Fortanix Data Security Manager (DSM) 4.34 comes with some exciting new features, improvements, and resolved issues.
WARNING
- You are required to upgrade Fortanix DSM to version 4.27 or 4.31 before upgrading to version 4.34.
- Downgrade from 4.34 to any prior version is not supported due to the Kubernetes version upgrade.
- You may observe delay (retries) in bringing up services post upgrade to DSM 4.34 due to a new table creation in the database to support the new Key Expiry Alert feature. For more details, contact Fortanix Support.
NOTE
- The Fortanix DSM cluster upgrade must be done with Fortanix Support on call. Please reach out to Fortanix Support if you are planning an upgrade.
- The customer's BIOS version must be checked by Fortanix Support before the Fortanix DSM software upgrade. If required, the BIOS version should be upgraded to the latest version and verified by Fortanix Support for a smooth upgrade.
- If your Fortanix DSM version is 4.13 or later, then the HSM Gateway version must also be 4.13 or later. Similarly, if the HSM Gateway version is 4.13 or later, then your Fortanix DSM version must be 4.13 or later.
1. New Features
- Added a new feature for key expiry alerts. It can be configured by selecting Syslog or Splunk as the external logging systems in the DSM account using Settings → ALERT MANAGEMENT.
Users can now set up key expiry alerts for 30, 7, and 1 day(s) prior to the key expiration date (JIRA: PM-146).
For more information, refer to User’s Guide: Alert Management. - Added a new feature where users can filter keys in the Security Objects table by expiration date (JIRA: PM-319).
For more information, refer to User’s Guide: Key Lifecycle Management. - Added support for LMS key in the DSM account-level and group-level Cryptographic policy (JIRA: PROD-9356).
- Added API support to assign a key rotation policy that includes the
rotate_copied_keysoption for a key in a FIPS backed group (JIRA: EXTREQ-1195).
2. Improvements
- Expired Quorum approval requests improvements (on-prem only) (JIRA: ES-399).
- Renamed the description "Enable the toggle to generate audit logs for pending expired approval requests." to "Enable the toggle to generate audit logs for expired pending approval requests." in the Fortanix DSM user interface (UI) Settings → QUORUM POLICY page.
- Added the Show expired tasks check box in the Import/Export and App credentials tabs under the COMPLETED, FAILED, and PENDING tabs on the Fortanix DSM Tasks page.
- Renamed the description "Enable the toggle to generate audit logs for pending expired approval requests." to "Enable the toggle to generate audit logs for expired pending approval requests." in the Fortanix DSM user interface (UI) Settings → QUORUM POLICY page.
- Added support to view more than 1000 groups on the Fortanix DSM Groups page (JIRA: ROFR-5084).
If you have more than 1000 groups in your Fortanix DSM account, the Groups page will display only the NAME, DESCRIPTION, and CREATED columns for a group. Similarly, you can only filter groups using the group Name, Description, and Created at filters. - Added support to view more than 1000 applications (apps) on the Fortanix DSM Apps page (JIRA: ROFR-4994).
If you have more than 1000 apps in your Fortanix DSM account, the Apps page will display only the NAME, CREDENTIALS, CERT EXPIRES, GROUPS, and DESCRIPTION columns for an app. Similarly, you can only filter apps using the app Name and Description filters.
For more information, refer to User's Guide: Getting Started with Fortanix Data Security Manager - UI.
3. Other Improvements
- Added support for 4096-bit RSA and EC private keys for TLS and support for certificate-based authentication for a DSM application using EC keys (JIRA: PM-368). For more information, refer to:
- Added support for logging the Trusted Node Identity for cross-verification during the Secure Node Join (SNJ) process in offline Data Center Attestation Primitives (DCAP) mode (JIRA: PROD-9221).
For more information, refer to Fortanix DSM Installation Guide.
4. Quality Enhancements
- Upgraded Kubernetes to version 1.30.5 (JIRA: DEVOPS-5162).
For more information, refer to the Administration Guide: Fortanix Data Security Manager (Release 4.34) Kubernetes Version Upgrade to 1.30 K8s. - Upgraded Kernel to version 5.4.0.x (JIRA: DEVOPS-5164).
5. API Updates
- Added support for filtering and sorting for list APIs for DSM groups and apps (JIRA: PM-349).
- Updated DSM groups collection API -
GET /sys/v1/groups(JIRA: PROD-5394).- Added
continuation_tokenas an optional query parameter in the request. It facilitates fetching data incrementally from DSM. - The filter now supports
created_at,description, andwrapping_key_nameparameters in addition to name. - Substring match is now supported with
name.
- Added
- Updated DSM apps collection API -
GET /sys/v1/apps(JIRA: PROD-8272).- Added
continuation_tokenas an optional query parameter in the request. It facilitates fetching data incrementally from DSM. - The filter now supports
app_type,created_at,auth_type,enabled,description, andinterfaceparameters in addition toname. - Substring match is now supported with
name.
- Added
- Updated DSM groups collection API -
6. Bug Fixes
- Fixed an issue where LDAP users logging into Fortanix DSM using account member role were facing high latency when navigating the DSM menu items (JIRA: ES-356).
- Fixed an issue in a DSM Azure Key Vault group where the users were unable to restore a purged key to enabled state with the key material successfully reimported into Azure Key Vault (JIRA: ES-383).
- Fixed an issue where the users encountered the error “This operation requires an account to be selected first” (JIRA: ES-427).
- Fixed an issue where a quorum approval request for rotating a key using Batch API does not work as expected (JIRA: ES-380).
- Fixed an issue that prevented users from removing the ML-KEM key from the allowed security objects in an account or group using the cryptographic policy (JIRA: ES-364).
- Assigned
attestation: nullas the default attestation for non-SGX nodes to fix VMware and AWS upgrade failure (JIRA: ES-360). - Fixed an issue where the users were unable to scroll through the list of groups in the COPY KEY window when attempting to perform a copy key operation (JIRA: ROFR-5109).
- Fixed an issue where during DSM 4.31 upgrade, users experienced a double password prompt during login received an "unauthorized access invalid token specified" error after logging in (JIRA: ES-422).
- Fixed an issue where the Disaster Recovery (DR) scenario failed when one of the FIPS nodes was turned off. The database crashed and did not automatically switch to another FIPS node. The database recovered only when the turned-off FIPS node was reactivated (JIRA: ES-415).
- Fixed an issue where the
excludeoption did not function correctly inproxyconfigurations for operations such as attestation (JIRA: ES-331). - Fixed an issue in CyberArk with DSM integration where it was unable to retrieve encryption key on one of the nodes after a power failure (JIRA: ES-424).
- Fixed an issue where a Fortanix DSM account, whether normal or system administrator, with the No roles can login with password role selected, experienced issues when attempting to log in using a password. If the users select such an account and enter the SSO credentials, they were logged out instead of accessing the account (JIRA: ES-443).
- Fixed an issue where the admin applications (apps) could not retrieve the details for
GET /users/{uuid}and instead returned the error "Inappropriate authorization for the requested operation" (JIRA: ES-336). - Increased the Cassandra repair timeout from 3600 to 10800 seconds to address the repair job issues (JIRA: ES-318).
- Fixed an issue where clicking Regenerate in an app's detailed view always generated a 64-byte app password, even when a smaller secret size (such as 16 or 32 bytes) was selected (JIRA: ES-434).
-
Fixed an issue with restoration of Fortanix DSM (JIRA: PROD-8629).
-
Fixed an issue where the DSM upgrade had a dependency on internet connectivity (JIRA: DEVOPS-5373).
7. Client Bug Fixes
- Fixed an issue with decrypting Pretty Good Privacy (PGP) messages using the Fortanix DSM Sequoia PGP client (JIRA: ES-381).
- Fixed an issue in the Fortanix DSM PKCS#11 client where multipart encryption failed when invoking
C_EncryptUpdatewith aNULL_PTRin a package buffer file (pBuf) (JIRA: PROD-9262).
8. Known Issues
- The hyperlink color for the field “Follow the instructions in” in the “Add Instance” form for Google Workspace Client-Side Encryption (CSE) still reflects the old link color value (JIRA: ROFR-4789).
- The sync key API returns a “400 status code and response error” if its short-term access token expires during the synchronization of a group linked to AWS KMS (JIRA: PROD-3903).
Workaround: Increase the timeout of the temporary session token beyond the expected duration of the sync key operation. - If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD-6947).
Workaround: Perform a key scan in DSM to synchronize the key state with Azure. - The
createoperation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078). - Copying an RSA or EC key from a normal DSM group to an AWS KMS-backed DSM group does not work as expected and results in an error (JIRA: PROD-7787).
Workaround: Export the RSA or EC key from the normal DSM group and import it into the AWS KMS-backed DSM group. - The COPY KEY dialog box does not filter the HSM/External KMS groups as expected when Import key to HSM/External KMS check box is selected, if there are more than 1,000 groups in the account (JIRA: ROFR-5167).
- Unable to delete a user who was invited to an account with a "Custom account role" that includes an "All Groups Role" along with group membership assigned explicitly in the invite user workflow if the invited user has not accepted the invitation (JIRA: PROD-9409).
Workaround: To delete the invited user, contact Fortanix Support or perform the following steps:
If you have already assigned explicit group memberships, perform the following steps to remove them and delete the user:- Change the user's account role to "Account Member".
- Remove the group memberships one by one using the user interface.
- Delete the user.
- The
sudo get_csrs --rotatecommand does not support changing the hostname of the service URL. For example, If your service's main URL is dsm.fortanix.net, you cannot change this main URL hostname (JIRA: PROD-9542). - When you run
sudo get_csrs --rotatecommand to create a new certificate pair for cluster and UI, it does not remove the old certificate pair from the sdkms pod resulting in two certificate pairs which can lead to unexpected results (JIRA: PROD-9570).
9. Fortanix Data Security Manager Performance Statistics
9.1 Series 2
| Key Types and Operations | Throughput (Operations/second on a 3-node cluster re-using a single TLS session) |
|---|---|
| AES 256: CBC Encryption/Decryption | 5,654/5,547 |
| AES 256: GCM Encryption/Decryption | 5,450/5,508 |
| AES 256: FPE Encryption/Decryption | 2,878/2,811 |
| AES 256 Key Generation | 1,333 |
| RSA 2048 Encryption/Decryption | 5,121/1,190 |
| RSA 2048 Key Generation | 33.7 |
| RSA 2048 Sign/Verify | 1,176/4,884 |
| RSA 4096 Sign/Verify | 393/4,259 |
| EC NISTP256 Sign/Verify | 1,239/712 |
| Kyber ML-KEM Encapsulation | 1,225 |
| Kyber ML-KEM Decapsulation | 1,172 |
| LMS Key (Height, Node) | |
| L1 5, Node 24 | 221 |
| L1 5, Node 32 | 180 |
| L1 10, Node 24 | 9 |
| L1 10, Node 32 | 7 |
| Data Security Manager Plugin (Hello world plugin) |
2,301 (invocations/second) |
________________________________________________________________________________________________________________
9.2 Azure Standard_DC8_v2
| Key Types and Operations | Throughput (Operations/second on a 3-node [Standard_DC8_v2] cluster re-using a single TLS session) |
|---|---|
| AES 256: CBC Encryption/Decryption | 4,671/4,732 |
| AES 256: GCM Encryption/Decryption | 4,690/4,612 |
| AES 256: FPE Encryption/Decryption | 2,642/2,626 |
| AES 256 Key Generation | 1054 |
| RSA 2048 Encryption/Decryption | 4,396/1,329 |
| RSA 2048 Key Generation | 45 |
| RSA 2048 Sign/Verify | 1,340/4,214 |
| RSA 4096 Sign/Verify | 523/4173 |
| EC NISTP256 Sign/Verify | 1,154/678 |
| Data Security Manager Plugin (Hello world plugin) |
2,119 (invocations/second) |
________________________________________________________________________________________________________________
9.3 Series 2 JCE
| Key Types and Operations | Throughput (Operations/second on a 3-node cluster re-using a single TLS session) |
|---|---|
| AES 256: CBC Encryption/Decryption | 4,994/5,208 |
| AES 256 Key Generation | 1,241 |
| RSA 2048 Key Generation | 33 |
| RSA 2048 Sign/Verify | 988/2,675 |
| RSA 4096 Sign/Verify | 373/2,401 |
| EC NISTP256 Sign/Verify | 1,051/652 |
| Data Security Manager Plugin (Hello world plugin) |
2,242 (invocations/second) |
________________________________________________________________________________________________________________
9.4 Azure Standard DC8 JCE
| Key Types and Operations | Throughput (Operations/second on a 3-node [Standard_DC8 JCE] cluster re-using a single TLS session) |
|---|---|
| AES 256: CBC Encryption/Decryption | 4,565/4,413 |
| AES 256 Key Generation | 1,096 |
| RSA 2048 Key Generation | 44 |
| RSA 2048 Sign/Verify | 1,084/2,492 |
| RSA 4096 Sign/Verify | 452/2,192 |
| EC NISTP256 Sign/Verify | 978/582 |
| Data Security Manager Plugin (Hello world plugin) |
2,166 (invocations/second) |
10. Fortanix Data Security Manager-Accelerator Performance Statistics
10.1 Runtime Environment
NOTE
- The following table lists the standard recommended runtime environment. You can choose a higher configuration for better performance.
- DSM-Accelerator was run in the runtime environment listed below for performance testing.
| Item | Specification |
|---|---|
| Number of Cores |
4 |
| CPU |
Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz |
| RAM |
2 GiB |
| VM Type |
Standard D4ds v4 Azure VM |
| Docker Runtime Configuration |
|
________________________________________________________________________________________________________________
10.2 DSM-Accelerator Webservice
NOTE
The performance numbers below are captured with a single node; if you need higher performance or throughput, then we recommend adding multiple nodes.
| Key Types and Operations | Throughput (Operations/second on a 1-node cluster re-using a single TLS session) |
|---|---|
| AES 256: CBC Encryption/Decryption | 23,192/22,462 |
| AES 256: GCM Encryption/Decryption | 23,458/23,361 |
| AES 256: FPE Encryption/Decryption | 9,657/9,654 |
________________________________________________________________________________________________________________
10.3 Additional Modes
| Key Types and Operations | Throughput (Operations/second on a 1-node cluster re-using a single TLS session) |
|---|---|
| AES 256: CBCNOPAD Encryption and Decryption | 22,920/22,797 |
| AES 256: CFB Encryption/Decryption | 23,025/22,987 |
| AES 256: CTR Encryption/Decryption | 23,478/23,525 |
| AES 256: OFB Encryption/Decryption | 23,731/23,525 |
| AES 256: CCM Encryption/Decryption | 22,974/22,771 |
11. Installation
To install the DSM Runtime Encryption® SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, Download Here.
Comments
Please sign in to leave a comment.