[4.3] - Jan 20, 2022

Fortanix Data Security Manager (DSM) 4.3 comes with some exciting new features and enhancements.

This release is superseded by the March 09, 2022 release.

WARNING

Upgrading Fortanix DSM to version 4.1 is REQUIRED before upgrading to version 4.3.

NOTE

After the software package is uploaded, the expected time to upgrade a 3-node cluster from version 4.1 or 4.2 to 4.3 is about 1.5 to 2 hours.

1. New Functionality/Feature(s)

1.1 Fortanix DSM integration with Google Workspace CSE. (JIRA: PROD-3388):

With the Fortanix DSM 4.3 release, you can perform Google Workspace Client-Side Encryption (CSE) using Fortanix DSM: Google Workspace application data (such as Google Docs and Google Drive) is encrypted with a Data Encryption Key (DEK), and the Fortanix DSM API is used to wrap the DEK before it is stored on Google Cloud storage.

For more details, refer to User’s Guide: Using Google Workspace CSE with Fortanix DSM.

1.2 New App Authentication Method – AWS IAM (JIRA: PROD-3483):

Fortanix DSM extends the App authentication model to allow the App to authenticate using AWS Identity and Access Management (IAM).

For more details, refer to the User’s Guide: Authentication.

1.3 Support for SEED algorithm (JIRA: ROFR-2782):

With release 4.3, you can create security objects of type SEED, which is a 128-bit symmetric-key block cipher.

For more details, refer to User’s Guide: Key Lifecycle Management.

1.4 Implemented server-side table processing (JIRA: PROD-3130):

Server-side table processing improves the runtime performance of Fortanix DSM with full filtering, sorting, and pagination support.

2. Enhancements to Existing Features

  1. Add DSA Support in JCE (JIRA: PROD-3197): This release adds Digital Signature Algorithm (DSA) support in the Fortanix DSM JCE provider.
  2. Support for Certificate-based authentication in CNG (JIRA: PROD-3281):

    With release 4.3, a CNG client can authenticate with Fortanix DSM using a certificate, in addition to authentication using an API key. Fortanix DSM therefore supports either certificate-based or API key-based authentication for a CNG client. For certificate authentication, the user must specify a client certificate, its corresponding private key, and the App UUID for successful authentication.

    For more details, refer to Developers’ Guide: Microsoft CNG Key Storage Provider.

  3. Support KWP mode in UI for Key Wrapping (JIRA: ROFR-2633): This release adds the KWP mode of encryption for key wrapping in the Export and Import Security Object workflows.
  4. Allow group auditors to see approval requests (JIRA: PROD-2491): Group auditors will now be able to see approval requests in the Fortanix DSM Tasks tab for pending tasks.
  5. Added a text box to insert text values during the security object import operation (JIRA: ROFR-2442).

  6. Show the secret object text value when exporting the secret if group quorum policy is applied (JIRA: ROFR-2591):

    The Fortanix DSM UI now allows viewing the value of a Secret Object of type Text (UTF-8) during the Export Secret Object operation.

  7. Stats API: Replace the date range picker with the label 'Today' to fetch the stats corresponding to the current day only (JIRA: ROFR-2954).

3. Other Improvements

  • Removed dependency on Cassandra-0 (JIRA: DEVOPS-1492): This release removes the deploy job dependency on cassandra-0 for running cqlsh. This change avoids a situation where the upgrade does not complete after multiple retries, if a finite retry on deploy jobs is performed.
  • Avoid Compression during DSM backup (JIRA: DEVOPS-1550).
  • Added timeout in repair jobs (JIRA: DEVOPS-1551).
  • Use timestamping server with Windows code signing (JIRA: DEVOPS-1674).
  • Improvement in Cassandra repair jobs (JIRA: DEVOPS-1826): For more details, refer to Fortanix DSM Installation Guide – Troubleshooting and Support.
  • Stop new package installation if swdist files exist (JIRA: DEVOPS-1867).
  • Added Streaming API (JIRA: PROD-2535): This release adds a streaming encryption API to improve support for encrypting and decrypting data larger than the 512KB request size limit.
  • User activity logs are now consistent in the audit log table (JIRA: PROD-2557).
  • Logging API authentication failures on SDKMS (JIRA: PROD-3143): Fortanix DSM now captures all types of authentication success/failure events that are both UI and API specific.
  • Added logs for invoking a plugin using an invalid API key (JIRA: PROD-3221).
  • Added support for AES CMAC in PKCS#11 (JIRA: PROD-3418).
  • Enforced a limit on the number of audit logs that GET logs returns (JIRA: PROD-3632): The limit on the number of audit logs is set to 1000 logs.
  • Included the quorum policy while/after creating a group using the sdkms-cli (JIRA: PROD-3670): The sdkms-cli now has an option to select a quorum policy while creating a group.
  • The health check API is now aware of various global queues (JIRA: PROD-3675).
  • Added retry mechanism for EKM DLL (JIRA: PROD-3687): The EKM client now reconnects automatically if the connection to a database goes down because of issues such as a network outage.
  • Support for Azure Managed HSM BYOK Plugin AES key generation (JIRA: PROD-3783): You can now create AES symmetric keys for Azure's Managed HSM using the Fortanix DSM Azure Bring Your Own Key (BYOK) Plugin.
  • Improved accuracy of dates when returning audit logs using sdkms-cli (JIRA: PROD-3857).
  • The KMIP protocol now allows creating a secret object with the DERIVEKEY operation (JIRA: PROD-3862).
  • Added authorization for the Fortanix DSM app to use the GET API to get the information of all the groups that are members of the app (JIRA: PROD-3884).
  • Redacted the account policy fields such as key_history_policy, log_bad_requests, client_configurations, and workspace_cse_config for sysadmins (JIRA: PROD-3941).
  • Avoided excessive sys/v1/apps calls when navigating through audit logs (JIRA: ROFR-2849).
  • Added metrics for deferred post-response updates (JIRA: PROD-3661): This is useful in debugging issues related to app_lastused or session_expiry post-response updates.
  • Added security object get_all and get_by_names in the Plugin reference (JIRA: PROD-3759): For more details, refer to Lua Plugin Reference Guide.
  • Added userviaapp principal type in Plugin (JIRA: PROD-3942).
  • Improved debug of scheduled operations (JIRA: PROD-3790).
  • Documented POST /crypto/v1/keys/info API and fixed a typo (JIRA: PROD-3856).
  • Documented how plugins can require approvals using the require_approval_for or the check function (JIRA: PROD-3883).
  • Plugin fetch using git:// protocol now works (JIRA: ROFR-2904): Changing the call to https:// and removing www makes it work without any additional changes.
  • Fortanix DSM now uses the stats database to report usage data (JIRA: PROD-3885): The stats and usage API is now updated to use the new table created with account_id, timestamp (UTC), and Usage/stats info in the database when related logs are purged.

4. Bug Fixes

  • Fixed Fortanix DSM installation/cluster-creation failure if the user's umask is anything other than 0022 (JIRA: DEVOPS-1243).
  • Fixed deploy failure error: “doesn't match $setElementOrder list” (JIRA: DEVOPS-1536).
  • Fixed missing KMIP load balancer rule in Azure marketplace (JIRA: DEVOPS-1825).
  • Fixed deploy pod failure for Elasticsearch without any audit logs (JIRA: DEVOPS-1860).
  • Fixed renew-K8s-certs.sh script failure (JIRA: DEVOPS-1861).
  • Sequoia RPM package (sq-dsm-0.1-0.x86_64.rpm) can now be installed successfully (JIRA: DEVOPS-1862).
  • Fixed panic when rotating AWS-backed virtual keys (JIRA: PROD-3571).
  • Fixed an issue where sync keys in AWS Group resulted in inconsistent results (JIRA: PROD-3620).
  • Fixed panic during the scan operation on an AWS group while creating a secret object using API (JIRA: PROD-3765).
  • Fixed /sys/v1/users returns 500 on the sysadmin account (JIRA: PROD-3767).
  • Fixed an issue where [KMIP]: Cryptographic Usage Mask was missing in GetAttributes operation (JIRA: PROD-3774).
  • Fixed an issue where several API calls and scheduled operations were failing with: Database mbedtls error: mbedTLS error CipherAuthFailed (JIRA: PROD-3789).
  • Fixed the CipherAuthFailed error for sys/v1/users and sys/v1/groups for an account (JIRA: PROD-3799).
  • Fixed panic in derive with FPE mode (JIRA: PROD-3815).
  • Fixed an error where PKCS#11 library creates threads even if CKF_LIBRARY_CANT_CREATE_OS_THREADS is passed (JIRA: PROD-3818).
  • Removed virtual key sync deletion logic when sysadmin is deleting the stale account (JIRA: PROD-3842).
  • External groups will not allow the creation of opaque and secret objects anymore (JIRA: PROD-3876).
  • Added userviaapp principal type in the plugin (JIRA: PROD-3942).
  • Updated API documentation and error message to show that hash-based signing is not supported in FIPS (JIRA: PROD-3947).
  • Fixed SEED CBC padding (JIRA: PROD-3953).
  • Fixed Azure BYOK - Scan - 500 API error (JIRA: PROD-3967).
  • Fixed get_all in plugins (JIRA: PROD-3980).
  • Fixed public key import in HSM-backed group failure (JIRA: PROD-4004).
  • Fixed an issue where the Azure Managed HSM and Premium plugins throw a stack trace instead of the actual error message in case of misconfiguration (JIRA: PROD-4014).
  • Fixed an issue where users were unable to see all accounts on the accounts listing page (JIRA: ROFR-2465).
  • Fixed an issue where stale account deletion by sysadmin displays the wrong error message (JIRA: ROFR-2803).
  • Fixed an error where the Administrator name became invisible when you perform any action on sysadmin and go to the accounts detail page (JIRA: ROFR-2817).
  • Fixed an issue where the audit log of a previous user is shown under sysadmin user instead of the new user (JIRA: ROFR-2834).
  • Disabled HIGHVOLUME (disable audit log) on a secret which caused the creation of the secret object to fail (JIRA: ROFR-2836).
  • Fixed an issue where the quorum approval request view modal window does not scroll horizontally (JIRA: ROFR-2845).
  • Fixed sysadmin Splunk -> error "Invalid certificate. Please check the certificate and verify it is a valid certificate in PEM format" (JIRA: ROFR-2851).
  • Fixed AWS group: test connection error - unhandled exception from the plugin (JIRA: ROFR-2871).
  • Fixed an issue where the HSM/KMS fields were not visible on the group detailed page and errors when testing the connection using the TEST CONNECTION button (JIRA: ROFR-2879).
  • If an AWS key is not in the Destroyed state, then the delete row in the security object table under Group/App/User/Plugin detailed view is disabled (JIRA: ROFR-2944).
  • Fixed an issue where the “Export Key” feature gives incorrect results in the modal window while the downloaded file contains the correct result (JIRA: ROFR-2983).
  • Fixed wrong use of unknown_field in Deserialize implementation for HmgConfig (JIRA: PROD-3800).
  • Fixed Admin app certificate error - "Invalid API path" and "Inappropriate authorization" (JIRA: ROFR-2936).
  • Fixed pagination issue for AWS BYOK where syncing keys returned only the first 100 keys (JIRA: PROD-3840).
  • Fixed VMware integration with KMIP failure (JIRA: PROD-3777).
  • Fixed the Cleanup job failure (JIRA: PROD-3978).
  • Fixed the -a flag deprecation in Kubernetes 1.14 that was causing the kubectl command to fail (JIRA: DEVOPS-1646).
  • Fortanix DSM will use the "https://" protocol instead of the "git://" protocol for the plugin registry (JIRA: PROD-4052).

5. Quality Enhancements/Updates

  • Updated the DSM backend container to Ubuntu 20.04 (JIRA: DEVOPS-1287).
  • This release includes a Kubernetes (K8s) upgrade from version 1.10 to version 1.14 (JIRA: DEVOPS-1351). For more details, refer to Administration Guide: Kubernetes Upgrade to 1.14.
  • Updated Sensu agent for supporting TLS authentication between agent and server instead of using username/password (JIRA: DEVOPS-1352).
  • Upgraded Kernel from 5.4 to 5.8 (JIRA: DEVOPS-1364).
  • Upgraded Kernel to 5.8 for AWS and Azure (JIRA: DEVOPS-1801).
  • Updated flannel as part of the k8s upgrade (JIRA: DEVOPS-1455).
  • Retained Cassandra debug logs (/var/log/cassandra) on a host when the container is restarted (JIRA: DEVOPS-2016).
  • Elasticsearch components will be cleaned up if audit log/statistics migration has been completed successfully (JIRA: PROD-3174).

6. Security 

  • Content-Security-Policy is enforced (JIRA: PROD-2384). For more details, refer to the Sys Admin Settings Guide – Policies.
  • Updated to using log4j 2.17.1 in the JCE client (JIRA: PROD-4012).

7. Known Issues

  • When a cluster is upgraded from build 4.2.2087 to <4.3.xxxx> on a 3-node cluster, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2106). Workaround: If all the pods are healthy, you can deploy the version again.
  • When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
  • The sync key API returns “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • Fortanix DSM cluster upgrade is interrupted when the warmup-proxy-cache job is running, and the next iteration starts as soon as the current one completes (JIRA: DEVOPS-1951).
    Workaround: Delete the cronjob warmup-proxy-cache before starting the upgrade:
    kubectl delete cronjob warmup-proxy-cache
    The upgrade will take care of creating this cronjob again in the cluster.
  • The Azure BYOK plugin returns an out-of-memory error if the key vault has more than a certain number of keys (JIRA: PROD-3568).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD-3311).

8. Fortanix Self-Defending KMS Performance Statistics

8.1 Series 2

| Key Types and Operations | Throughput (Operations/second on a 3-node cluster) |
|---|---|
| AES 256: CBC Encryption/Decryption | 4770/4836 |
| AES 256: GCM Encryption/Decryption | 4896/4705 |
| AES 256: FPE Encryption/Decryption | 2564/2555 |
| AES 256 Key Generation | 1165 |
| RSA 2048 Encryption/Decryption | 4383/1173 |
| RSA 2048 Key Generation | 48 |
| RSA 2048 Sign/Verify | 1168/4330 |
| EC NISTP256 Sign/Verify | 642/336 |
| Data Security Manager Plugin (Hello world plugin) | 1978 (invocations/second) |

8.2 Azure Standard_DC8_v2

| Key Types and Operations | Throughput (Operations/second on a 3-node [Standard_DC8_v2] cluster) |
|---|---|
| AES 256: CBC Encryption/Decryption | 3866/3691 |
| AES 256: GCM Encryption/Decryption | 3765/3617 |
| AES 256: FPE Encryption/Decryption | 2238/2286 |
| AES 256 Key Generation | 1152 |
| RSA 2048 Encryption/Decryption | 3557/1164 |
| RSA 2048 Key Generation | 66 |
| RSA 2048 Sign/Verify | 1135/3295 |
| EC NISTP256 Sign/Verify | 556/315 |
| Data Security Manager Plugin (Hello world plugin) | 1912 (invocations/second) |

9. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.
