File System

  • Published on Oct 23, 2025
  • 3 minute(s) read
Prev Next

1.0 Introduction

This guide provides an overview of the Fortanix Key Insight on-premises File System infrastructure, which is used to scan cryptographic materials stored within file systems.

It also describes:

  • File System Scanning components

  • Supported key and certificate formats

2.0 Terminology References

For File System concepts and supported features, refer to On-premises Connection Concepts.

3.0 File System Scanning

Organizations often store cryptographic material in local files, including private keys, public keys, symmetric keys, certificates, and application-specific files (for example, SSH and PGP). To reduce security risks, these assets need to be scanned, their metadata extracted, and the results integrated into a managed state.

The File System Scanning feature enables this scanning process by capturing inventory information and integrating it into Fortanix Key Insight, providing visibility, analysis, and seamless integration.

3.1 File System Scanning Components

The feature consists of two main components:

  • File System Scanner Agent (fortanix-fs-scanner): Installed on servers that need to be scanned. It traverses file systems and extracts metadata about cryptographic materials. For detailed information on File System Scanner Agent installation and configuration, refer to File System Scanner Agent Configuration.

  • Fortanix On-premises Scanner (fortanix-scanner): Installed once per organization. It receives metadata from multiple File System Scanner Agents using HTTPS and forwards the collected information to Fortanix Key Insight. For detailed information on Fortanix On-premises Scanner installation and configuration, refer to On-premises Scanner Configuration.

NOTE

No cryptographic material ever leaves the server. The File System Agent Scanner transmits only metadata, such as file paths, cryptographic asset type, algorithms, and key sizes. The information sent outside the server is at the same security level as the data shown in Fortanix Key Insight reports and asset listings.

3.2 File System Scanner Agent

The File System Scanner Agent is the primary component responsible for scanning and extracting metadata. It is available for:

  • Linux: Provided as .deb and .rpm packages.

  • Windows: Provided as an .exe executable.

The following are the key properties of the File System Scanner Agent:

  • Extracts only metadata (never raw cryptographic materials such as private keys).

  • Ensures that no file uploads occur, keeping all data strictly on-premises.

  • Runs as a lightweight process without requiring long-running services or external dependencies such as OpenSSL.

  • Supports file system and network throttling to control CPU, I/O, and network usage without disrupting normal operations.

3.3 Supported Key and Certificate Formats

The file system scanning process supports detection and analysis of the following key and certificate formats:

  • SSH Keys

    • RSA private and public keys (OpenSSH, PEM)

    • DSA keys

    • ECDSA private and public keys (PEM)

    • Ed25519 private and public keys

    • PuTTY RSA private key (PPK)

  • TLS/SSL Certificates and Keys

    • Certificate chains (PEM)

    • Root CA, Intermediate CA, and Leaf certificates

    • Certificate Signing Requests (CSR)

    • Certificate Revocation Lists (CRL)

    • RSA private and public keys

    • Elliptic Curve (EC) parameters and keys

    • Diffie–Hellman (DH) parameters

    • JSON Web Keys (JWK)

    • Symmetric keys (encrypted formats)

      NOTE

      Raw symmetric keys in AES or HMAC format (binary data without headers) may be detected based on file size and file naming patterns. Any keys found this way should be manually verified, as they are not fully supported formats.

NOTE

  • Partially supported PKCS cryptographic container formats (detection and limited metadata extraction):

    • PKCS#12 / PFX bundles (encrypted and unencrypted)

    • PKCS#7 signed and enveloped messages

  • Supported PGP cryptographic materials (detection only):

    • PGP public keys

    • PGP private keys

    • PGP messages (encrypted and signed)

    • PGP signatures

3.4 File-Type Independent Scanning and Data Parsing

To maximize the accuracy of metadata detection, file extensions are generally not used to determine file type or scanning eligibility.

For now, all files that are 4 GiB or smaller are scanned, regardless of extension. The File System Agent scanner works directly on the binary data, attempting to extract metadata where possible.

If a file contains multiple PEM blocks, each block is evaluated separately for metadata in formats that support PEM encapsulation. File names are not a factor: as long as the file is readable, its contents are processed and checked for compatible metadata.