Using Fortanix Data Security Manager with BigID

  • Updated on Nov 5, 2025
  • Published on Sep 30, 2025
  • 15 minute(s) read
Prev Next

1.0 Introduction

This article provides guidance for integrating Fortanix Data Security Manager (DSM) with BigID to secure sensitive data, which is discovered and classified by BigID and then protected using Fortanix DSM's robust encryption capabilities.

The Fortanix Data Security Gateway, available in the Fortanix Support Portal, acts as a bridge between BigID and Fortanix DSM. It establishes a secure communication channel between the two platforms and automatically initiates data protection actions when BigID identifies sensitive or regulated data, such as Personally identifiable information (PII).

By combining BigID’s data discovery and classification capabilities with Fortanix DSM’s centralized cryptographic services, organizations can implement consistent and scalable data protection.

1.1 Key Benefits

The following are key benefits of this integration:

  • Improved Data Security: Automatically remediate sensitive data using vault-less tokenization and strong encryption provided by Fortanix DSM.

  • Operational Efficiency: Tokenization workflows are manually triggered when BigID flags sensitive data, minimizing manual intervention and accelerating response time.

  • Regulatory Compliance: Streamline adherence to privacy regulations with traceable and auditable data protection operations.

1.2 Fortanix Data Security Manager

Fortanix DSM is an integrated Data Security as a Service that provides secure key management and cryptography services including cloud key management, secret management, and tokenization to protect sensitive data in public, private, hybrid, or multi-cloud environments. Encryption keys are stored in the FIPS 140-2 Level 3 certified HSM and cryptographic operations are securely executed within the module. HSM as a service simplifies operations and reduces management overhead. The service can be accessed publicly using the cloud.

1.3 BigID

BigID is a data discovery and classification platform that enables organizations to identify, manage, and act on sensitive and regulated data. It supports data privacy, security, and governance initiatives by helping classify personal information and reduce data risk across the enterprise.

2.0 Product Versions Tested

The following product versions were tested:

  • Fortanix DSM version 5.2.2852

  • Fortanix Data Security Gateway version 1.0.24 in Fortanix Support Portal

  • BigID platform version release 231.6

3.0 Supported Databases

The following databases are supported for updating with tokenized data:

  • Microsoft SQL Server version 2019 or later

  • PostgreSQL version 13 or later

  • Oracle Database version 12.1 or later

  • Snowflake version 9.00 or later

4.0 Prerequisites

The following are the prerequisites:

  • Download the Fortanix Data Security Gateway artifact from here.

  • Compute: A compute environment with the ability to run containers using Docker Compose or Podman Compose is required for deploying the gateway. It can be provisioned on-premises or in the cloud, depending on your requirements. The minimum requirements are as follows:

    • Memory (RAM): 8 GB

    • CPU: 2 vCPUs

    • Storage: 50 GB (SSD preferred, primarily used for Docker images and log storage)

For larger workloads or high concurrency, allocate higher resources to improve performance.

  • Install Docker Engine and Docker Compose on the system where the gateway will be deployed.

  • Local BigID Scanner (for on-prem data sources):

    • If the data sources are hosted on-premises, deploy the Fortanix Data Security Gateway on the same network where the local BigID Scanner is deployed.

  • Fortanix DSM Access:

  • BigID Configuration:

    • The authentication method in BigID must be set to "Username Credentials" when adding data sources.

    • The Fortanix Data Security Gateway in BigID must have read and write access to the connected databases, along with permission to retrieve schema information to complete the tokenization of sensitive data.

  • Database User Permissions:

    • The database user must have ALTER and UPDATE permissions on the required tables or schema to support temporary performance-related operations.

    • UPDATE – Required to update sensitive data values with their tokenized forms during the ‘Tokenize’ action.

    • ALTER – Required to create temporary performance objects (such as an identity column or a non-clustered index) only when the target table does not already have a primary key. These objects enable fast lookups and efficient batch processing and are automatically dropped once the operation completes.

5.0 Architecture Workflow

Figure 1: Architecture Diagram

5.1 Port Requirements

PORT

USED BY

PURPOSE

8080 / 8443

Fortanix Data Security Gateway

All communication with the Fortanix Data Security Gateway occurs over this port.

443

Fortanix DSM

All outbound requests from the Fortanix Data Security Gateway are sent to Fortanix DSM over this port.

All databases have their respective ports open. For example:
Microsoft SQL Server – 1433
PostgreSQL – 5432
Oracle Database – 1521

Database

All database connections are made over these ports.

5.2 Workflow

This section describes the integration architecture between Fortanix DSM and BigID for secure and scalable remediation of sensitive data using tokenization.

  1. BigID scans data in the user-configured data sources, identifies sensitive fields, such as PII, financial records, or healthcare data.

  2. It applies classification tags to these fields in its metadata catalog based on predefined policies.

  3. The Fortanix Data Security Gateway, which runs within the user’s environment, reads this metadata.

  4. The Fortanix Data Security Gateway initiates tokenization.

  5. The Fortanix Data Security Gateway uses Fortanix DSM REST API to create necessary tokenization keys in Fortanix DSM.

  6. Fortanix DSM tokenizes the data using Vaultless Format Preserving encryption.

  7. As a part of Fortanix Data Security Gateway configuration from BigID marketplace, user provides Fortanix DSM endpoint, Fortanix DSM App API Key and database credentials. These values are stored securely in BigID’s encrypted database. The gateway uses these credentials to update the data sources with the tokenized data. These credentials must have write permission to allow tokenization as mentioned in Section 4.0: Prerequisites.

NOTE

If an error occurs, such as misconfiguration or authentication failure, the gateway logs the error details within the BigID platform to support effective troubleshooting.

All tokenization operations are carried out inside Fortanix DSM’s secure enclave, ensuring sensitive data remains protected and is never exposed in plaintext outside the trusted environment. Fortanix’s Format Preserving Encryption engine replaces sensitive values with secure, format-preserving tokens, ensuring both data integrity and regulatory compliance.

6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

6.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://amer.smartkey.io. On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed  here  based on the application region.

For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.

6.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 2: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

6.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.


    Figure 3: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

Figure 4: Group added

6.4 Creating an Application

Perform the following steps to create an app in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 5: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 6.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

Figure 6: Application added

6.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 6.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to be used later.

7.0 Deploy Fortanix Data Security Gateway

This section outlines the steps required to prepare the environment for integration between BigID and Fortanix DSM.

The Fortanix Data Security Gateway can be deployed in two environments:

  • BigID SaaS (Software as a Service)

  • BigID On-premises

Perform the following steps to deploy the Fortanix Data Security Gateway:

  1. Download the Fortanix Data Security Gateway artifact and save it on the target system. Refer to Section 4.0: Prerequisites.

  2. Install and verify Docker Engine and Docker Compose on the system where the gateway will be deployed. Refer to Section 4.0: Prerequisites.

  3. Run the following command to extract the tarball:

    tar -xzf fortanix-data-security-gateway.<version>.tar.gz

  4. Run the following command to move into the extracted directory:

    cd fortanix-data-security-gateway

    The extracted directory includes the following files:

    • app-compose.networks.yaml – Docker network configuration

    • app-compose.yaml – Docker Compose configuration

    • fortanix-data-security-gateway_image.<version>.tar.gz – Docker image

    • setenv.sh – Environment variable and port configuration

    • ssl.conf - SSL configuration

    • start-gateway.sh – Startup script

    • stop-gateway.sh – Shutdown script

  5. By default, the app-compose.networks.yaml file uses the following network configuration. To use an existing network (for example, the one where the local BigID Scanner is running), update the name field, as required.

    networks:
  default:
    external: true
    name: compose_default

    To create a new network, set external: false and update the name as required.

  6. If the Fortanix Data Security Gateway is deployed without the BigID local scanner and needs to be enabled with SSL certificates, users can provide the path to their certificates (self-singed or singed by their CA), private key and the ssl.conf file in the setenv.sh:  

    NOTE

    • CERTS_DIR should contain the following files

      • privkey.pem - Private key file in PEM format

      • fullchain.pem - Certificate file in PEM format – this file may contain the certificate chain

    • If the private key file and certificate file in CERTS_DIR has a different name, then please update following lines in the ssl.conf file

      ssl_certificate     /etc/ssl/certs/fullchain.pem;
ssl_certificate_key /etc/ssl/certs/privkey.pem;
    #export CERTS_DIR=/home/ftx/certs
#export SSL_CONFIG_FILE=/home/ftx/ssl.conf

    Also, uncomment the following lines in the app-compose.yaml file:

    #    - 8443:443
#volumes:
#    - ${CERTS_DIR}:/etc/ssl/certs:ro
#    - ${SSL_CONFIG_FILE}:/etc/nginx/conf.d/ssl.conf

    NOTE

    To enable a self-signed certificate, refer to BigID Documentation.

  7. Run the startup script to load the Docker image and launch the application:

    ./start-gateway.sh

  8. Run the following command to stop the application gracefully:

    ./stop-gateway.sh

7.1 Configuring Fortanix Data Security Gateway in BigID

Perform the following steps to add and configure the Fortanix Data Security Gateway within your BigID instance:

  1. Complete the steps in Section 7.0: Deploy Fortanix Data Security Gateway to ensure the container is running.

  2. After deployment, note the Base URL of the gateway. For example, http://fortanix-data-security-gateway:8080.

  3. Log in to your BigID instance.

  4. Navigate to Apps Center and click Add New App.

  5. Enter the Base URL as copied in Step 2 and select Remote App if using a local scanner.

  6. Click Add.

    Figure 7: Adding new app

    NOTE

    If a local BigID Scanner is not deployed, use the public IP of the gateway as the Base URL. In this case, do not select the Remote App check box.

  7. Open the newly added app and click Edit app from the drop down menu.

    Figure 8: Edit newly added Fortanix gateway

  8. On the Edit App page, verify the following configuration:

    NOTE

    Ensure that the BigID Base URL matches your current BigID instance URL.

    Figure 9: Verifying Fortanix gateway configuration

  9. Select the Additional Permissions check box.

  10. Click Save to apply the configuration.

7.2 Fortanix Data Security Gateway Version

Perform the following steps to check the version of the Fortanix Data Security Gateway in your BigID platform to ensure compatibility:

  1. Navigate to Apps Center in your BigID instance.

  2. Locate the Fortanix Data Security Gateway.

  3. Click Edit App.

  4. The current application version is displayed under .Application Version

    Figure 10: Application version

8.0 Data Protection with Fortanix DSM

This section describes how the Fortanix Data Security Gateway secures sensitive data flagged by BigID through security object creation and tokenization.

The gateway provides two actions to protect data: it first creates security objects in Fortanix DSM and then uses those objects to tokenize the flagged data.

  • Create Security Objects – Create dedicated security objects in Fortanix DSM to tokenize various kinds of data.

  • Tokenize – Replaces sensitive data with secured, format-preserving tokens using Fortanix’s Format Preserving Encryption capability.

8.1 Creating Security Objects for Tokenization

Perform the following steps to create security objects through Fortanix Data Security Gateway in BigID:

  1. In the BigID left navigation panel, navigate to Apps Center and select the Fortanix Data Security Gateway.

    Figure 11: Accessing Fortanix data security gateway

  2. On the Fortanix Data Security Gateway page, click icon to begin configuring the preset.

    Figure 12: Editing the create security objects preset

  3. In the Create Security Objects page, click icon and enter the following details:

    • DSM_ENDPOINT: The URL of your Fortanix DSM instance. The default is https://amer.smartkey.io.

    • API_KEY: The API key for the Fortanix Data Security Gateway with access to the associated DSM group as copied in Section 6.5: Copying the API Key.

    • ALLOW_DECRYPT: By default, it is set to true. This default value holds good when detokenization is required in the future. Once set to false user cannot detokenize data.

    • EXPORTABLE_KEY: To use the low-latency tokenization service supported by Fortanix DSM, users need to set it to true. For more information, refer to the Fortanix DSM Accelerator Webservice Deployment Guide.

    Figure 13: Filling out create security object parameters

  4. Click Save to apply the configuration.

  5. After saving, return to the Fortanix Data Security Gateway page and click Run to initiate the security object creation process.

    Figure 14: Running the create security object workflow


  6. Upon successful execution, the required security objects will be created in Fortanix DSM.

    NOTE

    A tag named Protect: Secure with Fortanix is also created during this action. This tag is used later for selective tokenization, as described in Section 8.2.1: Tokenize Mode. For more information to create additional security objects manually for tokenization, refer to Security Objects Tokenization Quickstart.

8.2 Running the Tokenization Workflow

This section explains how to perform tokenization of sensitive data using the Fortanix Data Security Gateway in BigID, leveraging the security objects created in the previous step.

Perform the following steps to run the tokenization workflow:

  1. In the BigID left navigation panel, navigate to Apps Center and select the Fortanix Data Security Gateway.

  2. On the Fortanix Data Security Gateway page, click icon to begin configuring the preset.

    Figure 15: Editing the tokenization secret

  3. In the Tokenize– Edit Preset form, enter the following details:

    • DSM ENDPOINT: The URL of your Fortanix DSM instance. The default is https://amer.smartkey.io.

    • API KEY: The API key generated from the Fortanix Data Security Gateway with access to the relevant DSM group, as copied in Section 6.5: Copying the API Key.

    • DATA SOURCE TYPE: The type of data source that needs to be tokenized.

    • DATA SOURCE NAME: The name of the data source as added when configuring the data source in BigID.

    • USERNAME: Specify your data source account username with update and alter permissions.

    • PASSWORD: Specify your data source account password with update and alter permissions.

    • BATCH SIZE: Specifies the number of records to process at a time, depending on the data size.

    • TOKENIZE MODE: Tokenizes only columns tagged with “Secure with Fortanix”.

    • DSM TIMEOUT: Maximum time to wait for a response from the DSM API. Increase this value if you encounter timeout or connection errors.

      NOTE

      By default, TIMEOUT is set to NONE, which means the gateway will wait indefinitely for a response from the Fortanix DSM. Users can optionally configure a timeout duration to prevent long waits or hanging requests.

    Figure 16: Filling out tokenization parameters

  4. Click Save to apply the configuration.

  5. After saving, return to the Fortanix Data Security Gateway page and click Run to initiate the tokenization process.

    NOTE

    To maintain stability and prevent performance issues, it is recommended to keep the BATCH_SIZE at or below 2000. Higher values may result in timeouts or increased memory usage, depending on system load and data complexity.

8.2.1 Tokenize Mode

This section explains how the TOKENIZE MODE parameter controls full or selective tokenization behaviour.

  1. If TOKENIZE MODE is set to ALL (by default), all the columns tagged by BigID classifiers in the data source will be tokenized automatically.

  2. If TOKENIZE MODE is set to TAGGED, only the columns manually tagged by the user will be tokenized. To perform selective tokenization:

    1. Navigate to the BigID Registry and Metadata Catalog.

    2. From the Object Name pane, select the required object and then locate the column you want to tokenize.

    3. In the Columns tab, click the Tags icon next to the target column.

    4. In the Add Tag dialog box, click the + button and enter the Protect: Secure with Fortanix tag.

      Figure 17: Adding the tag

    5. Click Save to apply the tag.

  3. After saving, return to the Fortanix Data Security Gateway page and click Run to execute the updated tokenization action.

8.2.2 Tags

Once the tokenization action is completed successfully, the following tags are automatically added to the tokenized data:

  • Secured with Fortanix: Tokenized – An object-level tag added when at least one column in the object has been tokenized. This helps identify the overall protection status of the object.

    Figure 18: Object-level tag applied after tokenization

  • Secured with Fortanix:<column_name> – A column-level tag added to each individual column that has been tokenized. This allows users to verify exactly which fields were processed.

    Figure 19: Column-level tag applied after tokenization

9.0 Troubleshooting

PROBLEM

RESOLUTION

FF1 Error

This error indicates that the data passed for tokenization does not meet the criteria defined during security object creation.

This often occurs when the same data is tokenized more than once, or when the input format is invalid.

Create a new tokenization key in Fortanix DSM with the appropriate input format that matches the data characteristics.

Authentication failed: 401

This error indicates unauthorized access due to invalid authentication credentials.

Ensure the API key and DSM endpoint are correctly configured.

Request Entity Too Large [413]

This error indicates that the batch size exceeds the acceptable limit.

Reduce the batch size and retry the tokenization operation.

Tokenization failed: Connection issue with Fortanix DSM

Retry the tokenize operation.

10.0 Important Considerations

  1. No Automatic Tokenization for New Data:

    Once a column or table has been tokenized and tagged, any new data added later will not be automatically tokenized. The presence of tags indicates that the object has already been processed, and the app will skip it in subsequent runs.

  2. Tokenization Requires Tag Removal:

    If users want to tokenize a column or table (such as due to newly added data), they must rescan the data source and add tags for new columns. This signals the app to treat the object as unprocessed and include it in the next tokenization run.

  3. Do Not Manually Remove Tags After Tokenization (Unless Reprocessing Intentionally):

    The tags applied after tokenization indicate that the data has already been secured. Removing them without planning to reprocess can result in double tokenization, which may lead to data corruption, FF1 errors, or unexpected results.

  4. Manual Tagging to Tokenize Unclassified Columns:

    If users want to tokenize additional columns that were not classified by BigID, they can manually add the tag: Protect: Secure with Fortanix. This enables the app to recognize and include the column in the tokenization process during the next run.

  5. Column not tokenized even after being flagged by BigID:

    If a column was flagged as sensitive by BigID but remains unprocessed after the Tokenize action, it indicates that a corresponding security object does not exist in Fortanix DSM.

    Resolution: Create a security object in Fortanix DSM using the exact same name as the column displayed in the BigID catalog.

    For more information on how to create required security objects in Fortanix DSM, refer to Security Objects Tokenization Quickstart.

Related articles