---
title: "On-Premises Scanner Integration with HashiCorp Vault"
slug: "fortanix-key-insight-on-premises-scanner-integration-with-hashicorp-vault"
updated: 2026-05-05T13:15:12Z
published: 2026-05-15T09:36:57Z
---

# On-Premises Scanner Integration with HashiCorp Vault

## 1.0 Introduction

This article describes the steps needed to effectively integrate Fortanix Key Insight’s on-premises scanning capabilities with HashiCorp Vault.

HashiCorp Vault provides a centralized system for managing secrets and encrypting keys. By integrating it with Fortanix Key Insight, you can leverage Vault’s secure storage and management capabilities while benefiting from Key Insight’s advanced scanning and monitoring features.

## 2.0 Prerequisites

Before starting the integration, ensure you have:

- **Fortanix Key Insight Account**: Access to Fortanix Key Insight with appropriate permissions.
- **HashiCorp Vault Installation**: An operational instance of HashiCorp Vault, either installed on-premises or managed by HashiCorp.
- **Administrative Privileges**: Access to administrative interfaces for both Fortanix Key Insight and HashiCorp Vault.

## 3.0 Install and Configure Fortanix On-premises Scanner

*For information on how to install and configure Fortanix On-premises Scanner, refer to [On-premises Scanner Configuration](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-configuration-for-scanning).*

## 4.0 Integrate Fortanix On-premises Scanner with HashiCorp Vault

If you utilize HashiCorp Vault for managing credentials, you should use the `vault-agent` to retrieve credentials from the Vault and inject them as environment variables into the `fortanix-scanner`.

In this integration, the `vault-agent` must be configured to execute the `fortanix-scanner`, as outlined in the [*HashiCorp official documentation*](https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent/process-supervisor).

Refer to the following code sample to configure the `vault-agent`:

> [!NOTE]
> You can store sensitive credentials in Vault as Base64-encoded values instead of plain text. When `vault-agent` injects such a credential as an environment variable, the variable carries the encoded value unchanged, so the application must decode it at runtime before use.
> 
> Example: if the secret stored in Vault is Base64-encoded, the injected environment variable contains that encoded value:
> 
> ```hcl
> env_template "DB1_PASSWORD" {
>   contents             = "{{ with secret \"path/to/db1/cred\" }}{{ .Data.password }}{{ end }}"
>   error_on_missing_key = true
> }
> ```
> 
> Here, `.Data.password` holds a Base64-encoded value (for example, `bXlTZWNyZXQxMjM=`), which the application must decode before use.

```hcl
auto_auth {
  method {
  ...
  }
}
template_config {
  static_secret_render_interval = "..."
  exit_on_retry_failure         = true
  max_connections_per_host      = 10
}
vault {
  address = "https://<vault uri>"
}
env_template "ARMOR_API_KEY_1" {
  contents             = "{{ with secret \"path/to/secret1\" }}{{ .Data.data.apikey }}{{ end }}"
  error_on_missing_key = true
}
env_template "ARMOR_API_KEY_2" {
  contents             = "{{ with secret \"path/to/secret2\" }}{{ .Data.data.apikey }}{{ end }}"
  error_on_missing_key = true
}
env_template "DB1_USERNAME" {
  contents             = "{{ with secret \"path/to/db1/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}
env_template "DB1_PASSWORD" {
  contents             = "{{ with secret \"path/to/db1/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "DB2_USERNAME" {
  contents             = "{{ with secret \"path/to/db2/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}
env_template "DB2_PASSWORD" {
  contents             = "{{ with secret \"path/to/db2/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "DB_CLIENT_ID" {
  contents             = "{{ with secret \"path/to/db3/cred\" }}{{ .Data.client_id }}{{ end }}"
  error_on_missing_key = true
}
env_template "DB_CLIENT_SECRET" {
  contents             = "{{ with secret \"path/to/db3/cred\" }}{{ .Data.client_secret }}{{ end }}"
  error_on_missing_key = true
}
env_template "DB_TENANT_ID" {
  contents             = "{{ with secret \"path/to/db3/cred\" }}{{ .Data.tenant_id }}{{ end }}"
  error_on_missing_key = true
}

env_template "REPO1_USERNAME" {
  contents             = "{{ with secret \"path/to/repo1/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}
env_template "REPO1_PASSWORD" {
  contents             = "{{ with secret \"path/to/repo1/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "REPO2_USERNAME" {
  contents             = "{{ with secret \"path/to/repo2/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}
env_template "REPO2_PASSWORD" {
  contents             = "{{ with secret \"path/to/repo2/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "REPO3_USERNAME" {
  contents             = "{{ with secret \"path/to/repo3/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}
env_template "REPO3_PASSWORD" {
  contents             = "{{ with secret \"path/to/repo3/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}

# The inner quotes must be escaped, as in the other templates; otherwise the
# contents string ends at the first unescaped quote and the agent config fails to parse.
env_template "DSM_APP_AUTH_CERT" {
  contents             = "{{ with secret \"pki/issue/dsm-app-role\" \"common_name=<common-name>\" }}{{ .Data.certificate }}{{ end }}"
  error_on_missing_key = true
}

env_template "DSM_APP_AUTH_KEY" {
  contents             = "{{ with secret \"pki/issue/dsm-app-role\" \"common_name=<common-name>\" }}{{ .Data.private_key }}{{ end }}"
  error_on_missing_key = true
}

env_template "PROXY_USER" {
  contents             = "{{ with secret \"path/to/proxy/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}

env_template "PROXY_PASSWORD" {
  contents             = "{{ with secret \"path/to/proxy/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}

exec {
  command                   = ["/path/to/fortanix-scanner", "start", "-c", "/path/to/fortanix-scanner-config.yaml"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
```

- During the integration, the `vault-agent` reads the secrets specified in the `env_template` blocks and injects them as environment variables into the `fortanix-scanner` child process defined in the `exec` block. These environment variables are accessible only to that child process.
- The `vault-agent` will wait until all environment templates are rendered before starting the child process.
- The `vault-agent` will refresh the environment variables whenever it detects an update to the injected secrets. The `fortanix-scanner` should ensure it reads all configured environment variables before initiating a scan to obtain the latest credentials.
- The `vault-agent` will terminate when the `fortanix-scanner` stops running. It is your responsibility to detect this and restart the `vault-agent` if needed.
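The following wrapper script is an added example (not Fortanix or HashiCorp code) that can be named as the `command` in the `exec` block above in place of the scanner binary: it fails fast if any expected `env_template` was not rendered, decodes the Base64-encoded variables described in the note at runtime, and then execs `fortanix-scanner`. The script name, `SCANNER_BIN`, `SCANNER_CONFIG` and the two variable lists are assumptions; adjust them to the templates you actually configure.

```shell
#!/bin/sh
# scanner-wrapper.sh: added example, not Fortanix or HashiCorp code. Point the
# exec block's "command" at this script instead of the scanner binary. It checks
# that every expected env_template was rendered, decodes the Base64-encoded
# variables at runtime (see the NOTE above), then execs fortanix-scanner.
# Because restart_on_secret_changes = "always", vault-agent re-runs this script
# on every secret change, so the decoded values are always current.
# SCANNER_BIN, SCANNER_CONFIG and the variable lists are assumptions.
SCANNER_BIN="${SCANNER_BIN:-/path/to/fortanix-scanner}"
SCANNER_CONFIG="${SCANNER_CONFIG:-/path/to/fortanix-scanner-config.yaml}"
REQUIRED_VARS="ARMOR_API_KEY_1 DB1_USERNAME DB1_PASSWORD REPO1_USERNAME REPO1_PASSWORD"
B64_VARS="DB1_PASSWORD"   # names whose Vault value is stored Base64-encoded

# Return 0 if every name in $1 is set and non-empty; list the rest on stderr.
check_required_env() {
  missing=""
  for name in $1; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  [ -z "$missing" ] && return 0
  echo "unrendered or empty environment variables:$missing" >&2
  return 1
}

# Decode one Base64 string; reject bad alphabet or length first so a corrupted secret fails loudly.
decode_b64() {
  case "$1" in
    ""|*[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  [ $(( ${#1} % 4 )) -eq 0 ] || return 1
  printf '%s' "$1" | base64 -d
}

# Replace each name in $1 with its decoded value in this process's environment.
decode_b64_vars() {
  for name in $1; do
    eval "enc=\${$name:-}"
    dec=$(decode_b64 "$enc") || { echo "$name is not valid Base64" >&2; return 1; }
    export "$name=$dec"
  done
}
run_scanner() {
  check_required_env "$REQUIRED_VARS" || exit 1
  decode_b64_vars "$B64_VARS" || exit 1
  exec "$SCANNER_BIN" start -c "$SCANNER_CONFIG"
}

# Only start the scanner when invoked directly, so the functions can be sourced for testing.
case "$0" in */scanner-wrapper.sh|scanner-wrapper.sh) run_scanner ;; esac
```

Running the script by hand with a few exported test values is a quick way to perform the command-line check in the verification section before handing the exec block to `vault-agent`.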

## 5.0 Verify Fortanix On-premises Scanner Operation

After the integration, perform the following steps to verify the Fortanix On-premises Scanner operation:

1. Ensure the Fortanix On-premises Scanner is configured to fetch and use environment variables before starting a scan.
2. Run a test scan on the command line to verify that the `fortanix-scanner` correctly picks up the environment variables set by the `vault-agent`.
3. Add a Fortanix On-premises Scanner on the Fortanix Key Insight user interface (UI). *For more information, refer to [Getting Started with On-premises Connection](/v1/docs/fortanix-key-insight-getting-started-with-on-premises-connection).*

After the Fortanix On-premises Scanner is added and the resources have been successfully scanned,

- The new on-premises connection will be added to the **ON-PREMISES** tab on the Fortanix Key Insight user interface (UI) **Connections** page.
- You can view the discovery and assessment results in the Fortanix Key Insight dashboard.

*For more information on the Key Insight on-premises connection UI, refer to [User Interface Components](https://support.fortanix.com/docs/on-premises-connection-user-interface-components).*

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
