Fortanix Data Security Manager (DSM) 4.27 comes with some exciting new features, improvements, and resolved issues.
1. New Features
- Added support to verify the client certificate revocation status when using Trusted CA as the application (app) authentication method (JIRA: PM-176).
When adding a new app with Trusted CA as the app authentication method, the user can now enable checking of the Certificate Revocation List (CRL) status of the client certificate used to authenticate the app connection by selecting the check box labeled Verify client certificate revocation status.
For more details, refer to User's Guide: Authentication.
- Added ML-KEM Kyber Crystal algorithm support in DSM (JIRA: PM-1).
With this feature, a user can now select ML-KEM as a post-quantum cryptography method when generating a new security object.
For more details, refer to User's Guide: Fortanix Data Security Manager Key Lifecycle Management.
2. Enhancements to Existing Features
- Removed the toggle to enable or disable the System Administration accounts (JIRA: ES-285).
A system administrator cannot disable an account using the Enable or Disable toggle on the System Administration → Accounts page anymore.
- For security objects in an Azure Key Vault-backed DSM group that have audit logging enabled, DSM now logs the following new events (JIRA: PM-143):
  - The security object is soft-deleted.
  - The security object is recovered within the grace period after having been soft-deleted.
  - The corresponding Azure Key Vault entry is soft-deleted or recovered on key sync.
  - The security object is rotated on a rotation policy schedule.
  - The security object is copied.
- Enabled audit logs for ScheduleDelete and CancelDelete APIs (JIRA: PROD-8251).
- Added support for rotating a linked key with an AWS policy set up in DSM; the updated key version will now align with the same AWS policy (JIRA: ES-265).
3. Other Improvements
- Improved the transition of redundant Fortanix DSM FIPS nodes (JIRA: PM-203).
- Added the ability to downgrade the kernel in Fortanix DSM (JIRA: DEVOPS-4510).
- Increased the timeout in the /opt/fortanix/sdkms/bin/dsm_manual_cassandra_backup.sh script file (JIRA: DEVOPS-4583).
- Updated the Cassandra DC labeling script to display the number of nodes per label before applying the labeling and to perform a request seamlessly on a live cluster (JIRA: DEVOPS-4609).
- Packaged FX2200 series 2 new BMC firmware version 12.72.02 as part of the Fortanix DSM installer (JIRA: DEVOPS-4634).
- Removed the Intel Windows Launch Enclaves from the directory common/libsenclave-runner/le in the Fortanix DSM container (JIRA: PROD-8279).
- Added support to remove old DSM restore scripts from the /opt/fortanix/sdkms/bin directory (JIRA: DEVOPS-4610).
4. Client Improvements
- Added support for security object name attribute deletion using KMIP (JIRA: PROD-8230).
  - Replaced the name with a placeholder value that is significant only to the KMIP proxy.
  - Added logic to treat it as a security object with no name.
- Fixed an issue so that the KMIP client can preserve the activation date of a security object set in the past (JIRA: PROD-7972).
- The DSM JCE Provider Client (unbundled) artifacts are now distributed through the Maven repository (JIRA: PM-235). For more details, refer to the DSM JCE Client Downloads.
5. DSM-Accelerator Improvements
- DSM-Accelerator Webservice
  - Added HMAC support for the DSM-Accelerator Webservice (JIRA: PM-244). For more details, refer to the Developer's Guide: DSM-Accelerator Web Service.
- DSM-Accelerator JCE Provider
  - Added HMAC support for DSM-Accelerator JCE Provider (JIRA: PM-244). For more details, refer to the Developer’s Guide: DSM-Accelerator JCE Provider.
- DSM-Accelerator PKCS#11
  - Added HMAC support for DSM-Accelerator PKCS#11 (JIRA: PM-244). For more details, refer to the Developer’s Guide: DSM-Accelerator PKCS#11.
6. Quality Enhancements
- Upgraded the Fortanix DSM kernel to the latest 5.4 version (JIRA: DEVOPS-4626).
7. Bug Fixes
- Fixed an issue where choosing RAW for decryption did not enable RAW decrypt to work as intended when setting up a Fortanix DSM account or group-level cryptographic policy (JIRA: ES-253).
- Fixed an issue that occurred when invalid cert_lifetime or serial_bits parameters were passed to csr:sign() or TbsCertificate.new() (JIRA: PROD-8208).
- Fixed an issue where the Retention period for audit logs configuration had conflicting functionality using the Fortanix DSM user interface (UI) and APIs (JIRA: ES-325).
8. Known Issues
- API returns a “400 status code and response error” if its short-term access token expires during the synchronization of a group linked to AWS KMS (JIRA: PROD-3903).
Workaround: Increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
- exclude does not work in the proxy configuration for operations such as attestation (JIRA: PROD-3311).
- Rotating a GCP BYOK key to a pre-existing Fortanix DSM-hosted key (Rotate to DSM key) is not supported (JIRA: PROD-6722).
Workaround: You can manually copy the AES 256 key from a normal DSM group to a GCP-backed group. This key automatically becomes the currently active crypto key version in the GCP key ring.
- The “Rotate linked key” feature fails with an error for keys in an externally backed group where the external entity is a Google Cloud Platform key ring (JIRA: PROD-6828).
Workaround: You must first manually rotate the source key in the normal DSM group and then copy the rotated key to the GCP group.
- If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD-6947).
Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
- The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
- Copying an RSA or EC key from a normal DSM group to an AWS KMS-backed DSM group does not work as expected and results in an error (JIRA: PROD-7787).
Workaround: Export the RSA or EC key from the normal DSM group and import it into the AWS KMS-backed DSM group.
- Fortanix DSM does not support the ML-KEM key type in the account and group-level cryptographic policies. Although it is available on the front end (UI), the back end does not support it (JIRA: PROD-8427).
- The Fortanix DSM user interface (UI) fails to load groups beyond 1000. Therefore, any security object associated with a group beyond 1000 will not be displayed (JIRA: ROFR-4378).
- The admin applications (apps) cannot retrieve the details for GET /users/{uuid} and instead return the error "Inappropriate authorization for the requested operation" (JIRA: PROD-9212).
Workaround: Call GET /users/{uuid} with the system administrator credentials to retrieve the user ID details.
- If the email configuration is incorrect, clicking RESEND VERIFICATION EMAIL on the Fortanix DSM user interface (UI) will result in a 500 Internal Server Error from the resend_confirm_email API (JIRA: PROD-9243).
Workaround: Email verification is not enforced for the entire cluster; therefore, only a few users must verify their emails. If the email configuration is incorrect, their accounts will remain accessible and not be blocked.
9. Fortanix Data Security Manager Performance Statistics
9.1 Series 2
Key Types and Operations | Throughput (Operations/second on a 3-node cluster re-using a single TLS session) |
---|---|
AES 256: CBC Encryption/Decryption | 4,498/4,513 |
AES 256: GCM Encryption/Decryption | 4,450/4,462 |
AES 256: FPE Encryption/Decryption | 2,252/2,197 |
AES 256 Key Generation | 1,137 |
RSA 2048 Encryption/Decryption | 4,057/1,158 |
RSA 2048 Key Generation | 33 |
RSA 2048 Sign/Verify | 1,146/3,998 |
RSA 4096 Sign/Verify | 342/3,070 |
EC NISTP256 Sign/Verify | 1,048/605 |
Generate Kyber-ML Keys | 1,009 |
Encapsulation | 1,082 |
Decapsulation | 1,026 |
LMS Key (Height, Node) | |
L1 5, Node 24 | 20.21 |
L1 5, Node 32 | 16.70 |
L1 10, Node 24 | 0.54 |
L1 10, Node 32 | 0.50 |
Data Security Manager Plugin (Hello world plugin) | 1,730 (invocations/second) |
________________________________________________________________________________________________________________
9.2 Azure Standard_DC8_v2
Key Types and Operations | Throughput (Operations/second on a 3-node [Standard_DC8_v2] cluster re-using a single TLS session) |
---|---|
AES 256: CBC Encryption/Decryption | 3,494/3,503 |
AES 256: GCM Encryption/Decryption | 3,435/3,444 |
AES 256: FPE Encryption/Decryption | 2,028/2,036 |
AES 256 Key Generation | 964 |
RSA 2048 Encryption/Decryption | 3,340/1,184 |
RSA 2048 Key Generation | 43 |
RSA 2048 Sign/Verify | 1,177/3,283 |
RSA 4096 Sign/Verify | 457/2,814 |
EC NISTP256 Sign/Verify | 967/584 |
Data Security Manager Plugin (Hello world plugin) | 1,603 (invocations/second) |
________________________________________________________________________________________________________________
9.3 Series 2 JCE
Key Types and Operations | Throughput (Operations/second on a 3-node cluster re-using a single TLS session) |
---|---|
AES 256: CBC Encryption/Decryption | 3,962/3,962 |
AES 256 Key Generation | 1134 |
RSA 2048 Key Generation | 33 |
RSA 2048 Sign/Verify | 913/1,984 |
RSA 4096 Sign/Verify | 316/1,601 |
EC NISTP256 Sign/Verify | 864/547 |
Data Security Manager Plugin (Hello world plugin) | 1,733 (invocations/second) |
________________________________________________________________________________________________________________
9.4 Azure Standard DC8 JCE
Key Types and Operations | Throughput (Operations/second on a 3-node [Standard_DC8 JCE] cluster re-using a single TLS session) |
---|---|
AES 256: CBC Encryption/Decryption | 3,346/3,395 |
AES 256 Key Generation | 950 |
RSA 2048 Key Generation | 43 |
RSA 2048 Sign/Verify | 912/1,754 |
RSA 4096 Sign/Verify | 397/1,547 |
EC NISTP256 Sign/Verify | 767/514 |
Data Security Manager Plugin (Hello world plugin) | 1,587 (invocations/second) |
10. Fortanix Data Security Manager-Accelerator Performance Statistics
10.1 Runtime Environment
Item | Specification |
---|---|
Number of Cores | 4 |
CPU | Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz |
RAM | 2 GiB |
VM Type | Standard D4ds v4 Azure VM |
Docker Runtime Configuration | |
________________________________________________________________________________________________________________
10.2 DSM-Accelerator Webservice
Key Types and Operations | Throughput (Operations/second on a 1-node cluster re-using a single TLS session) |
---|---|
AES 256: CBC Encryption/Decryption | 16,874/17,581 |
AES 256: GCM Encryption/Decryption | 16,535/17,025 |
AES 256: FPE Encryption/Decryption | 5,440/5,399 |
________________________________________________________________________________________________________________
10.3 Additional Modes
Key Types and Operations | Throughput (Operations/second on a 1-node cluster re-using a single TLS session) |
---|---|
AES 256: CBCNOPAD Encryption and Decryption | 16,893/17,291 |
AES 256: CFB Encryption/Decryption | 17,099/17,370 |
AES 256: CTR Encryption/Decryption | 17,140/17,324 |
AES 256: OFB Encryption/Decryption | 17,231/17,289 |
AES 256: CCM Encryption/Decryption | 16,514/17,000 |
11. Installation
To install the DSM Runtime Encryption® SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, Download Here.