1.0 Introduction
This article provides detailed instructions for configuring, managing, and maintaining cryptographic policies through the Policy Center across Fortanix Key Insight cloud and on-premises environments.
Using the Policy Center, you can:
Define account-level cryptographic policies to control allowed key types, key sizes, and permitted operations.
Enforce compliance with security standards such as NIST 800-57, PCI DSS, GDPR, ISO, FIPS, and so on.
Create and manage custom or user-defined policies tailored to organizational or regulatory requirements.
Import synchronized cryptographic policies from Fortanix Data Security Manager (DSM) (SaaS or On-premises) to maintain consistency across environments.
Duplicate, modify, or delete existing policies to accommodate evolving cryptographic standards.
2.0 Access Policy Center
The Policy Center in Fortanix Key Insight enables you to define and manage account-level cryptographic policies. These policies allow you to enforce restrictions on the types of cryptographic keys that can be created and the operations that are permitted within an account.
You can access the Policy Center from the left navigation panel of the Fortanix Key Insight user interface (UI).
From the Policy Center, you can create customized, user-defined policies, configure access to Fortanix Data Security Manager (DSM) using API keys, and utilize synchronized policies from Fortanix DSM (SaaS or On-Premises) for connected environments.
For each policy, you can view the following information:
Policy name
Policy type: System default policy, User-defined (KI), and Fortanix DSM.
Policy compliance type: Either a standard type as described in Section 6.0: Cryptographic Policy Compliance Matrix or a custom-defined type.
Last updated: Timestamp of the last modification.

Figure 1: Access Policy Center
NOTE
Users with the Account Administrator and Group Administrator roles can only manage (Import, Duplicate, Edit, and Delete) the cryptographic policies on Fortanix Key Insight – Policy Center.
After you access the Policy Center, you can view, modify, or create new cryptographic policies as described in the following sections:
3.0 Manage System-Defined Cryptographic Policy
By default, when a connection (cloud or on-premises) is onboarded into Fortanix Key Insight, the system automatically applies a pre-configured cryptographic policy (with NIST 800-57 standard). This policy is labelled as System Defined Policy and is classified under the System default policy type on Policy Center. It serves as the baseline policy for managing cryptographic operations until the user decides to customize or modify it.
This default policy ensures that every new connection adheres to a set of predefined security rules and cryptographic standards, maintaining consistency and minimizing the risk of configuration errors.
You cannot edit or delete the system-defined cryptographic policy. You can only duplicate and modify it to generate a new user-defined policy.
3.1 Duplicate and Modify the System-Defined Cryptographic Policy
Perform the following steps to copy and modify the system default policy to create a user-defined cryptographic policy:
Click Duplicate and Modify on the System Defined Policy. The Duplicate & modify Cryptographic Policy page appears with:
The Compliance type is set to Compliance Standards.
NOTE
You can also switch to Custom type if required and manually configure the required object types and configurations in the Net Allowed Object Types section.
The Select Compliance Standard drop-down value is NIST 800-57. You can select a different standard, if required.
The Net Allowed Object Types section shows all the object types and configurations based on the NIST 800-57 standard.
In the Net Allowed Object Types section, select the object types and configurations that you want to allow.
Enter the Policy Name.
Click SAVE to add the new user-defined policy.
The new policy appears under the User defined (KI) type in the Policy Center.
4.0 Manage User-Defined Cryptographic Policy
Fortanix Key Insight lets users customize and modify the default cryptographic policy to create their own user-defined policies. This customization enables users to define the cryptographic rules and operations that meet their specific security requirements or compliance standards.
4.1 Add a User-Defined Cryptographic Policy
Perform the following steps to add a user-defined cryptographic policy in the policy center:
Click ADD POLICY on the top-right corner of the Policy Center page.
NOTE
During a cloud connection onboarding, you can also add a user-defined policy by selecting ADD POLICY in the Key Insight Policy form.
On the Add Cryptographic Policy page,
Select the Compliance Type. Choose either Compliance Standards (default) or Custom.
If Compliance Standards is selected,
Select a maximum of two compliance standards from the Select Compliance Standard drop-down. The available values are ASD, PCI DSS, NIST 800-57 (default), GDPR, SG MAS, FIPS, CMMC, ISO, and CIS. For more information on these types, refer to Section 6.0: Cryptographic Policy Compliance Matrix.
The Net Allowed Object Types section will automatically populate with object types and configuration values based on the selected compliance standard(s). For more information on the different object types and key sizes, refer to the User's Guide: Account Cryptographic Policy.
NOTE
If you manually modify the allowed object types, the Modify Allowed Object Types dialog box will appear, warning that the compliance type will change to Custom. If you click Proceed, the compliance type is updated to Custom.
The Policy Name is auto-generated in the format policy standard name_<a unique UUID for the name>, and it cannot be edited. For example, nist-800-57_c7dcb7cf-8441-4d13-a935-ef0ce346258e.
Click SAVE to add the new user-defined policy. The policy will appear in the Policy Center with the type value set to User Defined (KI) and the compliance type value set to the policy standard(s) selected in Step 2.b.i.
If Custom is selected,
Manually configure the required object types and configurations in the Net Allowed Object Types section. These are disabled by default.
Enter the appropriate Policy Name.
Click SAVE to add the new user-defined policy. The new policy will appear in the Policy Center with the type value set to User Defined (KI) and the compliance type value set to Custom.
NOTE
After the user-defined policy is added, it will be available for selection in the Key Insight Policy form during connection onboarding.
4.2 Duplicate and Modify the User-Defined Cryptographic Policy
Perform the following steps to duplicate and modify an existing user-defined cryptographic policy:
Click Duplicate and Modify on the current user-defined policy.
In the Duplicate & modify Cryptographic Policy page, repeat the steps from Step 2.a in Section 4.1: Add a User-Defined Cryptographic Policy.
4.3 Edit a User-Defined Cryptographic Policy
Perform the following steps to edit the details of the existing user-defined cryptographic policy:
Click Edit on the user-defined cryptographic policy.
On the Edit Cryptographic Policy page, update the compliance type, policy name, and allowed object types or key sizes as required.
NOTE
You can switch the compliance type to convert a custom policy into a compliance standards policy, or vice versa.
Click SAVE to update the policy details.
4.4 Delete a User-Defined Cryptographic Policy
You can delete the user-defined policy if it is no longer required.
Perform the following steps to delete a user-defined cryptographic policy:
Click Delete on the required user-defined cryptographic policy.
On the Delete Cryptographic Policy dialog box,
Review the number of connections linked to the policy and the other details shown.
Enter the policy name to confirm the deletion.
Click CONFIRM to remove the policy from the Policy Center.
WARNING
Deleting the user-defined policy is irreversible and will remove the policy permanently. Affected connections will revert to the System Default Policy.
5.0 Import Fortanix DSM SaaS Policy
Fortanix Key Insight offers the flexibility to import cryptographic policies from Fortanix DSM SaaS to streamline the management and application of cryptographic standards across your cloud or On-premises environments. By importing policies from Fortanix DSM SaaS, you can ensure consistency in key management, encryption protocols, and security settings, allowing you to easily apply the same policies across multiple connections.
NOTE
For a single account, you can duplicate or import policies using the user interface (UI) up to 10 times. To import or duplicate policies beyond this limit, you must first delete the existing ones.
You can import Fortanix DSM SaaS cryptographic policies to Fortanix Key Insight using an administrative (admin) application (app) API Key.
NOTE
Currently, Fortanix DSM On-premises users cannot import cryptographic policies into the Key Insight Policy Center, as this feature is only supported with Fortanix DSM SaaS.
Perform the following steps to import a Fortanix DSM SaaS cryptographic policy using the admin app API key:
Click IMPORT DSM POLICY on the top right corner of the Policy Center page.
On the Import DSM Policy dialog box,
Enter the Fortanix DSM Admin app API key. For information on how to obtain the admin app API key, refer to the User’s Guide: Authentication.
Select the region from the drop-down menu. For example, North America. For more information on other regions, refer to Fortanix DSM SaaS Global Availability Map.
Click IMPORT to import the policy from Fortanix DSM SaaS to Fortanix Key Insight. The imported policy will be listed on the Policy Center page with the type Fortanix DSM.
After the Fortanix DSM SaaS cryptographic policy is imported, you can only duplicate or delete it, as for the user-defined policy explained in Section 4.0: Manage User-Defined Cryptographic Policy.
NOTE
After the Fortanix DSM policy is added, it will be available for selection on the Key Insight Policy form during a connection onboarding.
6.0 Cryptographic Policy Compliance Matrix
The table below represents a matrix outlining the standard compliance and recommendation status of various cryptographic algorithms and key types across multiple security standards and regulatory frameworks.
Each row denotes a specific algorithm or key type, while each subsequent column corresponds to a relevant standard, guideline, or compliance requirement.
Legend:
✔ = Compliant or recommended
X = Non-compliant or Not recommended
The qualifiers, such as ‘(128+)’ or ‘(Best Practice)’ provide additional context, such as the minimum acceptable key length or whether the algorithm is recommended but not explicitly mandated.
| Algorithm/Key Type | ASD | PCI DSS | NIST 800-57 | GDPR | SG MAS | FIPS | CMMC | ISO | CIS |
|---|---|---|---|---|---|---|---|---|---|
| AES (128+/192+/256+) | ✔ (128+) | ✔ (128+) | ✔ (128+) | ✔ (Best Practice) | ✔ (Best Practice) | ✔ | ✔ | ✔ | ✔ |
| RSA (2048+) | ✔ (2048+) | ✔ (2048+) | ✔ (2048+) | ✔ (Best Practice) | ✔ (Best Practice) | ✔ | ✔ | ✔ | ✔ |
| HMAC (with SHA-2) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| EC (NIST P-224+; P-384 preferred) | ✔ | ✔ (224+) | ✔ (224+) | ✔ (Best Practice) | ✔ (Best Practice) | ✔ | ✔ | ✔ | ✔ |
| DSA (2048+; being phased out) | ✔ | ✔ (2048+) | ✔ (2048+) | ✔ (Best Practice) | ✔ (Best Practice) | ✔ | ✔ | ✔ | ✔ |
| DES/3DES | X | ✔ (3DES) | | | | | | | |
| SEED/ARIA | ✔ (Korean) | X | X | X | X | X | X | X | X |
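To show how a Net Allowed Object Types policy built from this matrix behaves against a real key inventory, here is an added example (not Fortanix code and not the Key Insight evaluation engine). It transcribes the ASD and PCI DSS columns as policy data, assumes the net policy for two selected standards is their intersection with the stricter minimum size winning, and runs a constructed inventory against it; the `net_allowed` and `evaluate` functions and the key names are illustrative only.

```python
# Minimum key size in bits per object type, transcribed from the matrix above.
# None = not allowed; 0 = allowed with no minimum stated. Assumption: ASD's
# EC and DSA minimums are taken from the row headers (P-224+, 2048+).
STANDARDS = {
    "ASD":     {"AES": 128, "RSA": 2048, "HMAC": 0, "EC": 224, "DSA": 2048,
                "DES": None, "3DES": None, "SEED": 0, "ARIA": 0},
    "PCI DSS": {"AES": 128, "RSA": 2048, "HMAC": 0, "EC": 224, "DSA": 2048,
                "DES": None, "3DES": 0, "SEED": None, "ARIA": None},
}

def net_allowed(*standards):
    """Net allowed object types for one or two selected standards.
    Assumption: intersection of the standards, stricter minimum wins."""
    if not 1 <= len(standards) <= 2:
        raise ValueError("select one or two compliance standards")
    tables = [STANDARDS[s] for s in standards]
    net = {}
    for obj_type in tables[0]:
        mins = [t[obj_type] for t in tables]
        if all(m is not None for m in mins):
            net[obj_type] = max(mins)
    return net

def evaluate(keys, policy):
    """Return (key name, reason) for every (name, type, bits) key not allowed."""
    findings = []
    for name, obj_type, bits in keys:
        if obj_type not in policy:
            findings.append((name, f"{obj_type} not allowed"))
        elif bits < policy[obj_type]:
            findings.append((name, f"{obj_type} {bits}-bit is below the "
                                   f"{policy[obj_type]}-bit minimum"))
    return findings

# Constructed sample inventory; names and sizes are illustrative only.
INVENTORY = [
    ("app-db-kek", "AES", 256),
    ("legacy-signing", "RSA", 1024),
    ("tls-ecdsa", "EC", 384),
    ("pos-batch", "3DES", 168),
    ("kr-archive", "SEED", 128),
]

if __name__ == "__main__":
    for name, reason in evaluate(INVENTORY, net_allowed("ASD", "PCI DSS")):
        print(f"{name}: {reason}")
```

Selecting both standards drops 3DES (ASD) and SEED/ARIA (PCI DSS) from the net policy, so the 3DES and SEED keys are flagged alongside the 1024-bit RSA key; selecting PCI DSS alone keeps the 3DES key compliant.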