[4.18] Patch - June 20, 2023

Fortanix Data Security Manager SaaS (DSM SaaS) 4.18.2232 release provides an overview of the resolved issues.

1. Bug Fixes

• Fixed an issue where unverified Fortanix DSM users with multi-factor authentication (MFA) configured were not able to log in to DSM using a recovery code after account lockout (JIRA: PROD-7008).
• Fixed an issue where searching for an item without using the search filter in the Fortanix DSM Groups, Apps, and Security Objects table did not show any search results (JIRA: ROFR: 4214).

2. Known Issues

• The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
• exclude does not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).
• Rotating a GCP BYOK virtual key to a Fortanix DSM-backed key (Rotate to DSM key) is not supported (JIRA: PROD: 6722).
  Workaround: You can manually copy the AES 256 key from a normal DSM group to a GCP-backed group.
• The “Rotate linked key” feature does not work where a Fortanix DSM source key is rotated along with its linked keys by choosing the “Rotate linked keys” check box, where the linked key might belong to a GCP group in which case rotating linked key results in rotating the key in GCP as well as generating the new key in GCP (JIRA: ROFR: 4075).
  Workaround: You must first manually rotate the source key in the normal DSM group and then copy the rotated key to the GCP group.
• An Azure Managed HSM external KMS group now also allows the following security object types to be generated or imported. But the Bring Your Own Key (BYOK) and rotate key functionality does not work for these security object types (JIRA: ROFR: 4192).
  • EC
  • AES 128 and AWS 192
  Workaround: Do not generate or import security objects of type EC, AES 128, and AES 192 in an external KMS group of type Azure Managed HSM since the only allowed security object  types for an Azure key generated using the Generate or Import key workflows are:
  • RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
  • AES 256
• For the Azure Managed HSM external KMS group, the following security object types are enabled (JIRA: ROFR: 4187).
  • DES
  • DES3
  • EC-KCDSA
  Workaround: Do not generate or import security objects of type EC-KCDSA, DES, or DES3 in an external KMS group of type Azure Managed HSM since the only allowed security object types for an Azure key generated using the Generate or Import key workflows are:
  • RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
  • AES 256
• If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD: 6947).
  Workaround: Perform a key scan in DSM to synchronize the key state with Azure.

For a complete list of new features, enhancements to existing features, other improvements, and bug fixes refer to the full description of the 4.18 DSM SaaS release.