[4.11] - Sept 30, 2022

Fortanix Data Security Manager (DSM) 4.11 comes with some exciting new features, general enhancements, improvements, and resolved issues.

This release is superseded by October 13, 2022, release.

  • It is “REQUIRED” to upgrade Fortanix DSM to version 4.8 or 4.9 before upgrading to version 4.11. If you want to upgrade to 4.11 from an older version, please reach out to the Fortanix Customer Success team.
The Fortanix DSM cluster upgrade must be done with Fortanix support on call. Please reach out to Fortanix support if you are planning an upgrade.

1. New Functionality/Feature(s)

1.1 New Home Page for DSM SaaS (JIRA: ROFR-3472):

This release adds a new Home tab for DSM SaaS which is the landing page for users after they successfully log in to Fortanix DSM SaaS and create an account.


For more details, refer to Fortanix DSM SaaS Homepage.

1.2 Added the ability to delete Key access justification policy (JIRA: ROFR-3308):

You can now delete the Key access justification policy configured for a security object.


For more details refer to the guide Fortanix DSM with Google EKM Interface.

1.3 DSM password behavior changes (JIRA: ROFR-3456)

A DSM System Administrator can now configure if a user should not use dictionary words, or repetitive and sequential characters while setting up a password.

For more details refer to Administration Guide: SysAdmin Settings Guide - Policies.

1.4 Support for BMC firmware upgrade for Series 1 (JIRA: DEVOPS-2541):

This release adds support for upgrading BMC firmware on FX2200 Series 1 appliances.

For more details refer to Administration Guide: Fortanix IPMI Setup for FX2200 Series1.

1.5 Beta launch of Fortanix Transparent Encryption Proxy (JIRA: DEVOPS-2855)

Fortanix Transparent Encryption Proxy is a local API request/response encryption proxy that helps users to encrypt browser inputs before sending them to the upstream and decrypt the upstream responses before sending them back to the browser. TEP works in conjunction with Fortanix DSM to give transparent encryption/tokenization capabilities to the customer.

For more details, refer to the DSM with TEP integration Guide- Beta.

2. Enhancements to Existing Features

  1. Allow creating more object types for DSM backed groups (JIRA: PROD-5444):

    This release removes the restriction for the types of keys that can be created for DSM backed groups (using the “Store keys externally” option where the request is initiated by the destination group) and allows key types such as SEED, ARIA, and so on to be created or imported.

  2. Updated the description text for Microsoft Easy Wizard Integration (JIRA: ROFR-3542):
  3. Improved SysAdmin “Pending Changes” message (JIRA: ROFR-3486).
  4. Added “Cluster read-only mode” message (JIRA: ROFR-3477):

    The Fortanix DSM UI now displays a message on the top when the cluster is running in read-only mode.

  5. Added a datetime range picker for the “created at” search filter in the Security Objects table (JIRA: ROFR-3476). DateTimeRange.png

  6. Updated the icon for “Developer Resources” in the detailed view of a plugin (JIRA: ROFR-3380).
  7. Custom Roles UX improvements.
    1. Added the ability to select all permissions within a permission category and expand-contract the permission category in the permission editor and assignment screens (JIRA: ROFR-3365). CustomRole.png
    2. Other improvements (JIRA: ROFR-3360).
  8. Korean algorithm improvements for DSA, KCDSA, EC-KCDSA(JIRA: ROFR-3278).
    1. Added the DOWNLOAD PUBLIC KEY button for DSA, KCDSA, EC-KCDSA.
    2. Added the REMOVE PRIVATE KEY button for DSA, KCDSA, EC-KCDSA. KoreanSO.png

    3. Fixed KCDSA, EC-KCDSA parameter selection, and other improvements. KoreanParameter.png

  9. Updated product branding from “SDKMS” to “DSM” in the UI (JIRA: ROFR-3199).
  10. Updated the text for Google Stackdriver to Google Cloud’s operation suite (JIRA: ROFR-3191). The text “Google Stackdriver” in UI is now updated to “Google Cloud’s operation suite”. GoogleSuite.png
  11. Disabled System Administration option in the UI when the System Administrator is disabled (JIRA: ROFR-2917).
  12. Corrected inconsistent placement of import/export requests in the Pending/Completed tabs on the Fortanix DSM Tasks page (JIRA: ROFR-2768).
  13. Updated the text case for opaque and secret objects in the UI (JIRA: ROFR-2683).
    Updated the text from Uppercase (SECRET, OPAQUE) to Lowercase (secret, opaque) in the "Create new security object flow", “security objects table view”, “security objects detailed view”, and so on.
  14. Updated the “Copy URI” tooltip text in the detailed view of a security object (JIRA: ROFR-2321). RSATooltip.png
  15. Removed the excessive use of the sysadmin account in the header labels (JIRA: ROFR-2320).
  16. Improved Audit log search to include searching the table on all the pages instead of just the table on the current page (JIRA: ROFR-2624).
  17. Converted Audit log data table to DataTableStream for stream-style pagination with “previous” and “next” buttons rather than “page numbers” (JIRA: ROFR-2623). Audit.png
  18. Renamed “administrators” to “quorum reviewers” in the participant drop down list in the Quorum approval policy configuration to support the Allow Quorum Reviewer permission for Custom roles (JIRA: ROFR-3535). Quorum.png
  19. Updated the text for enabling linked key rotation from “Rotate all copied keys” to “Enable key rotation for copied keys(JIRA: ROFR-3475). key_rotation.png

3. Client and DSM-Accelerator Features and Enhancements

  1. Added support for DSM-Accelerator PKCS#11 Client Library(JIRA: PROD-5367). For more details, refer to the DSM-Accelerator Guides.
  2. Added support for DSM-Accelerator Webservice (JIRA: PROD-5368). For more details, refer to the DSM-Accelerator Guides.
  3. Added support for DSM-Accelerator Java SDK (JIRA: PROD-5340). For more details, refer to the DSM-Accelerator Guides.
  4. KMIP Client Enhancements:
    1. Added support for Original Creation Date attribute (JIRA: PROD-5187).
    2. Added support for the Last Change Date attribute that contains the date and time of the last change (JIRA: PROD-5188).
    3. Added support for storing Split Key object type (JIRA: PROD-5189).
    4. Added support for Digest attribute in security objects, certificates, opaque objects, and secret data (JIRA: PROD-5190).
    5. Added support for Default Operation Policy (JIRA: PROD-5191).
    6. Added support for storing keys for AES-XTS block cipher (JIRA: PROD-5192).
    7. Added KMIP attributes for DELL EMC Powermax (JIRA: PROD-4913)For more details refer to FAQ: KMIP Coverage.
  5. Terraform client enhancements:
    1. Added support to create a Quorum approval policy for DSM accounts (JIRA: DEVOPS-2930).
    2. Added support to create a Quorum approval policy for DSM groups (JIRA: DEVOPS-2872).

4. Other Improvements

  1. Updated unpatched packages in Fortanix DSM based on Ubuntu 20 build (JIRA: DEVOPS-3147).
  2. Documented all the APIs and enforced documentation in the code so that the client-generator reads it and adds it to the OpenApi doc (JIRA: PROD-5075).
  3. Improved the latency while loading the accounts and security objects during OAuth (JIRA: ROFR-3136).
  4. Improvements to the Kubernets CA rotation (JIRA: DEVOPS-1501).
  5. Changed the audit log table write consistency to Local Quorum to support read-only mode (JIRA: PROD-5505).
  6. Added support for multiple OU entries in the X.509 plugins (JIRA: PROD-5345).
  7. You can now reset the appliance to factory settings (JIRA: DEVOPS-1111). For more details, refer to the FAQ: Install/Upgrade/Administration.

5. Bug Fixes

  • Fixed OAuth consent screen for Auditors (JIRA: ROFR-3127).
  • Fixed the home directories for users cassandra and autoscaler during upgrades (JIRA: DEVOPS-3149).
  • Fixed an issue where users were able to add HMG configuration to a group that has Key Encryption Key configured (JIRA: PROD-5493).
  • Restricted all rotation scenarios for AWS multi-region keys (JIRA: PROD-5480).
  • Fixed AWS virtual key rotation for single region key (JIRA: ROFR-3564).
  • Fixed an issue where the auth header was printed in client logs (JIRA: PROD-5440).
  • Fixed the placement of the “Name your Security Object” walkthrough tooltip (JIRA: ROFR-3555).
  • Fixed an issue where the remove -- node command does not remove daemonset pods (JIRA: DEVOPS-3131).
  • Fixed an issue where plugins were forbidden from calling get_user and get_app API (JIRA: PROD-5421).
  • Fixed Microsoft Easy Wizard 404 error (JIRA: ROFR-3541).
  • Fixed an issue so that the users “cassandra” and “autoscaler” have no login shell (/bin/bash) (JIRA: DEVOPS-3086).
  • Fixed missing Cluster Deployment Key (CDK) migration logic in Fortanix DSM version 4.9 (JIRA: DEVOPS-3067).
  • Fixed an issue where the secrets were not saved as entered on the DSM UI upon rotation (JIRA: ROFR-3492).
  • Fixed an issue where the Approve button is not clickable while deleting the Account Quorum approval policy (JIRA: ROFR-3485).
  • Fixed an issue where the Key Access Justification Policy (GCP External Key manager) was visible for a key present in the external HSM/KMS linked Group. (JIRA: ROFR-3471).
  • Fixed an issue where the full token masking for datatypes other than “Custom” tokenization was inaccurate (JIRA: ROFR-3464).
  • Fixed an issue that does not allow a user to purge an AWS key in Fortanix DSM (JIRA: PROD-5210).
  • Fixed an issue where the DSM CLI uses default permissions when importing keys that are appropriate for FIPS deployment (JIRA: PROD-5166).
  • Fixed an issue where the page does not reload after approving the security object deletion request using the password re-entry option in the security object detailed view page (JIRA: ROFR-3433).
  • Fixed an issue where deleting a security object with the password re-entry option enabled does not ask for password or throw "Security object was successfully deleted" popup after the request is approved from the security object detailed view page (JIRA: ROFR-3432).
  • Fixed an issue where the "Key Undo Policy - Reversible Changes" table is not visible after clicking "REMOVE PRIVATE KEY" for an RSA key (JIRA: ROFR-3426).
  • Fixed an issue the user was unable to click DELETE SELECTED checkbox to delete the TEP instances in the Integrations tab (JIRA: ROFR-3386).
  • Fixed an issue where the user was not able to delete a Field Info after it was added in TEP Instance (JIRA: ROFR-3384).
  • Fixed an issue where the user was able to see the LINK HSM/EXTERNAL KMS button while creating a group even if the option “Create External Groups” was not selected in the Account custom role (JIRA: ROFR-3353).
  • Fixed a text mismatch issue in the description of the IBM DB2 Easy Wizard (JIRA: ROFR-3316).
  • Fixed an issue where after adding an account-level Quorum approval policy, the check box for mandatory 2-factor authentication is not enabled in the Authentication tab (JIRA: PROD-5366).
  • Fixed an issue where the minimum length of 1 was allowed in Custom tokenization (JIRA: ROFR-3283).
  • Fixed an issue where saving an empty API shows the PIN in the Network tab in the inspect mode (JIRA: ROFR-3279).
  • Fixed an issue where the input Secret object value was not saved as entered on the DSM UI (JIRA: ROFR-3225).
  • Fixed incorrect tooltip description for the App Manageable permission (JIRA: ROFR-2995).
  • Fixed latency in displaying missing information in the “Completed” tasks for Quorum policy requests when 2-factor authentication is enabled (JIRA: ROFR-2761).
  • Fixed an issue that prevented users from getting into the DSM web UI during the failover test (JIRA: ES-104).
  • Fixed an issue that now updates the version in the metadata file of X509 CA and TBS CA plugin (JIRA: PROD-5548).
  • Fixed an issue where clicking “Test Connection” in the group details page under HSM/KMS tab was not sending the PIN data (JIRA: ROFR-3326).

6. Quality Enhancements/Updates

7. Known Issues

  • An account could be lost if account tables are inconsistent between nodes. Make sure a backup is successful before proceeding with ANY upgrade (JIRA: PROD-4234).
  • When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
  • The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).
  • Encryption with GCM mode is failing for DSM-Accelerator PKCS#11 Client Library (JIRA: PROD-5479).
  • Unable to connect to the Azure non-SGX endpoint while running DSM-A (JIRA: PROD-5558).
  • Unable to perform Local encrypt/decrypt operation in Fortanix DSM-Accelerator using DES3 algorithm in CBC/ECB mode with the key size 112 (JIRA: PROD-5598).

8. Fortanix Self-Defending KMS Performance Statistics

8.1 Series 2

Key Types and Operations Throughput (Operations/second on a  3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1771 (invocations/second)



8.2 Azure Standard_DC8_v2

Key Types and Operations Throughput (Operations/second on a  3-node [Standard_DC8_v2] cluster)
AES 256: CBC Encryption/Decryption


AES 256: GCM Encryption/Decryption


AES 256: FPE Encryption/Decryption


AES 256 Key Generation


RSA 2048 Encryption/Decryption


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

 1706 (invocations/second)



8.3 Series 2 JCE

Key Types and Operations Throughput (Operations/second on a  3-node cluster)
AES 256: CBC Encryption/Decryption


AES 256 Key Generation


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1705 (invocations/second)



8.4 Azure Standard_DC8 JCE

Key Types and Operations Throughput (Operations/second on a  3-node [Standard_DC8 JCE] cluster)
AES 256: CBC Encryption/Decryption


AES 256 Key Generation


RSA 2048 Key Generation


RSA 2048 Sign/Verify


EC NISTP256 Sign/Verify


Data Security Manager Plugin (Hello world plugin)

1716 (invocations/second)



Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful