Fortanix — Data Security Manager (DSM)

Common Models / Form Factors

  • DSM delivered on-prem on Fortanix FX2200 Series II appliances (integrated HSM) or as DSM SaaS. Interfaces include PKCS#11, KMIP, JCE, CAPI/CNG, and REST; HSM Gateway unifies legacy third-party HSMs behind DSM.

FIPS Status

  • Validated module: FIPS 140-2 Level 3 (CMVP certificate for the Fortanix SDKMS/DSM Appliance; active through its sunset window). We deploy DSM/FX2200 in the FIPS-approved configuration and manage firmware to keep you in validated mode.
  • Note on 140-3: We track Fortanix platform updates and will map workloads to 140-3-validated modules as certificates publish, without disrupting service. (Some Fortanix materials reference a 140-3 posture; the CMVP listing remains the source of truth.)

PQC (Post-Quantum) Support

  • Positioning & features: DSM offers PQC readiness tooling (e.g., PQC Central) and guidance; we implement dual-stack rollouts so classical (RSA/ECDSA) and NIST PQC (ML-KEM/Kyber, ML-DSA/Dilithium) algorithms can run side by side, with DSM enforcing policy, custody, and automation.

Dual Private-Key Format Support (Seed vs Expanded)

  • Context: PQC introduces compact seeds (~tens of bytes) and expanded keys (~1.6–4 KB). Emerging seed-only PKCS#12 profiles change backup and interchange practices.
  • What we implement with DSM:
    • Seed custody as DSM/HSM objects: Store seeds as controlled objects (RBAC, dual control/split knowledge), with audit and approval workflows.
    • Deterministic re-derivation in trusted compute: Materialize expanded keys from seeds inside DSM's FIPS L3 appliance boundary (and/or Intel SGX enclaves) for KEM/signing, avoiding persistent storage of large keys when policy forbids it.
    • Expanded-key import & lifecycle: Where apps mandate expanded keys, we manage them as wrapped objects with labeling, rotation, archival, and change-controlled export paths.
    • Backup & portability: Cluster-level backups, tamper-evident ceremonies, and runbooks to migrate from legacy PFX to seed-centric custody as standards finalize.
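As an added example (not Fortanix's or SafeCipher's code, and not using any DSM API), the seed-custody pattern above modelled locally with Go's standard-library ML-KEM-768 (`crypto/mlkem`, Go 1.24 or later): only the 64-byte seed is kept, the expanded key is re-derived on demand, and a KEM round trip confirms the re-derived key works against a peer that only ever saw the expanded public key.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// Sizes: byte lengths a custody/backup design is sized around.
type Sizes struct{ Seed, EncapsulationKey, Ciphertext, SharedKey int }

// FreshSeed generates an ML-KEM-768 key and keeps only its 64-byte seed (the custody object).
func FreshSeed() ([]byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return dk.Bytes(), nil // seed in "d || z" form
}

// RederiveAndRoundTrip re-derives the expanded key from the seed twice (as a fresh
// process or enclave would), checks they agree, and runs a KEM round trip.
func RederiveAndRoundTrip(seed []byte) (Sizes, bool, error) {
	first, err := mlkem.NewDecapsulationKey768(seed)
	if err != nil {
		return Sizes{}, false, err // a wrong-length seed is rejected here
	}
	ekBytes := first.EncapsulationKey().Bytes() // expanded public key
	second, err := mlkem.NewDecapsulationKey768(seed) // deterministic re-derivation
	if err != nil {
		return Sizes{}, false, err
	}
	same := bytes.Equal(second.EncapsulationKey().Bytes(), ekBytes)
	peer, err := mlkem.NewEncapsulationKey768(ekBytes) // peer holds only the public key
	if err != nil {
		return Sizes{}, false, err
	}
	peerSecret, ct := peer.Encapsulate()
	ourSecret, err := second.Decapsulate(ct)
	if err != nil {
		return Sizes{}, false, err
	}
	ok := same && bytes.Equal(peerSecret, ourSecret)
	return Sizes{len(seed), len(ekBytes), len(ct), len(ourSecret)}, ok, nil
}

func main() {
	seed, _ := FreshSeed()
	fmt.Println(RederiveAndRoundTrip(seed))
}
```

The printed sizes (64-byte seed against a 1184-byte expanded public key and 1088-byte ciphertext) are what drive the backup and interchange choices the bullets above describe.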

How SafeCipher Helps (Procure • Deploy • Support)

  • Procurement & contracts: Sizing (SaaS vs on-prem FX2200), quotes, spares/RMA, co-termed renewals; PoCs and vendor-neutral comparisons.
  • Deployment & integration: HA clustering, policy/RBAC design, client stacks (PKCS#11/KMIP/JCE/CNG), HSM Gateway to consolidate third-party HSMs, and performance tuning.
  • Operations: 24×7 or business-hours (BH) support options, monitoring/telemetry, firmware/config governance, seed/expanded-key ceremonies, backup/escrow, and audit-ready evidence packs.
  • Migrations: Legacy KMS/HSM → DSM via HSM Gateway, on-prem ↔ SaaS transitions, and classical→PQC dual-stack pilots with provenance-preserving re-wraps.

Bottom line

Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right—without locking you to a single vendor.