (Fortanix DSM) does not increase much because KES can serve the vast majority of application requests without talking to Fortanix DSM.

For more details refer to

Fortanix Data Security Manager Configuration

Create Application

First, register a new application that can authenticate and communicate to the Fortanix DSM instance. To do that,

  1. Go to the Apps page in the Fortanix DSM UI and create a new App. KES-CreateApp.png Figure 2: Create new app
  2. Enter a descriptive name for the app. For example, KES.
  3. Select REST as the Interface and select API Key as the Authentication method. KES-CreateApp1.pngFigure 3: Create app

Assign App to Group

  1. Next, assign the application to a group. This group will be the default group of the application. The newly created keys will belong to this group unless an explicit group ID is specified in the KES configuration file. KES-AssignGroup.pngFigure 4: Assign app to group
  2. Click SAVE to complete creating the application.
  3. Click COPY API KEY to copy the application’s API key. This key is the access credential to talk to Fortanix DSM as the application. KES-CopyAPIKey.pngFigure 5: Copy API key

KES Server Setup

First, you need to generate a TLS private key and certificate for the KES server. A KES server can only be run with TLS - since secure-by-default. Here we use self-signed certificates for simplicity. For a production setup, we highly recommend using a certificate signed by CA (for example, your internal CA or a public CA like Let's Encrypt).

Generate a TLS Private Key and Certificate for the KES Server

The following command will generate a new TLS private key server.key and a X.509 certificate server.cert that is self-signed and issued for the IP and DNS name localhost (as SAN). You may want to customize the command to match your setup.

kes tool identity new --server --key server.key --cert server.cert --ip "" --dns localhost

Any other tooling for X.509 certificate generation works as well. For example, you could use openssl:

$ openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
$ openssl req -new -x509 -days 30 -key server.key -out server.cert \
   -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:"

Create Private Key and Certificate for your Application

kes tool identity new --key=app.key --cert=app.cert app

You can compute the app identity using:

kes tool identity of app.cert

Create Configuration File

Now, you have defined all entities in your demo setup. Wire everything together by creating the config file server-config.yml:

root:    disabled  # We disable the root identity since we don't need it in this guide 
key : server.key
cert: server.cert
     - /v1/key/create/my-app*
     - /v1/key/generate/my-app*
     - /v1/key/decrypt/my-app*    
       endpoint: "<your-fortanix-sdkms-endpoint>"    # Use your Fortanix instance endpoint.
         key: "<your-api-key>" # Insert the application's API key

Start the KES Server

Finally, start the KES Server in a new window/tab.

export APP_IDENTITY=$(kes tool identity of app.cert)
kes server --config=server-config.yml --auth=off

Where, --auth=off is required since your root.cert and app.cert certificates are self-signed.

Connect to the Server

In the previous window/tab, you can now connect to the server using the following commands:

export KES_CLIENT_CERT=app.cert
export KES_CLIENT_KEY=app.key
kes key create -k my-app-key

Where, -k is required because your are using self-signed certificates.

Decrypt Data Encryption Keys

Finally, you can derive and decrypt the data keys from the previously created my-app-key.

kes key derive -k my-app-key
   plaintext : ...
   ciphertext: ...
kes key decrypt -k my-app-key <base64-ciphertext>


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful