File System


1.0 Introduction

This article provides an overview of the Fortanix Key Insight on-premises file system scanning infrastructure, which is used to scan cryptographic materials stored within file systems.

It also describes:

  • File system architecture

  • Scanning file systems with the File System Scanner Agent

  • Supported key and certificate formats

  • File system scanning benefits

2.0 Terminology References

For on-premises connection concepts and supported features, refer to On-premises Connection Concepts.

3.0 Architecture

The following diagram illustrates the on-premises file system scanning infrastructure integrated with Fortanix Key Insight:

Figure 1: File System Scanning Architecture

3.1 Components

The architecture consists of two main components:

  • File System Scanner Agent (fortanix-fs-scanner): Installed on servers that need to be scanned. It traverses local file systems and extracts metadata about cryptographic materials.

  • Fortanix On-premises Scanner (fortanix-scanner): Installed once per organization. It receives metadata from multiple File System Scanner Agents over HTTPS and forwards the aggregated information to Fortanix Key Insight.

3.2 Workflow

This section outlines the file system scanning workflow:

  • Multiple File System Scanner Agents are deployed across Windows or Linux servers. Each File System Scanner Agent scans its local file systems and key stores, detects supported key assets, and securely sends the collected metadata to the central Fortanix On-premises Scanner.

    For more information, refer to Section 3.2.1: Scan File System Using File System Scanner Agent.

    NOTE

    No cryptographic material ever leaves the server. The File System Scanner Agent transmits only metadata, such as file paths, cryptographic asset types, algorithms, and key sizes; this is the same information that appears in Fortanix Key Insight reports and asset listings.

  • The Fortanix On-premises Scanner aggregates this information and establishes an outbound connection to the Fortanix Key Insight SaaS for analysis, reporting, and visualization.

    For more information, refer to Section 3.2.2: Transfer Metadata to Fortanix On-premises Scanner.

3.2.1 Scan File System Using File System Scanner Agent

The File System Scanner Agent is the primary component responsible for scanning and extracting metadata from file systems.

It is available for the following platforms:

  • Linux: Provided as .deb and .rpm packages.

  • Windows: Provided as an .exe executable.

For detailed information on File System scanning, configuration, and execution using the File System Scanner Agent, refer to the following:

3.2.2 Transfer Metadata to Fortanix On-premises Scanner

The metadata extracted by the File System Scanner Agent is securely transferred to the Fortanix On-premises Scanner, which serves as the integration point with Fortanix Key Insight.

It is available for the following platforms:

  • Linux: Provided as .deb and .rpm packages.

  • Windows: Provided as an .exe executable.

For detailed information on file system scanning using the Fortanix On-premises Scanner, refer to the following:

4.0 File System Scanner Agent Properties

The following are the key properties of the File System Scanner Agent:

  • Extracts only metadata and never accesses or transfers raw cryptographic material such as private keys.

  • Ensures that no files are uploaded, keeping all data strictly within the on-premises environment.

  • Runs as a lightweight process without requiring long-running services or external dependencies such as OpenSSL.

  • Supports file system and network throttling to manage CPU, I/O, and network usage without impacting normal system operations.

5.0 Supported Key and Certificate Formats

The File System scanning process supports detection and analysis of the following key and certificate formats:

  • SSH Keys

    • RSA private and public keys (OpenSSH, PEM)

    • DSA keys

    • ECDSA private and public keys (PEM)

    • Ed25519 private and public keys

    • PuTTY RSA private key (PPK)

  • TLS/SSL Certificates and Keys

    • Certificate chains (PEM)

    • Root CA, Intermediate CA, and Leaf certificates

    • Certificate Signing Requests (CSR)

    • Certificate Revocation Lists (CRL)

    • RSA private and public keys

    • Elliptic Curve (EC) parameters and keys

    • Diffie–Hellman (DH) parameters

    • JSON Web Keys (JWK)

    • Symmetric keys (encrypted formats)

      NOTE

      Raw symmetric keys in AES or HMAC format (binary data without headers) may be detected based on file size and file naming patterns. However, any keys identified through this method should be manually verified, as these are not fully supported formats.

NOTE

  • Partially supported PKCS cryptographic container formats (detection and limited metadata extraction):

    • PKCS#12 / PFX bundles (encrypted and unencrypted)

    • PKCS#7 signed and enveloped messages

  • Supported PGP cryptographic materials (detection only):

    • PGP public keys

    • PGP private keys

    • PGP messages (encrypted and signed)

    • PGP signatures

5.1 File-Type Independent Scanning and Data Parsing

To maximize the accuracy of metadata detection, file extensions are not used to determine file type or scanning eligibility.

For now, all files up to 4 GiB in size are scanned, regardless of their extension. The File System Scanner Agent operates directly on binary data to extract metadata wherever possible.

If a file contains multiple PEM blocks, each block is evaluated individually for metadata in formats that support PEM encapsulation. File names are not considered: as long as a file is readable, its contents are processed and analyzed for compatible metadata.
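The scanning rules of Sections 5.0 and 5.1 (content-based detection that ignores extensions, one verdict per PEM block, a per-file size cap, metadata only, and the header-less symmetric-key heuristic that needs manual verification) as an added, self-contained example. This is illustrative code written for this article, not the Fortanix agent's implementation: the record fields, the label table, the key-size parsers and the fixture files are assumptions constructed for the demo, and the "keys" inside the fixtures are placeholder numbers in valid containers, not real key material.

```python
"""Toy crypto-asset metadata scanner (added example; not Fortanix code): files are classified
by content, each PEM block on its own, and only metadata is kept, never the key bytes."""
import base64
import os
import re
import struct

MAX_FILE_BYTES = 4 * 1024 ** 3                       # the page's per-file scan limit
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SSH_RE = re.compile(rb"^(ssh-rsa|ssh-ed25519) ([A-Za-z0-9+/=]+)", re.M)
RAW_KEY_RE = re.compile(r"aes|hmac|\.key$", re.I)   # name hint for header-less symmetric keys
LABELS = {  # PEM label -> (asset type, algorithm); assumed taxonomy, PGP labels detection-only
    b"RSA PRIVATE KEY": ("private-key", "RSA"), b"RSA PUBLIC KEY": ("public-key", "RSA"),
    b"EC PRIVATE KEY": ("private-key", "EC"), b"EC PARAMETERS": ("parameters", "EC"),
    b"PRIVATE KEY": ("private-key", "PKCS#8"), b"PUBLIC KEY": ("public-key", "SPKI"),
    b"CERTIFICATE": ("certificate", "X.509"), b"CERTIFICATE REQUEST": ("csr", "PKCS#10"),
    b"X509 CRL": ("crl", "X.509"), b"PGP PUBLIC KEY BLOCK": ("pgp-public-key", "PGP"),
}

def _der_read(buf, pos):
    """One DER TLV at pos -> (tag, value, next_pos); enough for PKCS#1 keys."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """RSAPrivateKey is [version, n, e, ...] and RSAPublicKey is [n, e]: in both,
    the modulus is the longer of the first two INTEGERs."""
    tag, body, _ = _der_read(der, 0)
    ints, pos = [], 0
    while tag == 0x30 and pos < len(body) and len(ints) < 2:   # 0x30 = SEQUENCE
        t, v, pos = _der_read(body, pos)
        if t == 0x02:                                # 0x02 = INTEGER
            ints.append(v)
    return int.from_bytes(max(ints, key=len), "big").bit_length() if ints else None

def ssh_pubkey_bits(b64):
    """Key size from an OpenSSH public-key blob (RFC 4253 length-prefixed fields)."""
    blob, fields, pos = base64.b64decode(b64), [], 0
    while pos + 4 <= len(blob):
        n = struct.unpack(">I", blob[pos:pos + 4])[0]
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if fields[0] == b"ssh-rsa":                      # name, e, n
        return int.from_bytes(fields[2], "big").bit_length()
    return len(fields[1]) * 8 if fields[0] == b"ssh-ed25519" else None   # 32-byte point

def _rec(path, kind, algo, bits, verify=False):
    return {"path": path, "type": kind, "algorithm": algo, "bits": bits, "verify": verify}

def scan_file(path, data):
    """Metadata records for every asset in one file; decoded key bytes are dropped."""
    recs = []
    if len(data) > MAX_FILE_BYTES:                   # oversized: skipped, not reported
        return recs
    for m in PEM_RE.finditer(data):                  # each PEM block is judged on its own
        kind, algo = LABELS.get(m.group(1), ("unknown-pem", m.group(1).decode()))
        bits = None
        if algo == "RSA":
            try:
                bits = rsa_modulus_bits(base64.b64decode(b"".join(m.group(2).split())))
            except (ValueError, IndexError):
                pass                                 # malformed body: report the type only
        recs.append(_rec(path, kind, algo, bits))
    for m in SSH_RE.finditer(data):
        try:
            bits = ssh_pubkey_bits(m.group(2))
        except (ValueError, IndexError):
            bits = None
        recs.append(_rec(path, "public-key", m.group(1).decode(), bits))
    # raw AES/HMAC keys have no header: size plus name is only a hint, so flag for manual review
    if not recs and len(data) in (16, 24, 32, 48, 64) and RAW_KEY_RE.search(os.path.basename(path)):
        recs.append(_rec(path, "symmetric-key", "raw", len(data) * 8, verify=True))
    return recs

def _der_int(i):                                     # fixture helper: DER INTEGER encoding
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    b = b"\x00" + b if b[0] & 0x80 else b
    return b"\x02" + _der_len(len(b)) + b

def _der_len(n):
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def sample_files():
    """Constructed fixtures: valid containers around placeholder numbers, not real keys."""
    n = (1 << 2047) | 1                              # 2048-bit stand-in for an RSA modulus
    body = _der_int(0) + _der_int(n) + _der_int(65537) + _der_int(1)
    rsa_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(
        b"\x30" + _der_len(len(body)) + body) + b"-----END RSA PRIVATE KEY-----\n")
    def blob(*fs):                                   # OpenSSH public-key wire format
        return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fs))
    return {
        "web/server.pem": b"-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n" + rsa_pem,
        "home/id_rsa.pub": b"ssh-rsa " + blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + n.to_bytes(256, "big")) + b" a@h\n",
        "home/notes.txt": b"ssh-ed25519 " + blob(b"ssh-ed25519", bytes(range(32))) + b" b@h\n",
        "app/aes.key": bytes(32),                    # header-less 256-bit blob
        "app/readme.md": b"nothing cryptographic here\n",
    }
```

Feed `scan_file` each file a directory walker yields; `sample_files()` covers the cases the page calls out: two PEM blocks in one file, each reported separately; an SSH key sitting in a `.txt`, found because names are never consulted; and a 32-byte `aes.key` that is reported only with `verify` set, since size and name are a hint rather than proof. Key sizes are computed for PKCS#1 RSA and OpenSSH public keys; for X.509 and PKCS#8 the example stops at type and algorithm, which a real agent would extend with a fuller ASN.1 walk. Nothing in a record is derived from the private scalar, so the output is safe to ship to an inventory.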

6.0 File System Scanning Benefits

The File System scanning process helps to:

  • Discover hidden or unmanaged keys across file systems and key stores.

  • Improve key visibility to support compliance, auditing, and governance.

  • Simplify migration and centralization of keys into Hardware Security Modules (HSMs) or Fortanix Data Security Manager (DSM).

  • Enable a unified inventory view to support post-quantum cryptography (PQC) readiness and key lifecycle management.

  • Reduce manual effort in maintaining key repositories.