Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.
3.1 Sign Up and Log In to Fortanix Armor Platform - New Users
If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.
For more information on how to sign up or log in and create an account for Key Insight, refer to Fortanix Armor – Getting Started.
3.2 Log In to Fortanix Armor Platform - Existing Users
You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.
After you access the Key Insight solution from Fortanix Armor, if you want to onboard an external key source, that is, a Fortanix DSM (SaaS) connection, then you need to configure it to scan your keys and services.
4.1 Prerequisites
The following are the prerequisites to add a Fortanix DSM (SaaS) connection to Fortanix Key Insight:
Fortanix DSM Account Setup: A valid and active Fortanix DSM (SaaS) account is set up to allow communication between Fortanix DSM and Key Insight.
Application Configuration: An application (app) must be created in Fortanix DSM (SaaS) to enable interaction between the two solutions. This application defines the roles and permissions required for key management.
Security Objects Setup: Security objects, such as keys or key versions, must be created and configured within Fortanix DSM (SaaS) to allow secure key management and usage by Fortanix Key Insight.
Group Configuration: User groups or access policies should be configured in Fortanix DSM (SaaS) to ensure appropriate access control and permissions for users interacting with keys through Fortanix Key Insight.
Perform the following steps to select the external KMS key type:
After you create a Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page. Click GO TO KEY INSIGHT.
Figure 1: Access available solutions
On the Let's Connect to Your Cloud, On-Premises or External Key Source Provider page, select the External Key Source Connections type and the Fortanix DSM (SaaS) provider.
Click NEXT.
Figure 2: Select a DSM (SaaS) provider
4.3 Add Fortanix DSM (SaaS) Connection
Perform the following steps to add a Fortanix DSM (SaaS) connection on the Let's Connect to Your External Key Source Provider page:
Click SAVE AND PROCEED. The connection will be added under the EXTERNAL KEY SOURCE tab on the Connections page, though it will not yet be integrated with Fortanix DSM.
Figure 3: Add DSM (SaaS) connection
4.4 Add Admin App UUID
Perform the following steps to configure the private key and certificate on the Admin App UUID page:
Click GENERATE PRIVATE KEY to create a private key. You can generate a maximum of two private keys.
Click GENERATE ANOTHER PRIVATE KEY to generate an additional key.
You can delete the private key using the delete icon.
Click GENERATE CERTIFICATE to generate a self-signed certificate. This button will only be enabled after generating a private key.
You can copy the generated certificate details.
You can also RE-GENERATE THE CERTIFICATE, if required.
Create an administrative (admin) app using the steps mentioned in Create Admin Apps, selecting Certificate as the authentication method, and uploading the certificate generated in Step 2.
After creating the admin app, copy the UUID value.
Enter the Admin app UUID obtained from Fortanix DSM (SaaS) admin app.
Click CONNECT to establish the connection between Fortanix DSM (SaaS) and Fortanix Key Insight. If your credentials (region and certificate) are incorrect, an error message will appear. Ensure you use the correct credentials to establish the connection with Fortanix DSM (SaaS).
Figure 4: Configure Fortanix DSM (SaaS) in Fortanix Key Insight
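A local check you could run on the certificate copied in the steps above before uploading it to the Fortanix DSM admin app. This is an added example, not part of the Fortanix documentation. It assumes the copied certificate is PEM-encoded and saved to a file; the function names and the sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fortanix code). Assumes the certificate copied from
# Key Insight was saved locally as a PEM file.

# SHA-256 fingerprint, to record next to the admin app UUID.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 only for a parseable, self-signed, unexpired certificate.
check_admin_app_cert() {
    cert=$1
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 ||
        { echo "FAIL: not a PEM certificate"; return 1; }
    subject=$(openssl x509 -in "$cert" -noout -subject_hash)
    issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
    [ "$subject" = "$issuer" ] ||
        { echo "FAIL: issuer differs from subject"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    # The signature must verify under the certificate's own public key.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: self-signature does not verify"; return 1; }
    echo "OK $(cert_fingerprint "$cert")"
}

# Constructed sample input: a throwaway self-signed certificate.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_constructed_cert "$demo_dir/admin-app.pem"
check_admin_app_cert "$demo_dir/admin-app.pem"
```

Keeping the fingerprint on record gives you a way to confirm later which certificate an admin app was created with.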
After the Fortanix DSM (SaaS) connection is added, you can access the Overview and Keys pages. For more information on the external key source (Fortanix DSM SaaS or On-premises) keys, refer to External Key Source Connection - User Interface Components.
NOTE
When the Fortanix DSM (SaaS) connection is added, all security objects in your Fortanix DSM (SaaS) account that are accessible to the admin application will be imported into Fortanix Key Insight.
After creating the Fortanix DSM (SaaS) connection, a group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.
After accessing the Fortanix Key Insight solution from Fortanix Armor, if you want to onboard an external key source, that is, a Fortanix DSM (On-premises) connection, you need to configure it to scan your keys and services.
Perform the following steps to select the external KMS key type:
After you create a Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page. Click GO TO KEY INSIGHT.
Figure 5: Access available solutions
On the Let's Connect to Your Cloud, On-Premises or External Key Source Provider page, select the External Key Source Connections type and the Fortanix DSM (On-Premises) provider.
Click NEXT.
Figure 6: Select DSM (On-Premises) provider
5.3 Add Fortanix DSM (On-premises) Connection
Perform the following steps to add a Fortanix DSM (On-premises) connection on the Let's Connect to Your External Key Source Provider page:
Enter the Connection name.
You must install the Fortanix On-premises Scanner package to manage your Fortanix DSM on-premises keys and resources. For more information, refer to On-premises Scanner Configuration.
Click any of the following:
ADD DSM: Select this option if you have not enabled the I have downloaded and installed the Scanner package check box. The connection will be added under the EXTERNAL KEY SOURCE tab on the Connections page, though it will not yet be integrated with Fortanix DSM.
Perform the following steps:
Select the I have downloaded and installed the Scanner package check box to confirm the scanner installation.
Click GENERATE API KEY to add the scanner using the generated API key.
On the API Key Details dialog box, click COPY API KEY to copy the API key value.
ADD DSM & GENERATE API KEY: Select this option if you have enabled the I have downloaded and installed the Scanner package check box to add the scanner using the generated API key. You will be authenticating with Fortanix Key Insight using the API keys.
Perform the following steps:
On the API Key Details dialog box, click COPY API KEY to copy the API key value. This value is used to authenticate both the Fortanix On-premises Scanner and Fortanix Key Insight.
Figure 7: Configure a Fortanix DSM on-premises connection
After the Fortanix DSM (On-premises) connection is added, you can access the Overview and Keys pages. For more information on the external key source (Fortanix DSM SaaS or On-premises) keys, refer to External Key Source Connection - User Interface Components.
NOTE
After creating the Fortanix DSM (On-premises) connection, a group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.
6.0 Scanning External HSMs Using Fortanix DSM HSM Gateway
Fortanix Key Insight supports scanning cryptographic keys stored in external HSMs using the Fortanix DSM (SaaS or on-premises) HSM Gateway.
NOTE
Before scanning, ensure the following:
The Fortanix DSM instance (SaaS or on-premises) is already connected to Fortanix Key Insight.
The Fortanix DSM HSM Gateway is installed and connected to the target HSM.
In this scanning process:
Fortanix Key Insight connects to Fortanix DSM, which uses the HSM Gateway to reach the external HSM.
Fortanix Key Insight requests key information from Fortanix DSM.
Fortanix DSM retrieves the details from the HSM through the gateway and returns them to Fortanix Key Insight.
This setup allows Fortanix Key Insight to:
Collect and view keys from different HSMs in one place, without needing a direct connection between Fortanix Key Insight and the external HSM.
Include the keys in security and compliance reports, such as CBOM.
Prepare for post-quantum readiness by including keys managed in external HSMs.
For detailed steps on how to add a new HSM Gateway to the Fortanix DSM, refer to the User's Guide: HSM Gateway.
7.0 Manage External Key Source Connection
An external key source, such as Fortanix DSM (SaaS or On-premises), is used to manage and protect cryptographic keys. This integration also simplifies compliance by providing a unified, cohesive view of the entire key inventory and lifecycle governance.
The EXTERNAL KEY SOURCE tab on the Connections page shows all the external key source connections configured for the selected Fortanix Key Insight account.
Figure 8: Access external key source
Click each connection to navigate to its corresponding Overview page.
Copy the Connection ID using the copy icon.
Add an external key source connection using ADD EXTERNAL KEY SOURCE.
The LAST SCAN column value reflects the connection creation timestamp.
The CONNECTION STATUS column displays one of the following statuses:
Connected: The Fortanix On-premises Scanner package has been successfully added, and all keys have been scanned and imported.
Pending: The Fortanix On-premises Scanner package has been added, but the keys sync is still pending. For Fortanix DSM on-premises connections in this state:
You must use the generated API key to connect with Fortanix Key Insight.
To begin scanning, you need to add the resources after establishing the connection.
Disconnected: The Fortanix On-premises Scanner package is connected, but the session has been terminated. For Fortanix DSM on-premises connections that are disconnected, you will need to restart the scanner to re-establish the connection.
NOTE
It is recommended to use a unique admin app UUID for each Fortanix DSM (SaaS) connection when adding or editing to prevent performance degradation and avoid unnecessary clutter.
For each external key source connection, you can perform the following:
Edit
Delete
Rescan
NOTE
Only users with the Account Administrator and Group Administrator roles can perform add, edit, delete, and rescan operations for the external key source connection.
7.1 Edit an External Key Source Connection
Use this feature to update the external key source connection details if required.
Perform the following steps to edit the external key source connection:
Click on the required external key source connection.
Select Edit.
On the Edit <External Key Source> page, update the required details.
Click SAVE to apply the changes. Click CANCEL to discard the changes.
NOTE
You can also edit the external key source connection during the cloud and on-premises connections onboarding.
Figure 9: Edit an external key source
When you update the external key source details, you must rescan both the external key source connection and any associated parent cloud or on-premises connection to apply the new values.
7.2 Delete an External Key Source Connection
Use this feature to remove an external key source connection and its associated information.
Perform the following steps to delete the external key source connection:
Click on the required external key source connection.
Select Delete.
On the Delete External Key Source Connection dialog box, read all the details and enter the external key source name.
Click CONFIRM to delete the external key source.
WARNING
Deleting the external key source connection cannot be undone.
After deletion, the external key source connection will be removed from the EXTERNAL KEY SOURCE list.
7.3 Rescan an External Key Source Connection
Use this feature to restart the scan for the external key source.
Perform the following steps to rescan the external key source:
Click on the required external key source connection.
Select Rescan.
NOTE
The Rescan option is available only when the external key source connection status is Connected.
On the Scan Connection page, click START SCANNING to restart the scan.
If the rescan is successful, the LAST SCAN column under the EXTERNAL KEY SOURCE tab will be updated with the latest scan date and time.
NOTE
After successfully rescanning the Fortanix DSM (SaaS or On-premises) connection, you must manually rescan the associated parent or linked Fortanix Key Insight cloud or on-premises connection, if any, to update the correlated key data.
7.4 View an External Key Source Connection Details
This feature is available only for Fortanix DSM (On-Premises) type external key source connections.
Perform the following steps to view the connection details:
Click on the required external key source connection.
Select View Details.
On the DSM page:
Click DOWNLOAD PACKAGE to download the package again if you changed your machine, or if your current package has errors or was not installed correctly.
Click Delete to remove the Fortanix DSM (On-premises) connection.
Click Edit to update the name of the connection, if required.
Also, you can view the following sections:
Scanner Details: This section provides details about the scanner's connection status, connection ID, last scan, periodic polling interval, and the date and time it was created.
Access Type: This section offers details about the API key.
Perform the following to manage the API keys:
Click MANAGE API KEY to manage the generated API key(s).
On the Manage API Key dialog box, read the details.
NOTE
You can generate a maximum of two API keys for configuring the connection between Fortanix DSM (On-premises) and Fortanix Key Insight.
Click GENERATE ANOTHER API KEY to generate a second key if one already exists.
For each API Key, you can perform the following:
Click COPY to copy the API key value.
Click DELETE to remove the generated API key.
WARNING
Deleting an API key may revoke access for the Fortanix DSM (On-premises) connection, potentially disrupting its functionality. This action is irreversible.
Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.
Fortanix Armor is a comprehensive cybersecurity solution that protects data and applications across on-premises, hybrid, and multi-cloud environments. It integrates Fortanix solutions into a single unified product, securing data throughout its lifecycle. Built on the Runtime Encryption Platform, it ensures real-time encryption of data at rest, in transit, and during processing. Additionally, it includes platform services such as IAM, KMS, and Audit and Monitoring to simplify security management.
The Fortanix On-premises Scanner is a configuration component installed within an organization’s local infrastructure. It is designed to scan, analyze, and manage sensitive cryptographic data using Fortanix Key Insight. The scanner identifies keys, certificates, and compliance information within on-premises systems. It supports both Linux and Windows platforms, allowing for flexible and secure deployment and visibility across different environments.