How to Provision and Secure Tokens and Secrets in phoenixNAP EMP


phoenixNAP’s Encryption Management Platform (EMP) is a centralized system that provides data security across multiple cloud providers and multi-cloud infrastructures. With integrated security for all data protection needs, it safeguards encryption keys, secrets, and tokens.

In this article, you will learn how to provision security objects and secure all your secrets.

How to provision and secure tokens and secrets in PNAP EMP.

Note: Follow the link to learn how to encrypt a Bare Metal Cloud drive with EMP.

Getting Started With Security Objects

To start working with security objects, log in to the phoenixNAP Encryption Management Platform and navigate to the Security Objects section from the sidebar on the left.

You can create/import a new security object (A) or manage existing ones (B).

Getting started with PhoenixNAP's EMP security objects.

Add a New Security Object

To add a new security object, click on the plus sign and type in the following information:

  1. A name for the security object.
  2. A short description.
  3. Assign it to an existing group or create a new group to which the object will belong.
  4. Choose whether you want to import or generate a security object.
Add a new security object.

Option 1: Import Security Objects

To import an existing security object, follow the steps outlined below.

  1. Select IMPORT when adding a new SO.

Note: phoenixNAP EMP allows you to import a security object from Components. To do so, you must set a Key Custodian Group Policy to enable importing keys from Components. This feature applies to key types AES, DES, and DES3.

2. Specify the type of key you want to import.

Import security object and choose data key type.

3. If you are importing an AES, DES, DES3, DSA, or HMAC key type from a file, it is likely the key is already encrypted. If so, check the box: The key has been encrypted. Then, select the key encryption key used for that specific instance.

Import already encrypted security object.
  1. Choose the format of the file (Raw, Base64, or Hex) you want to import.
  2. Upload file to EMP.
Choose value format for importing a security object in EMP.
  1. Select the key operations you want to permit. Due to cryptographic policy, some operations will be disabled based on the key type specified in step 2.
  2. By default, EMP enables audit logging to keep a complete audit log for this object. If you want to increase performance, uncheck the box to disable logging.
  3. Finally, click IMPORT to import the new security key.
Configure key and import into EMP.

Option 2: Generate Security Objects

To generate a SO using phoenixNAP EMP:

  1. Select GENERATE when adding a new security object.
  2. Choose the type of key you want to generate.

Note: If you opt for Tokenization, jump to the steps for setting up a security object token.

3. Next, define the key size. The permitted values depend on the key type.

Generate security object in EMP.
  1. Choose which key operations you want to permit. Some of the operations will be disabled based on the key type specified in step 2.
  2. By default, EMP enables audit logging to keep a full audit log for this object. To increase performance, uncheck the box to disable logging.
  3. Finally, click GENERATE to import the new security key.
Generate a new security object in phoenixNAP EMP.


Generate a key using the EMP tokenization feature for credit card information, ID numbers, and other sensitive information. Tokens replace classified data with randomly generated alphanumeric IDs. By doing so, they eliminate any connection with the owner of the information.

  1. To create a token, start by selecting Tokenization when choosing the key type you want to generate.
  2. Select one of the four categories the security object token belongs to:
    • General
    • Identification numbers (USA)
    • Military Service Numbers (USA)
    • Custom
Choose security object token.

Note: Learn more about different types of tokens in the Types of Security Object Tokens section.

  1. The next step is to choose permitted key operations. By default, tokenization, detokenization, and app management are enabled, while other operations are disabled due to cryptographic policy.
  2. EMP enables audit logging by default to keep a full audit log for this object. If you prefer not to do so, uncheck the box to disable logging.
  3. Lastly, click GENERATE to create a new security object token with the specified configuration.
Generate token for EMP.

Types of Security Object Tokens

The type of tokens you can generate include:

  1. General
    • Credit card
    • IMSI
    • IMEI
    • IP Address (v4)
    • Phone number (USA)
    • Fax Number (USA)
    • Email Address
  2. Identification numbers (USA)
    • SSN
    • Passport Number (USA)
    • Driver’s license
    • Individual Taxpayer Identification Number (USA)
  3. Military Service Numbers (USA)
    • Army and Air Force Service Number (USA)
    • Navy Service Number (USA)
    • Coast Guard Service Number (USA)
    • Marine Corps Service Number (USA)
    • Military Office Service Number (USA)
  4. Custom
    • Numbers only
    • Hexadecimals
    • Alphanumeric

Once you select the token, you need to specify what kind of tokenization you want it to have. There are four main tokenization types:

  • Full token – masking the entire token.
  • Token + last 4 digits – masking the entire token except the last four digits.
  • First 6 digits + token - masking the entire token except the first six digits.
  • First 6 digits + token + last four digits - masking the entire token except the first six digits and the last four digits.

For additional security, you can enable the Add masking pattern option to replaces the selected digits of the token with asterisks (*).

Working with Security Objects

New secrets and keys appear on the list on the main page, as in the image below.

List of security objects on EMP account.

The list shows:

  • The name of the security object
  • Its KCV
  • The enabled key operations
  • The group to which it belongs to
  • The user who created the group
  • How long ago it was created
  • The type of SO
  • The size of the SO
  • When the SO expires

Click on the row to see more details about each object from the list. Doing so takes you to a new page with a detailed description of the SO configuration.

Information about security object.

Security Object Attributes/Tags

Each SO has attributes/tags, which you can see by switching to the ATTRIBUTES/TAGS tab located next to INFO. They include:

PKCS #11 and CNG – standard attributes assigned based on the SO specifications.

EMP security object attributes.

Custom attributes – attributes that the user can define and add to the SO’s metadata. You can easily add custom attributes when needed by clicking the blue button.

Custom attributes for security objects in phoenixNAP EMP.

Key Rotation

phoenixNAP EMP includes the Key Rotation feature for security objects which allows you to replace an old encryption key with a new cryptographic key.

You will find the key rotation option in the detailed view of the security object.

Key rotation feature for security objects.

Once you click ROTATE KEY, a new window opens. If you want to deactivate the original key after the rotation, check the box before confirming with the ROTATE KEY button.

Note: For more information on the Key Rotation feature, refer to the official Fortanix User's Guide.

Security Object Status

The SO status shows whether users can utilize the SO for cryptographic operations. A security object can be:

  • pre-active (has an activation date in the future and is not operational before the specified date)
  • active (can be used for cryptographic operations)
  • deactivated/disabled (cannot be used for cryptographic operations)
  • destroyed (the key is deactivated, the key material is lost, and it can no longer be used)

The current status is indicated with a green underline.

EMP security object status.

A key becomes deactivated if it is manually disabled by a user or it reaches its expiration date. When creating a new security object, the default configuration is never to expire.

You can edit this setting in the detailed SO view and add a date when you want the key to transition to deactivated state.

Add expiration date to security object.

Note: By default, new security objects are created in the activated state. If you want to create one in the pre-activated state, use the Fortanix REST API.

Enable/Disable Security Objects

You can easily enable or disable security objects by activating or deactivating the Enabled field in the key detailed view. When a SO is disabled, it cannot perform any cryptographic operations. However, the key material and data are saved and can be easily activated at any time.

Enable/disable security objects.

How to Delete/Destroy Security Objects

There are two ways to remove a key in EMP:

  • Delete. To delete a SO means to remove the key material and its metadata permanently. The action cannot be undone, and the object cannot be restored once deleted.
  • Destroy. To destroy a key means to put it in an irreversible disabled state and delete the key material. While the SO can no longer be used, its metadata is preserved.
Delete or destroy security object in EMP.


After reading this article, you should know how to import and generate security objects on your EMP account. To learn more about working in EMP, refer to phoenixNAP EMP Account Provisioning and Overview.

Was this article helpful?
Sofija Simic
Sofija Simic is an experienced Technical Writer. Alongside her educational background in teaching and writing, she has had a lifelong passion for information technology. She is committed to unscrambling confusing IT concepts and streamlining intricate software installations.
Next you should read
How to Set Up BMC Drive Encryption Using EMP
May 19, 2021

This tutorial explains how to encrypt a BMC drive using the phoenixNap EMP platform...
Read more
phoenixNAP EMP Account Provisioning and Overview
May 6, 2021

Get acquainted with phoenxNAP's EMP and learn how to create, manage, and maintain accounts and users.
Read more
How VMware Tenants Apply the Fortanix Encryption Policy
January 14, 2021

The steps in this guide explain how to apply the EMP (Fortanix) storage policy to a virtual machine as a tenant.
Read more
How to Connect to a Server Using the BMC Remote Console Feature
August 28, 2020

Follow the instructions in this guide to learn how to access a Bare Metal Cloud server via Remote Console.
Read more