1.0 Introduction
Fortanix Data Security Manager (DSM) is an integrated HSM/KMS solution that supports multiple deployment options to best meet customers' needs for security, latency, and operational simplicity. Regardless of how the solution is deployed, the functionality and integration capabilities remain the same, and all keys can be managed from a single pane of glass.
1.1 On-premises
Fortanix DSM can be deployed on-premises using FX2200 or FX3400 physical appliances. The on-premises option offers the best security while giving customers complete control over the solution (for example: scaling, backups, software updates, and so on).
1.2 Public/Private Cloud
Fortanix DSM can be deployed on VMware or similar hypervisors or in a public cloud using our virtual appliance. This provides the same control over the installation as on-premises, but without having to host physical hardware within data centers. When deployed in an SGX-compatible environment (for example: Azure Confidential Computing VMs), the security is arguably similar to FIPS 140-2 Level 3, although no certificate has been issued for that particular hardware or software combination.
1.3 SaaS
Fortanix DSM SaaS is a cluster of physical Fortanix hardware appliances hosted in Equinix data centers and managed by Fortanix. It is a globally deployed service. Refer to the Fortanix DSM SaaS Global Availability Map to see all its locations. To provide our customers with maximum operational flexibility and frequent feature releases, the appliances always run the latest DSM software version (which may not be FIPS validated) and operate in non-FIPS mode. With DSM SaaS, you can be up and running within minutes, without the hassle of managing your own cluster of appliances.
1.4 Single-Tier Hybrid
A mixed cluster of virtual appliances across multiple clouds and/or physical appliances is possible, provided they are all operating in an Intel SGX environment or all operating in a non-SGX environment. This may be useful for minimizing latency across multiple environments and regions.
1.5 Dual-Tier Hybrid
With any of the options above, a subset of the keys may be stored externally in a separate DSM cluster, DSM SaaS Account, or third-party HSM, while retaining the ability to manage all keys from a single pane of glass. This is typically used in the following scenarios:
A public/private cloud deployment is preferred, but some keys must be generated/stored/processed in a FIPS 140-2 Level 3 environment (for example, using Fortanix hardware appliances), or
Any deployment where some keys must be generated/stored/processed in a FIPS 140-2 Level 3 environment operating in strict "FIPS mode" (that is, a FIPS-validated version of the DSM software restricted to using NIST-approved algorithms and key lengths) with resilience and high availability. This can be achieved using a cluster of non-FIPS on-premises Fortanix hardware appliances in combination with one or more FIPS appliances. The FIPS 140 unit(s) are accessed through a FIPS-backed Group in the regular cluster, and cryptographic objects under that Group are generated and used in a FIPS 140-compliant module.
2.0 Operating in FIPS Mode
Fortanix DSM is tested and validated by an external laboratory against the US/Canadian Federal Information Processing Standard (FIPS) 140. Fortanix obtains FIPS 140 certificates for specific hardware and software configurations of its products. Certificates obtained at various levels of the standard are published on the Cryptographic Module Validation Program (CMVP) website [1].
To operate in compliance with a FIPS 140 certificate, a Fortanix module must be running the validated software version and be initialized in conformance with the certificate and its Security Policy document.
When Fortanix DSM is not in a specifically FIPS 140-compliant configuration, it is running the same software and offers the same validated cryptographic algorithms as the compliant configuration. Non-FIPS installations may provide practical benefits over a strictly FIPS 140-compliant one, such as:
Improved availability and resilience of a multi-node cluster.
Frequently updated software that includes vulnerability fixes.
Access to algorithms and mechanisms not available under the FIPS 140 restrictions.
Fortanix can provide guidance and information on FIPS 140 compliance, but the customer is ultimately responsible for assessing and meeting the requirements of their organization regarding cryptographic module security.
[1] https://csrc.nist.gov/projects/cryptographic-module-validation-program