[4.4] - Feb 16, 2022

Fortanix Data Security Manager (DSM) 4.4 comes with some exciting new features, general enhancements, improvements, and resolved issues.

This release is superseded by March 04, 2022, release. 

It is “REQUIRED” to upgrade Fortanix DSM to version 4.2 or 4.3 before upgrading to version 4.4.
After the software package is uploaded, the expected time to upgrade a 3-node cluster is about 1.5 to 2 hours from version 4.2 or 4.3 to 4.4.

1. New Functionality/Feature(s)

1.1  Key metadata policy for Fortanix DSM groups (JIRA: ROFR-2686):

Key metadata policies can be set on Fortanix DSM groups which allow users to configure certain restrictions on the “metadata” associated with security objects.  Here, “metadata” refers to certain features of security objects that are not covered by Cryptographic policies.  For example, custom metadata, description, expiry, and so on. This policy allows users to specify that certain metadata “must be present”, “must not be present”, or “must be present and have certain value”.


For more details, refer to User's Guide: Key metadata policy.

1.2 Group based on external Google Cloud Platform (GCP) KMS and Bring Your Own Key (BYOK) for GCP (JIRA: ROFR-2643) : 

GCP Key Management Service is added to the list of supported Key Management Systems in HSM/External KMS groups. Fortanix DSM can now manage keys in GCP and allows to:

  • Configure the GCP KMS group in Fortanix DSM.
  • Import and copy key (Bring Your Own Key - BYOK) into GCP KMS.
  • Enable/Disable keys in GCP KMS directly.


For more details refer to the User’s Guide: GCP Cloud Key Management.

1.3  Billable metrics support in Fortanix DSM Account and Sys Admin dashboard (JIRA: ROFR-2842):

Fortanix DSM now shows the usage of resources associated with an account. Real-time and historical data of these metrics can now be viewed in the Fortanix DSM account and Sys Admin dashboard.


For more details, refer to User’s Guide: Fortanix DSM Usage Metrics.

1.4  Support Fortanix DSM on Azure non-SGX VMs (JIRA: DEVOPS-2123): 

  1. This release supports the standard deployment of Fortanix DSM on non-SGX Azure VMs. For more details, refer to the Fortanix DSM Installation from Azure Marketplace guide.

2. Enhancements to Existing Features

  1.  Simplified UI for authorization provider in Google Workspace CSE (JIRA: ROFR-2973): You can now select Google Drive and Docs to configure this option as an authorization provider so that the authorization settings will be automatically included for Google Drive and Docs. WorkspaceCSE.png
    For more details, refer to User’s Guide: Using Google Workspace CSE with Fortanix DSM.
  2. The “Expires” field in the detailed view of a security object is now renamed to “Deactivation date” in the UI (JIRA: ROFR-2973):


  3. Fortanix DSM account name change now initiates quorum approval (JIRA: ROFR-2870): Renaming an account now generates a quorum approval request. For more details, refer to the User’s Guide: Quorum Policy.
  4. Cluster Master Key protection for Software version of DSM (JIRA: PROD-3404): When Fortanix DSM is deployed on platforms that do not support Intel SGX, such as AWS, the Cluster Master Key is now protected using another key. This key can be stored on an external instance of Fortanix DSM, for example, an on-prem cluster. For more details, refer to the Administration Guide: Cluster Deployment Key Protection – non-SGX
  5. Public key authentication for SCP backup (JIRA: DEVOPS-1320):

    You can now set passwordless authentication for SCP backup. For more details refer to Administration Guide: Backup and Restore in Fortanix DSM.

  6. Fortanix DSM SaaS usage metrics are now reported on the dashboard (JIRA: PROD-3940): For more details, refer to the User’s Guide: Usage Metrics.

3. Other Improvements

  • All world-writable folders have their sticky bit set (JIRA: DEVOPS-1880): This improvement prevents the ability to delete or rename files in the world-writable directories (such as /tmp ) that are owned by another user.
  • Set external HSM credentials in k8s secret using sdkms-cluster (JIRA: PROD-2162):
    This allows the Cluster Master Key (CMK) to be protected by an external HSM when outside SGX.
  • Audit logs will not be deleted during the account delete operation (JIRA: PROD-3843).
  • Security object filter operation now supports filtering by state (JIRA: PROD-3981).
  • Azure BYOK plugin now supports extractable keys in Luna HSM (JIRA: PROD-3965).

4. Bug Fixes

  • Fixed an issue where the sdkms-cluster update fails if cluster-config.sdkms secret is missing (JIRA: DEVOPS-2072).
  • Fixed HMG issue with Sync Keys for SanSec HSM (JIRA: PROD-3330).
  • Fixed Azure BYOK plugin “out of memory” error when the key vault has more than a certain number of keys (JIRA: PROD-3568).
  • Fixed an issue that now allows pagination support for Azure BYOK key versions in the UI (JIRA: PROD-3623).
  • Allow Admin apps to change user roles (JIRA: PROD-3671).
  • Fixed an issue where Fortanix DSM returns 403 error due to a bug related to group existence check when an administrative app tries to create a new security object or crypto app (JIRA: PROD-3678).
  • Fixed an issue where AWS Scan fails with 500 ERROR (JIRA: PROD-3787).
  • Fixed an issue where Azure Managed HSM and Premium plugins were throwing stack trace instead of actual error message in case of misconfiguration (JIRA: PROD-4014).
  • Fixed an issue where /sys/v1/accounts creates panic (JIRA: PROD-4109).
  • Fixed an issue where the normal plugin details page in the Fortanix DSM UI hangs if GitHub access is not available (JIRA: ROFR-2899).

5. Quality Enhancements/Updates

  • Upgraded the exabgp base container to Ubuntu 20.04 version (JIRA: DEVOPS-1413).

6. Security 

7. Known Issues

  • An account could be lost if account tables are inconsistent between nodes. Make sure a backup is successful before proceeding with ANY upgrade (JIRA: PROD-4234).
  • When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
  • The sync key API returns “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • Fortanix DSM cluster upgrade is interrupted when the warmup-proxy-cache job is running, and the next iteration starts as soon as the current one completes (JIRA: DEVOPS-1951).
    Workaround: Delete the cronjob warmup-proxy-cache before starting the upgrade:
    kubectl delete cronjob warmup-proxy-cache
    The upgrade will take care of creating this cronjob again in the cluster
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).

8. Fortanix Self-Defending KMS Performance Statistics

8.1 Series 2

Key Types and Operations Throughput (Operations/second on a  3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1978 (invocations/second)



8.2 Azure Standard_DC8_v2

Key Types and Operations Throughput (Operations/second on a  3-node [Standard_DC8_v2] cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1816 (invocations/second)


9. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful