[4.9] - Jul 29, 2022

Fortanix Data Security Manager (DSM) 4.9 comes with some exciting new features, general enhancements, improvements, and resolved issues.

This release is superseded by September 02, 2022, release.

  • It is “REQUIRED” to upgrade Fortanix DSM to version 4.6 or 4.8 before upgrading to version 4.9. If you want to upgrade to 4.9 from an older version, please reach out to the Fortanix Customer Success team.
The Fortanix DSM cluster upgrade must be done with Fortanix support on call. Please reach out to Fortanix support if you are planning an upgrade.

1. New Functionality/Feature(s)

1.1 Group key encryption key (KEK) (JIRA: ROFR-2492):

This release adds support to the group key encryption key (KEK) feature, where all keys generated inside a group always remain encrypted by a Master Encryption Key (KEK) which is a Symmetric key configured at the group level. This KEK belongs to another group. The KEK should have the encrypt, decrypt, wrap, and unwrap permissions and should be activated/enabled. The KEK is required to be AES 256.


For more details, refer to User’s Guide: Group Key Encryption Key (KEK).

1.2 Custom Roles (JIRA: ROFR-2090):

This release adds support for creating custom roles that allow fine-grained control over what users can do in the Fortanix DSM accounts and groups.


For more details refer to User’s Guide: Custom Roles.

1.4 Support for SSO Self-Provisioning (JIRA: ROFR-3262):

This release adds support for users to provision themselves in Fortanix DSM when the account is configured with LDAP.

For more details refer to User’s Guide: Single-Sign On.

2. Enhancements to Existing Features

  1. Decoupled key rotation from key deletion/destruction in the quorum policy setup (JIRA: ROFR-3173):

    This release separates key rotation from key deletion/key destruction in the group quorum policy add/edit flow. The Destroy Key, Update Key, Rotate Key option has been broken down into various sub-options that a Group Admin can configure for quorum approval.


    For more details, refer to the User’s Guide: Quorum Approval.

  2. Added new key access justification reasons in the UI for Google EKM (JIRA: ROFR-3260):

    This release adds support for the following two additional key access justification reasons for Google EKM at the app and key level:

    • Modified Google-initiated system operation
    • Google response to production alert

    For more details, refer to the Use Case Guide: Fortanix DSM with GCP EKM.

  3. Expose easy wizards for Fortanix DSM on-premises deployments (JIRA: ROFR-3257):

    This release exposes the Integration tab on Fortanix DSM on-premises for the following easy wizards.

    • Snowflake
    • Microsoft DKE
    • VMware
    • Cohesity
    • Rubrik
    • NetApp
    • Scality
    • IBM DB2
    • Veritas

    For more details, refer to the Use Case Guide: Fortanix DSM with GCP EKM.

  4. Split copying UUID and URL of the plugin in the plugin detailed view (JIRA: ROFR-1886):

    You can now copy the Fortanix DSM plugin UUID and plugin URL using individual buttons.


  5. Added Cluster configuration flag in the SysAdmin settings to enable the Custom Roles feature (JIRA: ROFR-3258).
  6. Support for SCP “PRIVATEKEY” auth mode for Cassandra audit log backup (JIRA: DEVOPS-2851):

    This release adds support for backing up Cassandra audit logs using privatekey auth mode.

    For more details, refer to the Administration Guide: Backup and Restore

  7.  Added support for unwrapping using an external key to import the key into an external HSM (JIRA: PROD-4937).

3. Client Enhancements

  1. Terraform support: CSR generation and Security Object error fixes (JIRA: DEVOPS-2799):

    This release adds support to generate CSR signed by the Fortanix DSM security object. For more details, refer to the Developer’s Guide: Terraform Provider.

4. Other Improvements

  1. Use "Manage Auth" or "Manage Authentication & Authorization" for the MANAGE_AUTH permission (JIRA: ROFR-3344).
  2. Refresh session user permissions when a user is refreshed (JIRA: PROD-3340).
  3. Tested Fortanix DSM on Azure DC_V3 VMs (Intel SGX) (JIRA: PROD-5033).
  4. The input handling for Cluster Deployment Key (CDK) is now handled better (JIRA: DEVOPS-2306).
  5. Exposed explicitly assigned user groups (JIRA: PROD-5013).
  6. Removed vXXXX configmaps with all the applied charts (JIRA: DEVOPS-2854).
  7. The manual backup script now executes a dedicated “auditlog” backup job. (JIRA: DEVOPS-2837).
  8. Cloned Group key encryption key feature backend implementation (JIRA: PROD-4822).
  9. DSM SaaS - added a warning banner to MOTD for SSH login (JIRA: DEVOPS-2198).
  10. Handled multiple system (error) messages gracefully (JIRA: ROFR-1306).
  11. Packaged cri-tools version 1.13.0-01 in the Fortanix DSM installer (JIRA: DEVOPS-2849).

4. Bug Fixes

  • Fixed an issue where empty notifications show up when the back end has no error messages (JIRA: ROFR-2918).
  • Fixed an issue where Group Auditors cannot see pending tasks (JIRA: ROFR-2772).
  • Fixed an issue where the "Change" button for sending a request to update a subscription was missing on the Subscription page in DSM SaaS (JIRA: ROFR-3412).
  • Fixed an issue where the “Security Object was successfully rotated" pop-up is thrown before the quorum request is accepted (JIRA: ROFR-3399).
  • Fixed an error where inviting a user as an Account Administrator or Auditor from the LDAP directory gives the "JSON error: `321de904-738f-5d99-80da-db9daea915f7` is not a custom role id at line 1 column 90" (JIRA: ROFR-3398).
  • Fixed an issue where "Update Profiles" is incorrectly mapped with the "Audit Logs" permission label in the Quorum approval window (JIRA: ROFR-3397).
  • Fixed an issue where users were unable to log in to Fortanix DSM SaaS test beds due to regression from "SSO self-provisioning" (JIRA: ROFR-3396).
  • Fixed an issue where the “Copy URL” button was showing in the plugin list (JIRA: ROFR-3395).
  • Fixed an issue that causes a user to log out automatically (JIRA: ROFR-3372).
  • Fixed an issue that displays an “Oops” error message on task approval with “no read all custom group role permission” (JIRA: ROFR-3367).
  • Fixed an issue where the Save button was not displayed for update plugins code (with UPDATE_PLUGINS custom group role permission) (JIRA: ROFR-3359).
  • Fixed an issue where no error message was displayed on creating new custom plugins (without CREATE_PLUGINS custom group role permission) (JIRA: ROFR-3356).
  • Fixed an issue where disabling "Update Security Object Policies" in the Custom group role, then in the Security Object detailed view page, in the Key Access Justification tab, the "Add policy" and "Edit policy" button should not be enabled (JIRA: ROFR-3354).
  • Fixed an issue where even if we are not enabling the “Create external groups” option in the Custom role, even then users are able to see the LINK HSM/EXTERNAL KMS button (JIRA: ROFR-3353).
  • Fixed SigV4 panic on bad requests (JIRA: PROD-5071).
  • Fixed an issue where after enabling "Create Group Approval Policy" in the Custom group role, creating and saving a Quorum approval policy at the group level fails and asks for some extra group level permissions (JIRA: ROFR-3352).
  • Fixed an issue where downgrade from DSM 4.9 to 4.8 fails on the latest RC 4.9.2073-2293 (JIRA: DEVOPS-2927).
  • Fixed an issue where the user was unable to export security objects in any types, element target id mismatch (JIRA: ROFR-3347).
  • Fixed an issue where the AWS IAM Auth option is not shown on the Add New App modal window (JIRA: ROFR-3346).
  • Fixed an issue where the Sdkms-backup job is failing to get back up on the Azure container for the second time (JIRA: DEVOPS-2917).
  • Fixed an issue where the user was able to delete the KEK key after Key Rotation (JIRA: PROD-5046).
  • Fixed Custom roles - GET permission issues (JIRA: ROFR-3341).
  • Fixed an issue where Quorum Request was not requested while removing a KEK (JIRA: PROD-5044).
  • Fixed an issue where the DSM build Install failed on one of the nodes as cleanup did not work successfully (JIRA: DEVOPS-2911).
  • Fixed an issue so that changing SharedSysadminAccountSharedSysadminAccount now returns a separate session each time (JIRA: PROD-5034).
  • Fixed an issue where an operation in the group KEK feature required approval and was showing an error while adding Quorum Policy for the KEK Group (JIRA: PROD-5053).
  • Fixed an issue for the Custom roles feature in the invite a user with all-groups role flow which runs into error in the group’s assignment step (JIRA: ROFR-3331).
  • Fixed an issue where a group containing a KEK should not be allowed to be configured with a KEK from another group (JIRA: PROD-5011).
  • Fixed an issue where the custom role drop down menu should not be present on the create custom roles page (JIRA: ROFR-3330).
  • Fixed an issue that resulted in an empty "role_id" parameter in POST{{host}}/sys/v1/roles (JIRA: ROFR-3332).
  • Fixed a Security Object table page panic, after disabling the security object (JIRA: PROD-5008).
  • Fixed an issue where there was an error while creating a cluster in AWS (JIRA: DEVOPS-2894).
  • Fixed an issue where Serde(ErrorImpl { code: Message("missing field `users`")  crashes in sdkms-join (JIRA: PROD-5038).
  • Fixed an issue where the attestation tool packaged in DSM does not have execute permission (JIRA: DEVOPS-2879).
  • Fixed an issue where the Legacy Modal has a lower z-index than the Baklava Modal (JIRA: ROFR-3313).
  • Fixed an issue where backup fails if backup + auditlog backup schedule overlaps (JIRA: DEVOPS-2852).
  • Fixed an issue that caused an incorrect toast message displayed when an app is enabled and disabled (JIRA: ROFR-3247).
  • Fixed an issue with etcd pod https port number while upgrading DSM (JIRA: DEVOPS-2447).
  • Fixed an issue in the Key rotation policy where, while editing the time, "pm" converts to "am" (JIRA: ROFR-2907).
  • Fixed an issue that resulted in empty concat or OR parts in token schemas (JIRA: PROD-3473).
  • Fixed inconsistency in plugin detail view (JIRA: ROFR-1181).
  • Fixed an issue where copy/paste U2F recovery codes have missing spaces (JIRA: ROFR-1176).

5. Quality Enhancements/Updates

  • Decreased TCP Keepalive intervals (JIRA: DEVOPS-2678).
  • Support for Fortanix sdkms-client for Java version 11 (JIRA: PROD-4546).
  • Fully removed Elasticsearch templates (JIRA: DEVOPS-2842).
  • Removed pre-deploy job and associated machinery (JIRA: DEVOPS-2839).

6. Security 

  • User Initialization Files are now Owned and Group-Owned by the Primary User (JIRA: DEVOPS-2498).
  • Added noexec Option to /dev/shm (JIRA: DEVOPS-2503).

7. Known Issues

  • An account could be lost if account tables are inconsistent between nodes. Make sure a backup is successful before proceeding with ANY upgrade (JIRA: PROD-4234).
  • When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
  • The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).

8. Fortanix Self-Defending KMS Performance Statistics

8.1 Series 2

Key Types and Operations Throughput (Operations/second on a  3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1815 (invocations/second)



8.2 Azure Standard_DC8_v2

Key Types and Operations Throughput (Operations/second on a  3-node [Standard_DC8_v2] cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

 1721 (invocations/second)



8.3 Series 2 JCE

Key Types and Operations Throughput (Operations/second on a  3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256 Key Generation


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1818 (invocations/second)



8.4 Azure Standard_DC8 JCE

Key Types and Operations Throughput (Operations/second on a  3-node [Standard_DC8 JCE] cluster)
AES 256: CBC Encryption/Decryption


AES 256 Key Generation


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1761 (invocations/second)

9. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful