Fortanix Data Security Manager

This document describes the steps to integrate Fortanix Data Security Manager (DSM) with BeyondTrust Password Safe. The integration is based on PKCS#11.

Password Safe allows users and applications to check out passwords or sessions using passwords. Password Safe is also responsible for rotating the passwords for the privileged accounts it manages. For check-out operations, the passwords stored in Password Safe must be decrypted. When Password Safe rotates or changes a password, the new value must be encrypted. While Password Safe can use self-generated keys to encrypt and decrypt passwords, there are benefits associated with externalizing all encryption and decryption operations to Fortanix DSM.

Benefits for customers include the ability to monitor key usage, and also the ability to invalidate a key, even if access to Password Safe is not possible. Externalizing Password Safe keys to Fortanix DSM provides customers with additional security controls and flexibility, unlocking use cases including BYOK (Bring Your Own Key) and HOYK (Hold Your Own Key).

This quick step-by-step guide will help you configure a simple integration to allow Password Safe to externalize encryption and decryption operations to Fortanix DSM.

Prerequisites

This integration has been tested and is supported on:

  • Fortanix DSM 4.14 and later
  • Password Safe (BeyondInsight) 21.3 and later. BeyondInsight is the underlying platform and web console for Password Safe.

Configure Fortanix DSM for Password Safe

To configure the integration:

  1. Create a group in DSM.
  2. Create an app in DSM. Note the API key that you will use for the PIN when configuring the HSM in the BeyondInsight Configuration tool.
  3. Download the Fortanix PKCS#11 client from this URL: https://support.fortanix.com/hc/en-us/sections/4408769080724-PKCS-11
  4. Download the latest Windows 64-bit installer from Fortanix.
  5. After installing the MSI on your BeyondInsight server or appliance, locate the PKCS#11 driver and a README.txt file.
  6. Use the BeyondInsight Configuration tool to configure HSM credentials. The PIN is the API key for the DSM app (see step 2).
  7. In Password Safe, test and change the password for a Managed Account. A Successful message should appear at the bottom for each test and change.
  8. In DSM, find the new key created by Password Safe (with the name used earlier).
  9. The Activity Logs in the Key object in DSM confirm that the Decryption (Test Password) and Encryption (Change Password) operations were performed by Password Safe.
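
A pre-flight check for steps 4 to 6, as an added example that is not BeyondTrust or Fortanix code: the PKCS#11 driver is loaded on the BeyondInsight server and receives the DSM API key as its PIN, so this script reports the Authenticode signature and SHA-256 hash of the installer and the installed driver, and lists any non-administrative principal that can write to the driver file. Both default paths are placeholders; take the real driver path from the installed README.txt.

```powershell
# Added example, not vendor code. Both default paths are placeholders (assumptions):
# use your download location and the driver path given in the installed README.txt.
param(
    [string]$MsiPath    = 'C:\Temp\<fortanix-pkcs11-installer>.msi',
    [string]$DriverPath = 'C:\<install-dir>\<pkcs11-driver>.dll'
)

# Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# Write-type file rights, plus the raw GENERIC_WRITE / GENERIC_ALL bits some ACEs carry.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Test-DriverFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$CheckAcl
    )
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $writableBy = @()
    if ($CheckAcl) {
        # Collect Allow ACEs that grant write-type access to anyone outside $TrustedSids.
        $writableBy = @(foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ([int]$ace.FileSystemRights -band $WriteBits)) { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($TrustedSids -notcontains $sid) { "$($ace.IdentityReference): $($ace.FileSystemRights)" }
        })
    }
    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash.Hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        WritableBy      = $writableBy
        Ok              = ($sig.Status -eq 'Valid') -and ($writableBy.Count -eq 0)
    }
}

# The installer gets a signature and hash check; the installed driver also gets the ACL check.
$results = @(
    Test-DriverFile -Path $MsiPath
    Test-DriverFile -Path $DriverPath -CheckAcl
)
$results | Format-List
if ($results.Ok -contains $false) {
    Write-Warning 'Resolve the findings above before selecting this driver in the BeyondInsight Configuration tool.'
    exit 1
}
```

Record the reported hashes so that a later change to the driver file can be detected.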
