1.0 Introduction
Welcome to the Fortanix Data Security Manager (DSM) Cryptographic Policy User Guide. This article describes the cryptographic policies of Fortanix DSM, including account-level cryptographic policies.
1.1 Fortanix DSM Cryptographic Policy Definition
Fortanix DSM supports cryptographic policies, specified at the account or group level, that restrict which kinds of keys can be created and which operations are permitted on them.
2.0 Fortanix DSM Cryptographic Policy Structure
The Fortanix DSM Cryptographic Policy defines how cryptographic keys are managed. It allows administrators to control key types, sizes, and operations to maintain security.
2.1 Allowed Keys
By default, all types of keys are selected in the policy, including AES, DES, DES3, RSA, EC, HMAC, SECRET, CERTIFICATE, OPAQUE, LMS, ML-KEM, Tokenization, ML-DSA, XMSS, BIP32, EC-KCDSA, KCDSA, SEED, ARIA, and BLS.
2.2 Key Sizes
The following key sizes are allowed for each key type:
AES: 128, 192, or 256 bits
DES3: 168 bits or 112 bits (for 2-key triple DES)
DES: 56 bits only
DSA: 2048 bits (subgroup size: 224, 256 bits) or 3072 bits (subgroup size: 256 bits)
RSA: minimum 1024 to 8192 bits
HMAC: minimum 112 to 8192
EC: Supported curves include SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, NistP521, Gost256A, X25519, Ed25519, and X448.
Tokenization: 128, 192, or 256 bits.
ML-KEM: 512, 768, or 1024 bits.
ML-DSA: 44, 65, or 87 bits.
EC-KCDSA: Supported curves include SecP192K1, SecP224K1, SecP256K1, NistP192, NistP224, NistP256, NistP384, or NistP521, and supported hashing algorithms include SHA1, SHA224, SHA256, SHA384, or SHA512.
KCDSA: Key size: 2048 bits and Subgroup size: 224 or 256 bits.
SEED: 128 bits.
ARIA: 128, 192, or 256 bits.
2.3 Key Operations
The following default key operations are allowed for each key type:
AES/DES3: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE
DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
RSA: SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, APPMANAGEABLE
EC: SIGN, VERIFY, APPMANAGEABLE, AGREEKEY
DES: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE
HMAC: DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE
ML-KEM: ENCAPSULATE, DECAPSULATE, EXPORT, APPMANAGEABLE
ML-DSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
EC-KCDSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
KCDSA: SIGN, VERIFY, APPMANAGEABLE, EXPORT
SEED: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, EXPORT
ARIA: ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT
BLS: SIGN, VERIFY, APPMANAGEABLE, EXPORT
Tokenization: TOKENIZE, DETOKENIZE, APPMANAGEABLE
LMS: SIGN, VERIFY, APPMANAGEABLE
XMSS: SIGN, VERIFY, APPMANAGEABLE
When setting a Cryptographic Policy, users can restrict the key operations allowed for an account. By default, all operations are permitted.
3.0 Managing a Cryptographic Policy
You can manage cryptographic policies by creating, editing, or deleting them to control key types, sizes, and operations across the account.
3.1 At the Account Level
You can create, edit, and delete the Cryptographic policies at the account level to apply security settings across the entire account.
3.1.1 Creating the Policy
The Fortanix DSM account administrator controls the types of keys, key sizes (or elliptic curves), padding policies, and key permissions that allow keys to be created or imported into an account.
Perform the following steps to create an account-level cryptographic policy:
Navigate to the Settings menu item in the DSM left navigation bar.
Figure 1: Fortanix DSM settings tab
On the Account settings page, click the CRYPTOGRAPHIC POLICY tab, and click the ADD CRYPTOGRAPHIC POLICY button to add a new policy.
Figure 2: Add new cryptography policy
In the Allowed object types for the account section, select the key types that you want to allow for this account. By default, all the key types are selected.
In the Allowed key sizes section, add the required allowed key size(s) for the keys.
In the Handling existing non-compliant keys section, select the required radio button to handle the existing non-compliant keys. By default, the radio button for Accept option is selected. For more information, refer to Section 4.0: Policy Enforcement.
Click the RESTRICT KEY OPERATIONS button to select the permitted key operations that will be allowed for the keys. By default, all the key operations are selected.
In the Audit Log section, enable the toggle button to store the detailed audit logs for all the groups in the account.
Figure 3: Account cryptographic policy
Click the SAVE POLICY button to save the policy settings.
After the policy is saved, you need to create a new group and add a security object. For detailed information, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
Figure 4: Create new security object
You will notice that key types and operations are restricted based on the cryptographic policy settings at the account level. The restricted values are greyed out.
Figure 5: Create security object with new cryptographic policy
If there are existing keys in the account that do not comply with the newly added policy, a warning will appear next to the non-compliant keys in the security object table view.
Figure 6: Error message for non-compliance
Additionally, an error message will be displayed in the detailed view of the key, highlighting the non-compliance based on the account-level cryptographic policy settings.

Figure 7: Error message for non-compliance
3.1.2 Editing or Deleting a Policy
A user can edit an account-level policy to add or remove key types, change key operations, or modify key sizes.
Perform the following steps to edit an account-level cryptographic policy:
Navigate to Settings → CRYPTOGRAPHIC POLICY → Cryptographic policy for security objects page and click the EDIT POLICY button.
Figure 8: Edit account cryptographic policy
Modify the allowed key types and key operations as required. For example, disable the “DES3” key type and disable the “MacVerify” key operation.
Figure 9: Edit cryptographic policy
Click the SAVE POLICY button.
This action will restrict users from selecting the “DES3” key type and the “MacVerify”, “Sign”, “Verify”, “AgreeKey”, and “Transform” key operations when creating a new security object.
Figure 10: Create a new security object
Click the DELETE POLICY button at the bottom of the page to delete the cryptographic policy.
Figure 11: Delete account level cryptographic policy
WARNING
Deleting an account-level cryptographic policy will remove all the key restrictions for the groups that were set at the account level.
4.0 Policy Enforcement
All new keys will be allowed or denied based on the cryptographic policy rules.
Any existing keys that are not compliant with the policy will still exist in the group. However, these keys will be marked separately as policy-violating keys. The following conditions apply to these keys:
Cryptographic operations classified as “protect operations” will not be allowed, for example Sign, Encrypt, WrapKey, DeriveKey, MacGenerate, and AgreeKey.
Cryptographic operations classified as “process operations” will still be allowed, for example Verify, Decrypt, UnwrapKey, and MacVerify.
If a group contains keys that are not compliant with the policy being added, an error message is displayed, and the keys can be grandfathered, forbidden, or partially grandfathered. When a cryptographic policy is created at the account or group level, three options are provided for handling non-compliant keys. These options are detailed in the Handling existing non-compliant keys section:

Figure 12: Handling non-compliant keys
Forbid to use: Forbid any use of non-compliant objects. If this option is selected, you are forbidden from using the non-compliant keys for any operation.
Accept: Accept non-compliant objects even though they violate the current policy. If this option is selected, you may continue to use existing non-compliant keys, but you may not generate or import new non-compliant objects.
Limit usage: Restrict non-compliant objects so that they may only be used for “process operations” such as Decrypt, Unwrap, Verify, and MacVerify operations. The “protect operations” such as Encrypt, Wrap, Sign, and Mac are forbidden.
NOTE
If the non-compliance setting for account-level Cryptographic policy is different from the group-level Cryptographic policy, then the setting which is more restrictive is applied for the existing keys.
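The rules from Sections 2 and 4 (allowed key types, sizes and operations; the Forbid to use, Accept and Limit usage handling of existing non-compliant keys; and the most-restrictive merge of account- and group-level settings), as an added Python model written for this guide. It is not Fortanix DSM code or its API, and every policy, key and operation value in it is a constructed example.

```python
# Illustrative model of how a DSM-style cryptographic policy gates keys and
# operations. Constructed for this guide; not Fortanix DSM code or its API.
from dataclasses import dataclass

# Operation classes from Section 4.0: "protect" operations are blocked on
# policy-violating keys under Limit usage, "process" operations still run.
PROTECT_OPS = {"SIGN", "ENCRYPT", "WRAPKEY", "DERIVEKEY", "MACGENERATE", "AGREEKEY"}
PROCESS_OPS = {"VERIFY", "DECRYPT", "UNWRAPKEY", "MACVERIFY"}

# Ranking used to choose the more restrictive of account- and group-level settings.
STRICTNESS = {"accept": 0, "limit_usage": 1, "forbid": 2}

@dataclass
class Policy:
    allowed_types: set             # e.g. {"AES", "RSA"}
    allowed_sizes: dict            # key type -> set of permitted sizes in bits
    allowed_ops: set               # permitted key operations (Section 2.3 names)
    non_compliant: str = "accept"  # "forbid", "accept" or "limit_usage"

@dataclass
class Key:
    key_type: str
    size: int
    ops: set                       # operations the key was created with

def is_compliant(key: Key, policy: Policy) -> bool:
    """A key complies when its type, size and every enabled operation are allowed."""
    return (key.key_type in policy.allowed_types
            and key.size in policy.allowed_sizes.get(key.key_type, set())
            and key.ops <= policy.allowed_ops)

def can_create(key: Key, *policies: Policy) -> bool:
    """New keys are allowed only when they comply with every applicable policy."""
    return all(is_compliant(key, p) for p in policies)

def effective_mode(*policies: Policy) -> str:
    """Section 4.0 NOTE: if account and group settings differ, the stricter one applies."""
    return max((p.non_compliant for p in policies), key=STRICTNESS.__getitem__)

def operation_allowed(key: Key, op: str, *policies: Policy) -> bool:
    """Decide whether an existing key may perform `op` under the combined policies."""
    if op not in key.ops:
        return False                    # the key was never enabled for this operation
    if can_create(key, *policies):
        return True                     # compliant key: normal use
    mode = effective_mode(*policies)
    if mode == "forbid":
        return False                    # Forbid to use: no operation at all
    if mode == "limit_usage":
        return op in PROCESS_OPS        # Limit usage: only process operations
    return True                         # Accept: existing key keeps working
```

A key created before the policy with a now-disallowed type (such as DES3 after the edit in Section 3.1.2) is the case the Limit usage branch handles: it can still decrypt and verify, but no longer encrypt or generate MACs.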