1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with External Secrets Operator (ESO) to securely manage and retrieve secrets for Kubernetes workloads.
By using the Fortanix provider with ESO, you can store secrets centrally in Fortanix DSM and automatically synchronize them with Kubernetes Secret objects, ensuring strong protection and lifecycle management of sensitive data.
2.0 Prerequisites
Ensure the following:
Fortanix DSM must be accessible. For more information, refer to Section 5.1: Signing Up and Section 5.2: Creating an Account.
Access to a running Kubernetes cluster (version 1.25 or later).
ESO is installed in the cluster. For more information, refer to the following:
To learn about the tools required for installing ESO, refer to the official ESO Prerequisites documentation.
To learn about the step-by-step procedure for installing ESO, refer to the official ESO Getting Started documentation.
3.0 Product Version Tested
The following product versions were tested:
Fortanix DSM version 5.2 or later
External Secrets Operator (ESO) version 0.9 or later
Kubernetes version 1.25 or later
4.0 Architecture Workflow

Figure 1: Architecture diagram
This figure illustrates the high-level workflow of the integration between Fortanix DSM and the ESO for Kubernetes.
The ESO acts as an intermediary that fetches secrets from external secret managers such as Fortanix DSM and injects them into Kubernetes Secrets.
ExternalSecretsObject – Specifies which external secret to fetch, from which provider (such as Fortanix DSM), and how often to synchronize it.
SecretStore – Defines the provider connection details and authentication method. In this case, it stores the Fortanix DSM API URL and API key credentials used by ESO.
External Secrets Operator – Authenticates using the configured service account and securely connects to Fortanix DSM to retrieve secret values.
Sync Process – The operator periodically fetches the secret values from Fortanix DSM based on the refresh interval defined in the ExternalSecretsObject.
Kubernetes Secret Creation – ESO creates or updates a native Kubernetes Secret with the retrieved data, making it available to pods and workloads in the specified namespace.
Secrets Manager (Fortanix DSM) – Serves as the external secret source that securely stores and manages sensitive information such as API keys, credentials, and certificates. ESO retrieves these secrets from Fortanix DSM through the configured SecretStore connection, ensuring they remain synchronized and available as native Kubernetes Secrets for use by applications and workloads.
5.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
5.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>, for example, https://amer.smartkey.io. On-premises customers use the KMS URL, and SaaS customers can use the URLs listed here based on the application region.
For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.
5.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 2: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
5.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 3: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
5.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 4: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 5.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
5.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in the previous section to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the API Key Details dialog box, copy the API Key of the app to use it later.
5.6 Creating a Security Object
You can either IMPORT or GENERATE any security object type in Fortanix DSM. For example, this integration demonstrates importing a SECRET type of security object.
Perform the following steps to generate a secret key in the Fortanix DSM:
Click the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to add a security object.
Figure 5: Add Security Object
On the Add new Security Object page, enter the following details:
Security Object Name: Enter the name of your security object.
Group: Select the group as created in Section 5.3: Creating a Group.
Select the IMPORT radio button.
In the Choose a type section, select the SECRET key type.
In the Place value here or import from file section, select the value format type as required, such as Text (UTF-8), Hex, Base64, or Raw, and click the UPLOAD A FILE button to upload the key file.
In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.
Click the IMPORT button to create the new security object.
6.0 Creating a Namespace in Kubernetes
Run the following command to create a Kubernetes namespace for the ESO:
kubectl create namespace <namespace>
Where, <namespace> refers to the Kubernetes namespace in which you want to deploy the External Secrets Operator resources.
7.0 Creating the Fortanix API Key Store
Run the following command to create a Kubernetes Secret that stores the Fortanix DSM API key used by the ESO provider:
kubectl -n <namespace> create secret generic <api-key-secret-name> \
  --from-literal=sdkms-api-key-='<api-key-value>'
Where,
<namespace> refers to the Kubernetes namespace created in Section 6.0: Creating a Namespace in Kubernetes.
<api-key-secret-name> refers to the name of the Kubernetes Secret that stores the Fortanix DSM API key.
<api-key-value> refers to the actual Fortanix DSM app API key obtained in Section 5.5: Copying an API Key.
8.0 Creating the SecretStore File
Create a SecretStore file to establish the connection between ESO and Fortanix DSM and update it with the following content:
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: <secretstore-name>
  namespace: <namespace>
spec:
  provider:
    fortanix:
      apiUrl: "<dsm-endpoint>" # Replace with your DSM endpoint URL
      apiKey:
        secretRef:
          name: <api-key-secret-name>
          key: <api-key-name>
Where,
<secretstore-name> refers to the name of the SecretStore resource.
<namespace> refers to the Kubernetes namespace created in Section 6.0: Creating a Namespace in Kubernetes.
<dsm-endpoint> refers to the Fortanix DSM endpoint URL.
<api-key-secret-name> refers to the name of the Kubernetes Secret created in Section 7.0: Creating the Fortanix API Key Store, which stores the DSM API key.
<api-key-name> refers to the key name defined inside the Kubernetes Secret that holds the Fortanix DSM API key, as created in Section 5.6: Creating a Security Object.
Run the following command to apply the configuration:
kubectl apply -f <secretstore-filename>.yaml
Where, <secretstore-filename> refers to the YAML file name created in the previous step.
9.0 Creating the External Secret File
Create an ExternalSecret file to configure Kubernetes to retrieve secrets from Fortanix DSM and create corresponding Kubernetes Secrets, and update it with the following content:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: <external-secret-name>
  namespace: <namespace>
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: <secretstore-name>
    kind: SecretStore
  target:
    name: <k8s-secret-name>
    creationPolicy: Owner
  data:
    - secretKey: <local-secret-key>
      remoteRef:
        key: "<dsm-secret-name>" # Replace with the DSM secret name
Where,
<external-secret-name> refers to the name of the ExternalSecret resource.
<namespace> refers to the Kubernetes namespace created in Section 6.0: Creating a Namespace in Kubernetes.
<secretstore-name> refers to the SecretStore resource created in Section 8.0: Creating the SecretStore.
<k8s-secret-name> refers to the name of the Kubernetes Secret that will be created or updated.
<local-secret-key> refers to the key name within the Kubernetes Secret that maps to the secret value retrieved from Fortanix DSM.
<dsm-secret-name> refers to the name of the secret created in Fortanix DSM, as described in Section 5.6: Creating a Security Object.
Run the following command to apply the configuration:
kubectl apply -f <externalsecret-filename>.yaml
Where, <externalsecret-filename> refers to the YAML file name that contains the ExternalSecret configuration created in the previous step.
10.0 Verifying the Integration
Run the following commands to verify successful integration between Fortanix DSM and ESO.
Run the following commands to check the status of the ExternalSecret:
kubectl -n <namespace> get externalsecret <external-secret-name>
kubectl -n <namespace> describe externalsecret <external-secret-name>
Run the following command to check if the Kubernetes Secret was created:
kubectl -n <namespace> get secret <k8s-secret-name>
Run the following command to view and decode the secret value:
kubectl -n <namespace> get secret <k8s-secret-name> -o jsonpath='{.data.<local-secret-key>}' | base64 -d
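The references set up in Sections 7.0 through 9.0 can also be checked together. The following is an added example, not part of the Fortanix or ESO documentation: a Python check over the JSON printed by kubectl -n <namespace> get secret,secretstore,externalsecret -o json. It assumes a namespaced SecretStore as configured above; every object name and value in the embedded sample is constructed.

```python
import json
import sys
from pathlib import Path

# Constructed sample; all names and values are made up. The SecretStore key lacks the trailing hyphen on purpose.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Secret", "metadata": {"namespace": "eso-demo", "name": "fortanix-api-key"},
     "data": {"sdkms-api-key-": "Y29uc3RydWN0ZWQ="}},
    {"kind": "SecretStore", "metadata": {"namespace": "eso-demo", "name": "dsm-store"},
     "spec": {"provider": {"fortanix": {
         "apiUrl": "https://amer.smartkey.io",
         "apiKey": {"secretRef": {"name": "fortanix-api-key", "key": "sdkms-api-key"}}}}}},
    {"kind": "ExternalSecret", "metadata": {"namespace": "eso-demo", "name": "db-creds"},
     "spec": {"secretStoreRef": {"name": "dsm-store"}, "target": {"name": "app-db"},
              "data": [{"secretKey": "password", "remoteRef": {"key": "db-password"}}]},
     "status": {"conditions": [{"type": "Ready", "status": "False"}]}}]}

def check_wiring(listing):
    """Return findings. Only object names and key names are read, never secret values."""
    index = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in listing.get("items", [])}
    findings = []
    for (kind, ns, name), obj in index.items():
        if kind == "SecretStore":
            fx = obj["spec"]["provider"]["fortanix"]
            ref = fx["apiKey"]["secretRef"]
            holder = index.get(("Secret", ns, ref["name"]))
            if not fx["apiUrl"].startswith("https://"):
                findings.append(f"SecretStore/{name}: apiUrl is not https")
            if holder is None:
                findings.append(f"SecretStore/{name}: Secret {ref['name']} not found")
            elif ref["key"] not in holder.get("data", {}):
                findings.append(f"SecretStore/{name}: key {ref['key']!r} not in Secret {ref['name']}")
        elif kind == "ExternalSecret":
            spec = obj["spec"]
            if ("SecretStore", ns, spec["secretStoreRef"]["name"]) not in index:
                findings.append(f"ExternalSecret/{name}: SecretStore not found")
            conds = obj.get("status", {}).get("conditions", [])
            if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds):
                findings.append(f"ExternalSecret/{name}: not Ready")
            target = index.get(("Secret", ns, spec["target"]["name"]), {})
            for item in spec.get("data", []):
                if item["secretKey"] not in target.get("data", {}):
                    findings.append(f"ExternalSecret/{name}: key {item['secretKey']!r} not in target Secret")
    return findings

if __name__ == "__main__":  # optional argument: path to saved kubectl JSON output
    listing = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(check_wiring(listing)) or "wiring OK")
```

Because the check compares key names only, it confirms the synchronization without writing the decoded secret to the terminal.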