Infisical connects to Fortanix Data Security Manager (DSM) through an HSM Connector. Once connected, Infisical features that support HSM-backed keys can generate and use keys that stay in your Fortanix DSM. This guide covers the full setup: installing the Fortanix PKCS#11 driver on a Gateway inside your network, pointing it at your DSM, and creating the Connector in Infisical.

Prerequisites

  • A Fortanix DSM account with a group and an application configured for PKCS#11 access.
  • A host inside your network that can reach your DSM endpoint over HTTPS, where you can install the Fortanix PKCS#11 client and run an Infisical Gateway.
  • Permission to create HSM Connectors in Infisical (HSM Connectors > Create).

How it works

Infisical reaches your DSM through the HSM Connector. Each operation goes from Infisical to the Connector, which routes it to a Gateway inside your network. The Gateway loads the Fortanix PKCS#11 driver, runs the operation against your DSM, and returns the result. DSM is reached only through the Connector and its Gateway, never from Infisical directly. Two pieces of configuration are involved, and they are separate:
  • The driver’s config file (pkcs11.conf) on the Gateway host tells the Fortanix driver which DSM endpoint to connect to. This is the standard Fortanix client configuration that any PKCS#11 application uses.
  • The Connector’s PIN in Infisical is your Fortanix API key. The Gateway passes it to DSM as the PKCS#11 login credential.
Your API key is a credential, so it goes only in Infisical as the PIN. It does not belong in pkcs11.conf.

Set up the connection

Step 1: Get your Fortanix application API key

In the Fortanix DSM dashboard, go to Apps, open the application you use for PKCS#11 access, and find the API Key section. Click View API Key Details to copy the key, or Regenerate to create a new one.

The application can only use keys in the groups it belongs to (shown in the Groups section of the app), so make sure the keys you want Infisical to use live in a group this app can access.

You will enter this API key in Infisical as the Connector’s PIN in the final step.
Step 2: Install the driver and point it at your DSM

Gateway HSM support runs on Linux only, so install the Fortanix PKCS#11 library on the Linux machine that will run the Gateway. Fortanix publishes it on its PKCS#11 library page as a .deb package, an .rpm package, or a standalone .so. A .deb apt repository is also available (deb https://download.fortanix.com/linux/apt focal main). The driver installs to /opt/fortanix/pkcs11/fortanix_pkcs11.so.

Confirm the driver file is readable by the Gateway user:

ls -l /opt/fortanix/pkcs11/fortanix_pkcs11.so

Create the Fortanix client configuration file at /etc/fortanix/pkcs11.conf with the DSM endpoint for your region:

api_endpoint = "https://amer.smartkey.io"

This is the only setting the driver needs here. Infisical supplies the API key as the PIN in the final step.
Step 3: Start the Gateway with the driver attached

Append --pkcs11-module=/opt/fortanix/pkcs11/fortanix_pkcs11.so to the Gateway start (or systemd install) command:

sudo infisical gateway systemd install <gateway-name> \
  --enroll-method=token \
  --token=<enrollment-token> \
  --domain=<your-infisical-domain> \
  --pkcs11-module=/opt/fortanix/pkcs11/fortanix_pkcs11.so
sudo systemctl start <gateway-name>

The Gateway logs a line confirming the PKCS#11 module loaded.

Step 4: Create the HSM Connector in Infisical

In Certificate Manager > Settings > HSM Connectors, click Add HSM Connector and fill in:

Field              Value
Name               Slug-friendly identifier, e.g. fortanix-prod.
Gateway            The Gateway you started above (or a Pool that contains it).
Slot label         Fortanix Token by default. If you configured a custom token label, use that value instead.
PIN                Your Fortanix application API key from Step 1.
Key label prefix   Optional prefix added to every key label Infisical creates in this slot.

Troubleshooting

  • The slot label must match the token label the driver reports, exactly and case-sensitively. List it on the Gateway host:
    pkcs11-tool --module /opt/fortanix/pkcs11/fortanix_pkcs11.so --list-token-slots
    On Fortanix DSM the value is Fortanix Token.
  • The PIN must be your Fortanix application API key, not the DSM account password. If you regenerated the API key in the Fortanix dashboard, update the Connector’s PIN in Infisical to match.
  • Check api_endpoint in /etc/fortanix/pkcs11.conf. It must point to your DSM region and be reachable over HTTPS from the Gateway host.
  • The Gateway must run with --pkcs11-module so the driver loads. Check the Gateway log for the PKCS#11 module load line.
  • Every operation makes a round-trip to DSM. Run the Gateway in the same network as DSM to keep latency low.
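The checks above can be scripted so they run before the Connector is created. The following preflight script is an added example, not code from Infisical or Fortanix: it parses api_endpoint out of pkcs11.conf, confirms it is an https:// URL, checks that the driver file is readable, and extracts the token label from pkcs11-tool --list-token-slots output to compare it exactly (case-sensitively) against the Connector’s slot label. Run with no arguments it exercises the parsers on constructed sample input; the --live flag, the PKCS11_CONF, MODULE and SLOT_LABEL environment variables, the curl reachability probe and the pkcs11-tool output layout it parses are assumptions of this example, not settings from this guide.

```shell
#!/bin/sh
# Added preflight check for the Gateway host (example code, not Infisical's or Fortanix's).
# Usage: sh preflight.sh          -> runs the parsers on constructed sample input
#        sh preflight.sh --live   -> checks the real host (env: PKCS11_CONF, MODULE, SLOT_LABEL)

# Print the api_endpoint value from a pkcs11.conf file (prints nothing if absent).
conf_api_endpoint() {
  sed -n 's/^[[:space:]]*api_endpoint[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only for https:// URLs; the driver reaches DSM over HTTPS.
endpoint_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read `pkcs11-tool --list-token-slots` output on stdin and print the first token label,
# with surrounding whitespace trimmed. Assumed line layout: "  token label : <label>".
token_label_from_listing() {
  sed -n 's/^[[:space:]]*token label[[:space:]]*:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Exact, case-sensitive comparison, which is what the Connector's slot label requires.
label_matches() {
  [ "$1" = "$2" ]
}

# Check the real host. Defaults are the paths used in this guide.
preflight_live() {
  conf=${PKCS11_CONF:-/etc/fortanix/pkcs11.conf}
  module=${MODULE:-/opt/fortanix/pkcs11/fortanix_pkcs11.so}
  expected=${SLOT_LABEL:-Fortanix Token}
  status=0
  if [ -r "$module" ]; then echo "OK:   $module is readable by $(id -un)"
  else echo "FAIL: $module is not readable by $(id -un)"; status=1; fi
  ep=$(conf_api_endpoint "$conf")
  if [ -z "$ep" ]; then echo "FAIL: no api_endpoint in $conf"; status=1
  elif ! endpoint_is_https "$ep"; then echo "FAIL: api_endpoint $ep is not https://"; status=1
  elif curl -sS -o /dev/null --max-time 5 "$ep"; then echo "OK:   $ep answered over HTTPS"
  else echo "WARN: $ep did not answer over HTTPS from this host"; fi
  label=$(pkcs11-tool --module "$module" --list-token-slots 2>/dev/null | token_label_from_listing)
  if label_matches "$label" "$expected"; then echo "OK:   token label '$label' matches the Connector slot label"
  else echo "FAIL: token label '$label' does not match Connector slot label '$expected'"; status=1; fi
  return $status
}

# Exercise the parsers on constructed input so the script runs on any machine.
preflight_demo() {
  conf=$(mktemp)
  printf 'api_endpoint = "https://amer.smartkey.io"\n' > "$conf"
  ep=$(conf_api_endpoint "$conf")
  rm -f "$conf"
  if endpoint_is_https "$ep"; then echo "parsed api_endpoint: $ep (https)"
  else echo "parsed api_endpoint: $ep (NOT https)"; fi
  # Constructed listing in the shape pkcs11-tool prints; the label is the value the driver reports.
  listing='Available slots:
Slot 0 (0x0): Fortanix DSM
  token label        : Fortanix Token
  token manufacturer : Fortanix'
  label=$(printf '%s\n' "$listing" | token_label_from_listing)
  for candidate in "Fortanix Token" "fortanix token"; do
    if label_matches "$label" "$candidate"; then echo "match:    '$candidate'"
    else echo "mismatch: '$candidate' (slot labels are case-sensitive)"; fi
  done
}

if [ "${1:-}" = "--live" ]; then preflight_live; else preflight_demo; fi
```

Run it as the Gateway's service user with --live, since the readability check is only meaningful for the account that loads the driver; a non-zero exit means at least one FAIL line was printed.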

What’s next?

  • HSM Connectors: concept overview and the generic setup flow.
  • Signers: create an HSM-backed Signer that uses this Connector.