1.0 Introduction
This article provides an overview of the Fortanix Key Insight on-premises database scanning infrastructure, which is used to discover cryptographic material (encryption keys and their configuration) stored in on-premises databases.
It also describes:
Database scanning architecture
Database scanning process
Database scanning benefits
2.0 Terminology References
For on-premises connection concepts and supported features, refer to On-premises Connection Concepts.
3.0 Architecture
The following diagram illustrates how Fortanix Key Insight integrates with on-premises databases through the Fortanix On-premises Scanner to collect and analyze encryption metadata:

Figure 1: Database Scanning Architecture
3.1 Components
The architecture consists of two main components:
Oracle and Microsoft SQL Server databases: The on-premises database systems that store both organizational data and the configuration of the encryption that protects it. Both support Transparent Data Encryption (TDE), which protects data at rest by encrypting database files, tablespaces, or columns transparently to applications. Each database exposes system catalog views that describe its encryption components (keystores, master keys, data encryption keys, and the encryption state of tablespaces, files, or columns).
Fortanix On-premises Scanner (fortanix-scanner): Installed once per organization. It connects to the supported databases, collects encryption-related metadata through read-only catalog queries (it reads system metadata only, not application data), and forwards the aggregated metadata over a secure outbound connection to Fortanix Key Insight for centralized analysis.
3.2 Workflow
This section outlines the workflow for scanning the on-premises databases:
The Fortanix On-premises Scanner connects to the supported databases (Oracle and Microsoft SQL Server) and runs catalog queries (read-only queries against system metadata views, not against application tables) to identify cryptographic components such as:
TDE master encryption keys, which act as Key Encryption Keys (KEKs) for the data encryption keys
Data Encryption Keys (DEKs)
Key hierarchies (which master key protects which DEK, and which tablespaces, files, or columns each DEK protects)
Encryption levels (for example, fully or partially encrypted)
The Fortanix On-premises Scanner aggregates the collected metadata and establishes a secure outbound connection to the Fortanix Key Insight SaaS for analysis, reporting, and visualization.
4.0 Database Scanning Benefits
The Database scanning process helps to:
Gain visibility into the encryption keys stored in or referenced by your databases.
Strengthen your data security posture by identifying unmanaged or weakly protected keys.
Simplify compliance with encryption and key management regulations.
Detect duplicate keys or inconsistent encryption configurations across databases.
Enable a unified inventory view to support post-quantum cryptography (PQC) readiness and key lifecycle management.
5.0 Limitations
The following table summarizes the known limitations in the key metadata that Oracle and MSSQL databases expose, and therefore in what Fortanix Key Insight can report for them:

| KEY TYPE | ORACLE | MSSQL |
|---|---|---|
| Master Encryption Key | If TDE is configured with an external Key Management System (KMS) or Hardware Security Module (HSM), the list of master keys is not available in the database, because the keys and their metadata are managed externally. | The creation and rotation dates of master keys are not available. |
| Data Encryption Key (DEK) | Metadata for DEKs is not available. | Metadata is available only for the currently active DEK. |
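The catalog queries described in section 3.2, and the limitations in the table above, are easiest to understand by looking at the system views involved. The queries below are an added illustration written for this article; they are not the scanner's own query set, which this page does not document. They assume a database account with read privileges on the views named (on SQL Server, VIEW SERVER STATE and VIEW DEFINITION; on Oracle, SELECT on the V$ and DBA_ views used), SQL Server 2012 or later, and Oracle Database 12c or later. Run the SQL Server block on the SQL Server instance and the Oracle block in the Oracle database (CDB root or PDB as appropriate); column availability varies by version.

```sql
-- Added example, not part of the Fortanix documentation or scanner.
-- Read-only catalog queries of the kind an on-premises scanner runs to
-- inventory TDE keys, key hierarchies and encryption levels.

---------------------------------------------------------------------------
-- Microsoft SQL Server
---------------------------------------------------------------------------
-- One row per database. sys.dm_database_encryption_keys exposes only the DEK
-- currently in use, which is why only the active DEK can be inventoried.
-- encryption_state: 0 = no DEK present, 1 = unencrypted,
-- 2 = encryption in progress, 3 = encrypted, 4 = key change in progress,
-- 5 = decryption in progress.
SELECT d.name                        AS database_name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,                 -- > 0 while state is 2, 4 or 5 (partially encrypted)
       k.key_algorithm,
       k.key_length,
       k.create_date                 AS dek_create_date,
       k.regenerate_date             AS dek_regenerate_date,
       k.encryptor_thumbprint,
       COALESCE(c.name, a.name)      AS dek_protector,   -- certificate or asymmetric (EKM/HSM) key in master
       c.start_date                  AS cert_valid_from, -- validity window only; the KEK's own
       c.expiry_date                 AS cert_valid_to,   -- creation/rotation dates are not exposed here
       c.pvt_key_encryption_type_desc                    -- how the certificate's private key is protected
FROM   sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
LEFT JOIN master.sys.certificates          AS c ON c.thumbprint  = k.encryptor_thumbprint
LEFT JOIN master.sys.asymmetric_keys       AS a ON a.thumbprint  = k.encryptor_thumbprint
WHERE  d.database_id > 4                                -- skip master, tempdb, model, msdb
ORDER BY d.name;

---------------------------------------------------------------------------
-- Oracle Database (12c or later)
---------------------------------------------------------------------------
-- Keystore in use: WRL_TYPE / WALLET_TYPE show whether the master key is held
-- in a software keystore or in an external HSM / KMS.
SELECT wrl_type, wrl_parameter, wallet_type, status
FROM   v$encryption_wallet;

-- Master (key-encryption) keys known to the database keystore, with creation
-- and activation history. With an external keystore the keys and their
-- metadata are managed outside the database (see the limitation above).
SELECT key_id, tag, keystore_type, key_use, creation_time, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time;

-- Key hierarchy: which master key wraps each encrypted tablespace's key, and
-- whether the tablespace is fully encrypted or still converting
-- (STATUS is NORMAL, ENCRYPTING, DECRYPTING or REKEYING in 12.2 and later).
SELECT t.name AS tablespace_name, e.encryptionalg, e.masterkeyid, e.status
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

-- Encryption level across all tablespaces (YES / NO) and column-level TDE.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces;

SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
FROM   dba_encrypted_columns;
```

Two points worth noting when reading the results. On SQL Server, the DMV returns a single row per database describing the DEK currently in use, so a rotated-out DEK leaves no catalog trace, and the certificate's start and expiry dates describe its validity window rather than when the protector was created or rotated. On Oracle, the per-tablespace rows give the key hierarchy (tablespace to master key ID) and the conversion status, which is what "partially encrypted" means in practice; the DEK itself is not described in the catalog.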
6.0 Scan Databases Using Fortanix On-premises Scanner
The Fortanix On-premises Scanner is the component that discovers and extracts encryption metadata from on-premises databases.
It is available for the following platforms:
Linux: Provided as .deb and .rpm packages.
Windows: Provided as an .exe executable.
For detailed information on Database scanning using the Fortanix On-premises Scanner, refer to the following:
7.0 Frequently Asked Questions (FAQs)
Can I use the on-premises scanner to scan cloud-managed databases such as Amazon Relational Database Service (RDS)?
No. The on-premises scanner supports only self-managed database servers, such as Microsoft SQL Server and Oracle, that are running on-premises.
To scan cloud-managed databases such as Amazon RDS, use Fortanix Key Insight cloud scanning REST APIs, which can discover the RDS instances, identify the underlying database type (for example, MSSQL or Oracle), and assess key usage and compliance by connecting to AWS services such as RDS and KMS.