---
title: "File System"
slug: "fortanix-key-insight-on-premises-file-system"
updated: 2026-04-28T14:59:51Z
published: 2026-05-15T09:36:57Z
---

# File System

## 1.0 Introduction

This article provides an overview of Fortanix Key Insight on-premises **File System** infrastructure, which is used to scan cryptographic materials stored within file systems.

It also describes:

- File system architecture
- Scanning file systems using the File System Scanner Agent (Windows) or the File System and Network Scanner Agent (Linux)
- Supported key and certificate formats
- File system scanning benefits

The File System and Network Scanner Agent also provides the capability to ingest and analyze **network logs** generated by network security monitoring frameworks (for example, Zeek) on Linux systems. This enables passive monitoring of network traffic to detect cryptographic metadata such as TLS versions, cipher suites, certificates, and key exchange parameters.

*For more information on network infrastructure, refer to* [*Network*](https://support.fortanix.com/docs/networks)*.*

## 2.0 Terminology References

*For on-premises connection concepts and supported features, refer to* [*On-premises Connection Concepts*](https://support.fortanix.com/docs/fortanix-key-insight-for-on-premises-concepts)*.*

## 3.0 Architecture

The following diagram illustrates the on-premises file system scanning infrastructure integrated with Fortanix Key Insight:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/FS-Agent.png)

**Figure 1: File System Scanning Architecture**

### 3.1 Components

The architecture consists of two main components:

- **File System Scanner Agent (Windows)** or **File System and Network Scanner Agent (Linux)**: These scanner agents are installed on the servers that need to be scanned. They traverse local file systems and extract metadata about cryptographic materials.
- **Fortanix On-premises Scanner**: Installed once per organization. It receives metadata from multiple file system scanner agents over HTTPS and forwards the aggregated information to Fortanix Key Insight.

### 3.2 Workflow

This section outlines the file system scanning workflow:

- Multiple scanner agents are deployed across Windows or Linux servers. Each scanner agent scans its local file systems and key stores, detects supported key assets, and securely sends the collected metadata to the central Fortanix On-premises Scanner.

*For more information, refer to* [*Section 3.2.1: Scan File System Using Scanner Agents*](/v1/docs/fortanix-key-insight-on-premises-file-system#321-scan-file-system-using-file-system-scanner-agent)*.*

> [!NOTE]
> No cryptographic material ever leaves the server. The scanner agent transmits only metadata, such as file paths, cryptographic asset types, algorithms, and key sizes.

- The Fortanix On-premises Scanner aggregates this information and establishes an outbound connection to the Fortanix Key Insight SaaS for analysis, reporting, and visualization.

*For more information, refer to* [*Section 3.2.2: Transfer Metadata to Fortanix On-premises Scanner*](/v1/docs/fortanix-key-insight-on-premises-file-system#322-transfer-metadata-to-fortanix-onpremises-scanner)*.*

#### 3.2.1 Scan File System Using Scanner Agents

The File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux) is the primary component responsible for scanning and extracting metadata from file systems.

It is available for the following platforms:

- **Linux**: Provided as `.deb` and `.rpm` packages.
- **Windows**: Provided as an `.exe` executable.

*For detailed information on File System scanning, configuration, and execution, refer to the following:*

- **Linux:**
  - File System and Network Installation and Execution - [*File System Scanner Agent Configuration – Linux*](https://support.fortanix.com/docs/file-system-scanner-agent-configuration-linux)
  - File System and Network Configuration File - [*File System and Network Scanner Agent Configuration File*](https://support.fortanix.com/docs/file-system-and network-scanner-agent-configuration-file)
- **Windows:**
  - File System Installation and Execution - [*File System Scanner Agent Configuration - Windows*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-windows)
  - File System and Network Configuration File - [*File System Scanner Agent Configuration File*](https://support.fortanix.com/docs/file-system-scanner-agent-configuration-file)

#### 3.2.2 Transfer Metadata to Fortanix On-premises Scanner

The metadata extracted by the scanner agent is securely transferred to the **Fortanix On-premises Scanner**, which serves as the integration point with Fortanix Key Insight.

It is available for the following platforms:

- **Linux**: Provided as `.deb` and `.rpm` packages.
- **Windows**: Provided as an `.exe` executable.

*For detailed information on file system scanning using the Fortanix On-premises Scanner, refer to the following:*

- [*On-premises Scanner Configuration - Linux*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-linux)
- [*On-premises Scanner Configuration - Windows*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-windows)
- [*On-premises Scanner Configuration File*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-file)

## 4.0 Properties

The following are the key properties of the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux):

- Extracts only metadata and does not access or transfer raw cryptographic material (for example, private keys).
- Ensures no files are uploaded, keeping all data strictly within the on-premises environment.
- Runs as a lightweight process without requiring long-running services or external dependencies (for example, OpenSSL).
- Supports file system and network throttling to manage CPU, I/O, and network usage without impacting normal system operations.

## 5.0 Supported Cryptographic Formats

The File System scanning process supports detection and analysis of the following key and certificate formats:

> [!NOTE]
> Detection of cryptographic keys, certificates, and related materials is performed through content-based analysis and is **independent of file extensions** or **file naming conventions**, as explained in [*Section 5.1: File-Type Independent Scanning and Data Parsing*](/v1/docs/fortanix-key-insight-on-premises-file-system#51-filetype-independent-scanning-and-data-parsing)*.*

- **SSH Keys**
  - RSA private and public keys (OpenSSH, PEM)
  - DSA keys
  - ECDSA private and public keys (PEM)
  - Ed25519 private and public keys
  - PuTTY RSA private key (PPK)
- **TLS/SSL Certificates and Keys**
  - Certificate chains (PEM)
  - Root CA, Intermediate CA, and Leaf certificates
  - Certificate Signing Requests (CSR)
  - Certificate Revocation Lists (CRL)
  - RSA private and public keys
  - Elliptic Curve (EC) parameters and keys
  - Diffie–Hellman (DH) parameters
  - JSON Web Keys (JWK)
  - Symmetric keys (encrypted formats)

> [!NOTE]
> Raw symmetric keys in AES or HMAC format (binary data without headers) may be detected based on file size and file naming patterns. However, any keys identified through this method should be manually verified, as these are not fully supported formats.

> [!NOTE]
> - Partially supported PKCS cryptographic container formats (detection and limited metadata extraction):
>   - PKCS#12 / PFX bundles (encrypted and unencrypted)
>   - PKCS#7 signed and enveloped messages
> - Supported PGP cryptographic materials (detection only):
>   - PGP public keys
>   - PGP private keys
>   - PGP messages (encrypted and signed)
>   - PGP signatures

*For a complete list of supported network cryptographic formats, refer to the* [*Network*](/v1/docs/networks#50-supported-key-and-certificate-formats) *infrastructure.*

### 5.1 File-Type Independent Scanning and Data Parsing

To maximize the accuracy of metadata detection, file extensions are **not** used to determine file type or scanning eligibility.

All files up to **4 GiB** in size are scanned, regardless of their extension. The File System Scanner Agent operates directly on binary data to extract metadata wherever possible.

If a file contains multiple **PEM** blocks, each block is evaluated individually for metadata in formats that support PEM encapsulation. File names are not considered: as long as a file is readable, its contents are processed and analyzed for compatible metadata.
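
The following is an added illustration of the behaviour described in this section, not Fortanix code and not the agent's implementation. It narrows the idea to PEM labels only: every readable file up to 4 GiB is searched by content, each PEM block yields its own record, and only metadata is returned. The names `scan_file`, `PEM_BLOCK`, `SAMPLE`, and `demo` are hypothetical.

```python
import mmap
import os
import re
import tempfile

MAX_SIZE = 4 * 1024**3  # files above 4 GiB are skipped (Section 5.1)

# One PEM block: BEGIN label, body, matching END label. Only the label is kept.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

# Constructed sample: two PEM blocks with placeholder bodies, not real keys.
SAMPLE = (
    b"deploy notes\n"
    b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    b"-----BEGIN EC PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
    b"-----END EC PRIVATE KEY-----\n"
)

def scan_file(path):
    """Return one metadata record per PEM block; the file name is never checked."""
    try:
        size = os.path.getsize(path)
        if size == 0 or size > MAX_SIZE:
            return []
        with open(path, "rb") as fh, \
                mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as buf:
            # Records carry path, offset and type label only, never block bodies.
            return [
                {"path": path, "offset": m.start(),
                 "asset_type": m.group(1).decode("ascii")}
                for m in PEM_BLOCK.finditer(buf)
            ]
    except (OSError, ValueError):
        return []  # unreadable files are skipped, not fatal

def demo():
    """Write the constructed sample under a non-key file name and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.txt")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        return scan_file(path)

if __name__ == "__main__":
    for record in demo():
        print(record)
```

Extracting algorithms and key sizes, which the agent also reports, would require decoding each block's contents and is outside this sketch.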

## 6.0 File System Scanning Benefits

The File System scanning process helps to:

- Discover hidden or unmanaged keys across file systems and key stores.
- Improve key visibility to support compliance, auditing, and governance.
- Simplify migration and centralization of keys into Hardware Security Modules (HSMs) or Fortanix Data Security Manager (DSM).
- Enable a unified inventory view to support post-quantum cryptography (PQC) readiness and key lifecycle management.
- Reduce manual effort in maintaining key repositories.

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.

The Fortanix On-premises Scanner is a configuration component installed within an organization’s local infrastructure. It is designed to scan, analyze, and manage sensitive cryptographic data using Fortanix Key Insight. The scanner identifies keys, certificates, and compliance information within on-premises systems. It supports both Linux and Windows platforms, allowing for flexible and secure deployment and visibility across different environments.
