File System


1.0 Introduction

This article provides an overview of the Fortanix Key Insight on-premises file system infrastructure, which scans file systems for cryptographic material.

It also describes:

  • File system architecture

  • Scanning file systems using the File System Scanner Agent (Windows) or the File System and Network Scanner Agent (Linux)

  • Supported key and certificate formats

  • File system scanning benefits

The File System and Network Scanner Agent also provides the capability to ingest and analyze network logs generated by network security monitoring frameworks (for example, Zeek) on Linux systems. This enables passive monitoring of network traffic to detect cryptographic metadata such as TLS versions, cipher suites, certificates, and key exchange parameters.

For more information on network infrastructure, refer to Network.

2.0 Terminology References

For on-premises connection concepts and supported features, refer to On-premises Connection Concepts.

3.0 Architecture

The following diagram illustrates the on-premises file system scanning infrastructure integrated with Fortanix Key Insight:

Figure 1: File System Scanning Architecture

3.1 Components

The architecture consists of two main components:

  • File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux): These scanner agents are installed on each server that needs to be scanned. Each agent traverses the local file systems and extracts metadata about the cryptographic material it finds.

  • Fortanix On-premises Scanner: Installed once per organization. It receives metadata from multiple file system scanner agents over HTTPS and forwards the aggregated information to Fortanix Key Insight.

3.2 Workflow

This section outlines the file system scanning workflow:

  • Multiple scanner agents are deployed across Windows or Linux servers. Each scanner agent scans its local file systems and key stores, detects supported key assets, and securely sends the collected metadata to the central Fortanix On-premises Scanner.

    For more information, refer to Section 3.2.1: Scan File System Using Scanner Agents.

    NOTE

    No cryptographic material ever leaves the server. The scanner agent transmits only metadata, such as file paths, cryptographic asset types, algorithms, and key sizes.

  • The Fortanix On-premises Scanner aggregates this information and establishes an outbound connection to the Fortanix Key Insight SaaS for analysis, reporting, and visualization.

    For more information, refer to Section 3.2.2: Transfer Metadata to Fortanix On-premises Scanner.

3.2.1 Scan File System Using Scanner Agents

The File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux) is the primary component responsible for scanning and extracting metadata from file systems.

It is available for the following platforms:

  • Linux: Provided as .deb and .rpm packages.

  • Windows: Provided as an .exe executable.

For detailed information on File System scanning, configuration, and execution, refer to the following:

3.2.2 Transfer Metadata to Fortanix On-premises Scanner

The metadata extracted by the scanner agent is securely transferred to the Fortanix On-premises Scanner, which serves as the integration point with Fortanix Key Insight.

It is available for the following platforms:

  • Linux: Provided as .deb and .rpm packages.

  • Windows: Provided as an .exe executable.

For detailed information on file system scanning using the Fortanix On-premises Scanner, refer to the following:

4.0 Properties

The following are the key properties of the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux):

  • Extracts only metadata and does not access or transfer raw cryptographic material (for example, private keys).

  • Uploads no files: file contents stay strictly within the on-premises environment, and only the extracted metadata is forwarded.

  • Runs as a lightweight process without requiring long-running services or external dependencies (for example, OpenSSL).

  • Supports file system and network throttling to manage CPU, I/O, and network usage without impacting normal system operations.
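The throttling property above is easiest to understand from the mechanism behind it. The following is an added example written for this page, not Fortanix code and not a description of how the scanner agent implements its limits: a token-bucket limiter on bytes read per second, injected into a chunked file reader so that a scan sleeps instead of saturating disk I/O. The rate, chunk size and the fake clock in demo() are all assumptions made for the illustration.

```python
"""Token-bucket I/O throttle for a scanner read loop (added example, not Fortanix code)."""
import os
import tempfile
import time


class ByteThrottle:
    """Caps bytes read per second so a scan yields disk I/O to normal workloads instead of saturating it."""

    def __init__(self, bytes_per_sec, burst=None, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(bytes_per_sec)
        self.capacity = float(bytes_per_sec if burst is None else burst)
        self.tokens = self.capacity                 # start with a full bucket
        self.clock, self.sleep = clock, sleep       # injectable so the pacing can be tested deterministically
        self.last = clock()
        self.total_slept = 0.0

    def acquire(self, nbytes):
        """Consume budget for nbytes, sleeping first if the bucket is short; return seconds slept."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        wait = 0.0
        if nbytes > self.tokens:
            wait = (nbytes - self.tokens) / self.rate  # time for the deficit to refill at the configured rate
            self.sleep(wait)
            self.last += wait                          # the refill we waited for is consumed by this request
            self.tokens = 0.0
        else:
            self.tokens -= nbytes
        self.total_slept += wait
        return wait


def read_throttled(path, throttle, chunk_size=64 * 1024):
    """Yield a file in chunks, charging each chunk to the throttle so the scan never outruns its budget."""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            throttle.acquire(len(chunk))
            yield chunk


def demo():
    """Constructed run: a 192 KiB file read in 64 KiB chunks at 64 KiB/s with a clock that never advances."""
    throttle = ByteThrottle(64 * 1024, clock=lambda: 0.0, sleep=lambda seconds: None)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(bytes(192 * 1024))
    try:
        total = sum(len(c) for c in read_throttled(tmp.name, throttle))
    finally:
        os.unlink(tmp.name)
    return total, throttle.total_slept            # (196608, 2.0): two of the three chunks had to wait 1 s
```

With a real clock the limiter simply sleeps; the injected clock and sleep make the pacing observable, which is how you would unit-test a throttle before trusting it on a production file server.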

5.0 Supported Cryptographic Formats

The File System scanning process supports detection and analysis of the following key and certificate formats:

NOTE

Detection of cryptographic keys, certificates, and related materials is performed through content-based analysis and is independent of file extensions or file naming conventions, as explained in Section 5.1: File-Type Independent Scanning and Data Parsing.

  • SSH Keys

    • RSA private and public keys (OpenSSH, PEM)

    • DSA keys

    • ECDSA private and public keys (PEM)

    • Ed25519 private and public keys

    • PuTTY RSA private key (PPK)

  • TLS/SSL Certificates and Keys

    • Certificate chains (PEM)

    • Root CA, Intermediate CA, and Leaf certificates

    • Certificate Signing Requests (CSR)

    • Certificate Revocation Lists (CRL)

    • RSA private and public keys

    • Elliptic Curve (EC) parameters and keys

    • Diffie–Hellman (DH) parameters

    • JSON Web Keys (JWK)

    • Symmetric keys (encrypted formats)

      NOTE

      Raw symmetric keys, such as AES or HMAC key material stored as headerless binary data, carry no structure that content-based detection can recognize. They may be flagged heuristically based on file size and file naming patterns, but any key identified this way must be verified manually, as these are not fully supported formats.

NOTE

  • Partially supported PKCS cryptographic container formats (detection and limited metadata extraction):

    • PKCS#12 / PFX bundles (encrypted and unencrypted)

    • PKCS#7 signed and enveloped messages

  • Supported PGP cryptographic materials (detection only):

    • PGP public keys

    • PGP private keys

    • PGP messages (encrypted and signed)

    • PGP signatures

For a complete list of the cryptographic formats detected from network logs, refer to Network.

5.1 File-Type Independent Scanning and Data Parsing

To maximize the accuracy of metadata detection, file extensions are not used to determine file type or scanning eligibility.

All files up to 4 GiB in size are scanned regardless of their extension; files larger than 4 GiB are not scanned. The File System Scanner Agent operates directly on binary data to extract metadata wherever possible.

If a file contains multiple PEM blocks, each block is evaluated individually for metadata in the formats that support PEM encapsulation. File names are not considered: as long as a file is readable by the scanner agent, its contents are processed and analyzed for compatible metadata. Files that the agent's account lacks permission to read are therefore not scanned, so the agent must run with read access to the locations you want covered.
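The following is an added example written for this page; it is not the scanner agent's code and does not claim to match its parser. It shows the behaviour described in Section 5.1 and in the note on raw symmetric keys in Section 5.0: files are read as bytes and matched by content, every PEM block in a file is evaluated on its own, the 4 GiB cap is applied, headerless files of AES key length are only flagged for manual verification, and the records that come out contain file path, block type, algorithm and key size but never the key bytes. The small DER decoder recognises PKCS#1 RSA private keys and SubjectPublicKeyInfo blocks (RSA, EC with named curve, Ed25519); other PEM labels are recorded by type only. The sample files in demo() are constructed with placeholder values (a 2048-bit "modulus" and an all-zero Ed25519 key) and are not real keys.

```python
"""Content-based PEM discovery (added example, not Fortanix code): scan by content, every block, metadata only."""
import base64
import re
import tempfile
from pathlib import Path

MAX_FILE_BYTES = 4 * 1024 ** 3        # files larger than 4 GiB are skipped
RAW_SYMMETRIC_SIZES = {16, 24, 32}    # AES-128/192/256 key lengths: heuristic flag only
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
OIDS = {"1.2.840.113549.1.1.1": ("RSA", None), "1.2.840.10045.2.1": ("EC", None),     # (name, bits)
        "1.2.840.10045.3.1.7": ("prime256v1", 256), "1.3.132.0.34": ("secp384r1", 384),
        "1.3.101.112": ("Ed25519", 256)}

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value, pos=0):
    """Yield (tag, value) for each element of a constructed value such as SEQUENCE."""
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                                 # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def describe_block(label, der_bytes):
    """Return (algorithm, key_bits) for block types handled here; (None, None) otherwise."""
    tag, body, _ = der_tlv(der_bytes)
    if tag != 0x30:
        return None, None
    kids = list(der_children(body))
    if label == "RSA PRIVATE KEY":        # PKCS#1 RSAPrivateKey: SEQ { version, n, e, d, ... }
        return "RSA", int.from_bytes(kids[1][1], "big").bit_length()    # sign-pad byte not counted
    if label == "PUBLIC KEY":             # SubjectPublicKeyInfo: SEQ { AlgorithmIdentifier, BIT STRING }
        alg_id = list(der_children(kids[0][1]))
        name, bits = OIDS.get(decode_oid(alg_id[0][1]), ("unknown", None))
        if name == "EC" and len(alg_id) > 1 and alg_id[1][0] == 0x06:   # namedCurve parameter
            curve, bits = OIDS.get(decode_oid(alg_id[1][1]), ("unknown-curve", None))
            name = "EC/" + curve
        return name, bits
    return None, None                     # CERTIFICATE, OPENSSH PRIVATE KEY, ...: type recorded only

def scan_file(path):
    """Scan one file by content, ignoring its name; return metadata records, never key bytes."""
    size = Path(path).stat().st_size
    if size > MAX_FILE_BYTES:
        return [{"path": str(path), "type": "SKIPPED", "reason": "exceeds 4 GiB"}]
    with open(path, "rb") as fh:
        data = fh.read()
    records = []
    for m in PEM_RE.finditer(data):       # each PEM block in the file is evaluated on its own
        label = m.group(1).decode()
        try:
            alg, bits = describe_block(label, base64.b64decode(b"".join(m.group(2).split()), validate=True))
        except (ValueError, IndexError):  # encrypted PEM body or malformed DER: keep the type only
            alg, bits = None, None
        records.append({"path": str(path), "type": label, "algorithm": alg, "key_bits": bits})
    if not records and size in RAW_SYMMETRIC_SIZES:
        # Headerless data of AES key length: possible raw key, flagged for manual verification only.
        records.append({"path": str(path), "type": "POSSIBLE RAW SYMMETRIC KEY", "algorithm": None,
                        "key_bits": size * 8, "verify_manually": True})
    return records

def der(tag, payload):
    """DER TLV encoder, used only to build constructed sample input (placeholder values, not real keys)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(v):
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def pem(label, body):
    b64 = base64.b64encode(body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

def demo():
    """Write sample files with misleading names, scan them, return (type, algorithm, bits) per finding."""
    rsa_2048 = der(0x30, der_int(0) + der_int((1 << 2047) | 1) + der_int(65537) + der_int(1) * 6)
    ed25519 = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + bytes(32)))  # OID 1.3.101.112
    with tempfile.TemporaryDirectory() as d:
        notes = Path(d, "notes.txt")                    # .txt, yet it carries two PEM blocks
        notes.write_text("meeting notes\n" + pem("RSA PRIVATE KEY", rsa_2048) + pem("PUBLIC KEY", ed25519))
        blob = Path(d, "cache.bin")                     # 32 headerless bytes, AES-256 sized
        blob.write_bytes(bytes(range(32)))
        return [(r["type"], r["algorithm"], r["key_bits"]) for p in (notes, blob) for r in scan_file(p)]
```

Running demo() yields one record per PEM block in notes.txt plus the heuristic flag for cache.bin; nothing in the records is derived from the key bytes beyond their length, which is the property Section 3.2 relies on when the metadata is forwarded to the Fortanix On-premises Scanner.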

6.0 File System Scanning Benefits

The File System scanning process helps to:

  • Discover hidden or unmanaged keys across file systems and key stores.

  • Improve key visibility to support compliance, auditing, and governance.

  • Simplify migration and centralization of keys into Hardware Security Modules (HSMs) or Fortanix Data Security Manager (DSM).

  • Enable a unified inventory view to support post-quantum cryptography (PQC) readiness and key lifecycle management.

  • Reduce manual effort in maintaining key repositories.
