1.0 Introduction
This article describes the Fortanix Key Insight user interface (UI) features for an on-premises file system infrastructure.
2.0 Terminology Reference
For Fortanix Key Insight – On-premises concepts and supported features, refer to On-premises Connection Concepts.
3.0 Overview
You can access the Overview page after successfully adding an on-premises connection.
The FILE SYSTEMS tab on the Overview page displays the scanned keys, certificates, resources, and cryptographic assets according to the applied Fortanix Key Insight policy.
For more information on the Fortanix Key Insight policy, refer to Cryptographic Policy Management.
NOTE
If the Overview page for file systems does not display any data, configure the on-premises scanner. For more information, refer to On-premises Scanner Configuration.
In the file systems UI, the order of tabs depends on the availability of resources in each tab (DATABASES, SOURCE CODE, CONTAINERS, and FILE SYSTEMS). You will always see results in the first tab that has scanned data available. If no data is present at connection level, the default order is FILE SYSTEMS > DATABASES > SOURCE CODE > CONTAINERS.
If your Fortanix Armor account is deactivated and you are accessing the Fortanix Key Insight On-premises connection for file systems, you will not be able to view data under the Overview, Assessments, Keys, Resources, Certificates, Cryptographic Assets, or PQC Central pages. You will only have access to view and delete items within the Connections, Policy Center, and Authentication pages.

Figure 1: On-Premises connection file systems overview
Click RESCAN to rescan the on-premises connection. For more information, refer to Section 5.0: Rescan an On-premises Connection.
Click ASSESSMENT REPORT to navigate to the Assessment page and view the assessment report. This report allows you to assess your key security posture to ensure the safety of your data. For more information, refer to Section 4.0: Assessments.
The Overview page is described in the following sections:
3.1 Discovered On-premises Resources
This section provides the count of scanned on-premises infrastructures, including databases, file systems, source code repositories, and container images.
It also displays the count of the following in the scanned on-premises infrastructures:
Cryptographic assets
Keys
Certificates
Resources
NOTE
The total number of keys displayed in the Discovered On-premises Resources section is only the count of the “Current” key versions in the on-premises infrastructures.
Clicking the Cryptographic Assets, Keys, Certificates, and Resources labels navigates you to their list view.
3.2 Cryptography Bill of Materials (CBOM)
This section describes how to export cryptographic asset metadata from an on-premises infrastructure into a standardized CBOM JSON file. The exported CBOM format is useful for maintaining a cryptographic inventory, demonstrating regulatory compliance, and evaluating post-quantum cryptography (PQC) readiness.
To export the CBOM data, click EXPORT. The file named bom_report_<on-premises_scan_id>.json will be downloaded to your local machine, where on-premises_scan_id is a unique identifier generated for each on-premises connection scan.
For example,
The exported file adheres to the CycloneDX specification, including the following components:
bomFormat: Specifies the bill of materials format. For CBOM, this value is set to CycloneDX.
specVersion: Indicates the version of the CycloneDX specification being used.
version: Denotes the version of this specific CBOM file.
components: Lists cryptographic components such as on-premises keys. Each entry includes details such as type, name, algorithm, associated services, and other relevant information.
services: Describes the on-premises resources that interact with the listed cryptographic components. Each service includes details such as its name and unique ID.
dependencies: Defines the relationships between keys and resources, representing how cryptographic elements are interconnected or used together.
NOTE
If your on-premises connection was last scanned before the Fortanix Key Insight 25.07 release and has not been rescanned since, you must perform a Rescan to ensure the correct export of CBOM data.
For more information on how to perform a rescan, refer to Section 5.0: Rescan an On-premises Connection.
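The following is an added example, not Fortanix code, showing how an exported CBOM can be checked and turned into a per-resource key inventory. It assumes each entry carries the standard CycloneDX `bom-ref`, `ref`, and `dependsOn` fields; the sample document and all names in it are constructed.

```python
import json

# Constructed sample with the top-level fields listed above; every name and
# reference is made up. "bom-ref", "ref" and "dependsOn" are standard CycloneDX
# fields and are assumed here to be what the export uses.
SAMPLE_CBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"bom-ref": "key-1", "type": "cryptographic-asset", "name": "backup-signing-key"},
    {"bom-ref": "key-2", "type": "cryptographic-asset", "name": "tls-server-key"},
    {"bom-ref": "key-3", "type": "cryptographic-asset", "name": "orphan-key"}
  ],
  "services": [
    {"bom-ref": "host-a", "name": "fileserver-01"},
    {"bom-ref": "host-b", "name": "fileserver-02"}
  ],
  "dependencies": [
    {"ref": "host-a", "dependsOn": ["key-1", "key-2"]},
    {"ref": "key-2", "dependsOn": ["host-b"]},
    {"ref": "key-9", "dependsOn": ["host-a"]}
  ]
}
""")

REQUIRED = ("bomFormat", "specVersion", "version", "components", "services", "dependencies")

def check_cbom(bom):
    """Return structural problems; an empty list means the file is usable."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in bom]
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"unexpected bomFormat: {bom.get('bomFormat')!r}")
    known = {e.get("bom-ref") for e in bom.get("components", []) + bom.get("services", [])}
    for dep in bom.get("dependencies", []):
        for ref in [dep.get("ref")] + dep.get("dependsOn", []):
            if ref not in known:
                problems.append(f"dangling reference: {ref}")
    return problems

def _links(bom):
    """Set of (service ref, component ref) pairs; a link may be recorded from either side."""
    comp = {c["bom-ref"] for c in bom.get("components", [])}
    svc = {s["bom-ref"] for s in bom.get("services", [])}
    pairs = set()
    for dep in bom.get("dependencies", []):
        ref, targets = dep.get("ref"), dep.get("dependsOn", [])
        if ref in svc:
            pairs.update((ref, t) for t in targets if t in comp)
        elif ref in comp:
            pairs.update((t, ref) for t in targets if t in svc)
    return pairs

def keys_by_resource(bom):
    """Map each service (resource) name to the sorted names of its linked components."""
    comp = {c["bom-ref"]: c["name"] for c in bom.get("components", [])}
    usage = {s["bom-ref"]: [] for s in bom.get("services", [])}
    for s, c in _links(bom):
        usage[s].append(comp[c])
    return {s["name"]: sorted(usage[s["bom-ref"]]) for s in bom.get("services", [])}

def unlinked_components(bom):
    """Names of components that no dependency entry ties to a resource."""
    linked = {c for _, c in _links(bom)}
    return sorted(c["name"] for c in bom.get("components", []) if c["bom-ref"] not in linked)

if __name__ == "__main__":
    print(check_cbom(SAMPLE_CBOM))
    print(keys_by_resource(SAMPLE_CBOM))
    print(unlinked_components(SAMPLE_CBOM))
```

To run it against a real export, replace `SAMPLE_CBOM` with the result of `json.load()` on the downloaded file.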
3.3 Discovered Cryptographic Assets and Operating Systems
This section provides a summary of the scanned file system assets, including keys, certificates, cryptographic assets, and operating systems, along with their counts.
Click each category to view the detailed list of the corresponding assets.
3.4 Keys by Spec
This section displays the total number of keys discovered in on-premises file systems, along with a breakdown by individual key specifications.
Click on each key type to view the detailed list of corresponding keys.
3.5 Certificates by Status
This section displays the count of certificates tagged with different statuses:
Issued: Certificates that have been issued and are currently valid.
Pending validation: Certificate signing requests that are waiting for approval.
Revoked: Certificates that have been explicitly revoked and are no longer trusted.
Failed: Certificates with invalid or inconsistent validity dates.
Inactive: Certificates that are not yet valid because their start date is in the future.
Expired: Certificates that have passed their expiry date and are no longer valid.
Click on each count to view the detailed list of corresponding certificates.
3.6 Certificates by Key Spec
This section displays the total number of certificates discovered in on-premises file systems, grouped by key specification (key type).
Click each key type to access the details list of certificates.
3.7 Top Operating Systems by Assets
This section displays the top 5 operating systems with the total number of keys, certificates, and cryptographic assets discovered in each.
Cells highlighted in Pink indicate discovered keys.
Cells highlighted in Green indicate discovered certificates.
Cells highlighted in Blue indicate discovered cryptographic assets.
Click VIEW ALL to see the complete list of operating systems.
Click each count to view the detailed list of corresponding assets.
4.0 Assessments
You can access the Fortanix Key Insight Assessment page for file systems after the scan is performed and assets have been added.
The Assessment page shows:
How good or bad the key security posture is for the Fortanix On-premises Scanner.
Violations that must be remediated to improve the security status.
Remediation advice to improve the security status.
Figure 2: On-premises file systems assessment report
4.1 Risk Score
This section provides the overall risk score of the on-premises assets for file systems.
High – A high score signifies the total number of non-compliant keys, file systems with non-compliant resources, non-compliant certificates (signature violation), and so on.
Critical – A critical risk score indicates the total number of expired certificates, overly permissive secret key files, and non-compliant keys (algorithm violation) that need attention.
Medium – A medium risk score indicates the certificates and keys with expiry more than two years.
The overall risk score is prioritized based on the number of risks, in order of severity from highest to lowest:
Critical
High
Medium
Good
Click each risk label or risk count to access its corresponding list view.
4.2 Resource Violations
This section provides insights into resource violations across your on-premises file system infrastructure.
You can view the total number of resource violations along with the breakdown of the total number of violations discovered across individual operating systems. This data helps identify which resources are at risk, enabling you to implement unique, compliant, and encrypted cryptographic assets for enhanced security.
Additionally,
You can view risk levels for each operating system resource, which are color-coded for easy identification.
Select VIEW ALL to navigate to the Resources page and explore individual violations for each operating system.
Click any operating system to view a detailed list of the top 10 violations associated with it, sorted by severity. Click each violation type to navigate to the corresponding list view.
Click BACK to return to the resource violations card view.
4.3 Top Security Issues
This section provides the following information:
Non-compliant keys: Displays the total number of keys that do not meet the established industry standards and compliance frameworks. It highlights keys that do not adhere to the required security practices and guidelines set forth by regulatory bodies and industry best practices. By identifying these non-compliant keys, this section helps identify the areas where key management practices need improvement to ensure that they align with the necessary security and compliance requirements.
Any key that utilizes the following algorithm and key size combinations is considered Non-Compliant in Fortanix Key Insight, according to the National Institute of Standards and Technology (NIST) 800-57 standard:
AES: Any key size less than 128 bits.
3DES: Keys with sizes 112 bits and 168 bits.
DES: Keys with size 56 bits.
RSA: Keys with a size less than 2048 bits.
DSA: Keys with a size less than 2048 bits.
ECC: Keys with a size less than 224 bits.
HMAC: Keys with a size less than 112 bits.
The non-compliant keys increase the data security risk. They will be flagged as vulnerabilities on the Keys page.
Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.
Overly permissive certificates [Key usage]: Displays the total number of certificates (stored in the file system) that have excessive extended key usage (EKU) permissions. Certificates with overly permissive EKU settings can lead to policy violations and security risks and are assigned a High Risk score.
EKUs define the roles a certificate can be used for, such as:
TLS Web Server Authentication
TLS Web Client Authentication
Code Signing
Email Protection
Timestamping
OCSP Signing
IPSec End System
IPSec Tunnel
IPSec User
Certificates are flagged as violations if they include multiple EKUs beyond acceptable combinations, with three exceptions:
A single EKU.
A combination of Web Server Authentication and Web Client Authentication.
An empty or undefined EKU (interpreted as “any usage”).
Any other combination is considered overly permissive and potentially vulnerable.
NOTE
Fortanix Key Insight recommends regularly reviewing and revalidating key and certificate policies to ensure that extended key usages are restricted to the minimum required for each certificate.
PQC readiness: Indicates the percentage of your cryptographic assets that are currently quantum-safe, reflecting your on-premises environment's preparedness for post-quantum cryptography (PQC). This percentage represents the portion of assets using PQC-compliant algorithms or configurations.
Click non-compliant keys and overly permissive certificates (key usage) to access their corresponding list view.
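The key-size list and the EKU exceptions described above can be expressed as a small rule set. This is an added example, not Fortanix code; the inventory records and their field names are constructed, and EKUs may be given as the names listed above or as their standard id-kp OIDs.

```python
# Non-compliant (algorithm, key size in bits) combinations, copied from the list above.
NON_COMPLIANT = {
    "AES": lambda bits: bits < 128,
    "3DES": lambda bits: bits in (112, 168),
    "DES": lambda bits: bits == 56,
    "RSA": lambda bits: bits < 2048,
    "DSA": lambda bits: bits < 2048,
    "ECC": lambda bits: bits < 224,
    "HMAC": lambda bits: bits < 112,
}

# Standard id-kp OIDs for the EKUs listed above, so names and OIDs compare equal.
EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Email Protection",
    "1.3.6.1.5.5.7.3.5": "IPSec End System",
    "1.3.6.1.5.5.7.3.6": "IPSec Tunnel",
    "1.3.6.1.5.5.7.3.7": "IPSec User",
    "1.3.6.1.5.5.7.3.8": "Timestamping",
    "1.3.6.1.5.5.7.3.9": "OCSP Signing",
}
TLS_PAIR = {"TLS Web Server Authentication", "TLS Web Client Authentication"}

def key_non_compliant(algorithm, bits):
    """True or False per the list; None when the algorithm is not in the list."""
    rule = NON_COMPLIANT.get(algorithm.upper())
    return None if rule is None else rule(bits)

def normalize_ekus(ekus):
    """Collapse names and OIDs into one set; None or [] means no EKU is defined."""
    return {EKU_OIDS.get(e.strip(), e.strip()) for e in (ekus or []) if e.strip()}

def eku_overly_permissive(ekus):
    """Apply the three exceptions: empty EKU, a single EKU, or server + client auth."""
    usages = normalize_ekus(ekus)
    if len(usages) <= 1:
        return False
    return usages != TLS_PAIR

def assess(inventory):
    """Return (name, finding) tuples for every record that breaks a rule."""
    findings = []
    for item in inventory:
        if item["kind"] == "key":
            verdict = key_non_compliant(item["algorithm"], item["bits"])
            if verdict is None:
                findings.append((item["name"], "algorithm not in the list"))
            elif verdict:
                findings.append((item["name"], "non-compliant key"))
        elif item["kind"] == "certificate" and eku_overly_permissive(item.get("eku")):
            findings.append((item["name"], "overly permissive EKU"))
    return findings

# Constructed inventory; the record layout is hypothetical.
INVENTORY = [
    {"kind": "key", "name": "legacy.key", "algorithm": "RSA", "bits": 1024},
    {"kind": "key", "name": "web.key", "algorithm": "RSA", "bits": 2048},
    {"kind": "key", "name": "archive.key", "algorithm": "3DES", "bits": 168},
    {"kind": "key", "name": "stream.key", "algorithm": "ChaCha20", "bits": 256},
    {"kind": "certificate", "name": "mtls.pem",
     "eku": ["1.3.6.1.5.5.7.3.1", "TLS Web Client Authentication"]},
    {"kind": "certificate", "name": "build.pem",
     "eku": ["TLS Web Server Authentication", "Code Signing"]},
    {"kind": "certificate", "name": "any.pem", "eku": None},
]

if __name__ == "__main__":
    for name, finding in assess(INVENTORY):
        print(f"{name}: {finding}")
```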
4.4 Certificate Expiry by Issuers
This section provides insights into monitoring and managing the expiration status of certificates in the file system, if any.
It gives visibility into certificate lifecycle risks and helps ensure continuous compliance and availability across the file system infrastructure.
This section contains two sub-sections:
4.4.1 About to Expire in 30 Days
This section displays the top 10 certificates scheduled to expire within the next 30 days, grouped by certificate issuer, if any.
Each issuer is represented using a distinct color for easy identification.
Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.
Click VIEW ALL to view the list of all certificates in the category.
4.4.2 Expired Certificates
This section displays the top 10 certificates that have already expired, grouped by certificate issuer, if any.
Each issuer is represented using a distinct color for easy identification. This data helps to identify misconfigurations, overlooked assets, or potential security risks from expired certificates.
Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.
Click VIEW ALL to view the list of all certificates in the category.
4.5 Certificate by Violation Type
This section displays the total count of non-compliant certificates categorized by specific violation types (for example, expired certificates), helping you take targeted action to address security or policy gaps.
Click the count for a specific violation type or the overall total to navigate to a filtered list view of the affected certificates.
4.6 Download Assessment Report
Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the on-premises infrastructures, such as databases, source code, containers, and file systems, in PDF format. The report will open in the Print dialog box, where you can select to print it or save it locally to your machine as needed.
5.0 Rescan an On-premises Connection
Click RESCAN on the top-right corner of the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the Fortanix On-premises Scanner.
If you click RESCAN and start the scan, you can monitor its progress in the progress bar. After the scan is completed successfully,
The Last scanned label will be updated with the date and time of completion.
The Overview page will reflect the new state of the on-premises keys and resources.
NOTE
The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.
The RESCAN option is available only when the on-premises connection status is Connected.
You can also click RESCAN on the top-right corner of the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the new state of the on-premises resources.
6.0 Keys
After the on-premises connection is onboarded, click Keys on the Fortanix Key Insight left navigation panel to access the Keys page, where you can view all the scanned keys.

Figure 3: Access keys list
For every on-premises file system, the table displays the key ID, key name, infrastructure (File systems or Databases), key source, violations, key category, host, DB Type, key spec, key creation date, rotation date, expiration date, owners, usage description, and key status.
Click the VIOLATIONS count or icon to access the associated violations.
Click the icon in the top-right corner of the table to customize which columns are displayed, beyond the default six.
Click EXPORT to export the scanned keys data. For more information, refer to Section 10.0: Scanned Data Export.
Use the Search field to filter keys based on the available criteria and supported values:
For example,
Key Identifier
Hostname
Infrastructure: Databases, File systems
6.1 Add Key Details in File Systems List View
You can assign owners to the scanned keys to enhance key management, simplify tracking, and improve remediation workflows.
Perform the following steps to add the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click ADD DETAILS in the top-right corner of the table.
NOTE
If your on-premises connection was last scanned before the Fortanix Key Insight 25.03 release and a new scan was not performed, clicking ADD DETAILS will display a Rescan Required to Add Details dialog box. To ensure your key details are correctly added, rescan the on-premises connection and then add the key details. For more information on how to perform a rescan, refer to Section 5.0: Rescan an On-Premises Connection.
In the Add Details dialog box, enter the following details:
Primary owner: Enter the primary owner’s name or employee ID.
Email ID: Enter the primary owner’s valid email address.
Click ADD SECONDARY OWNER to add the secondary owner details, if required.
Description (Optional): Enter an optional description.
Click ADD to add the ownership details to the selected key(s).
NOTE
To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.
Only users with Account Administrator permissions can add or edit key details.
On the Keys page, the primary and secondary owners’ names or employee IDs and email addresses appear in the OWNERS column, and the description will appear in the USAGE DESCRIPTION column.
6.2 Edit Key Details in File Systems List View
You can modify the details of the selected key(s).
Perform the following steps to edit the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click EDIT DETAILS in the top-right corner.
In the Edit Details dialog box, update the required values.
Click UPDATE to apply the changes.
6.3 View Key Details in File Systems List View
Perform the following steps to view key details:
Filter the keys by file system infrastructure:
Use Infrastructure = File system to display keys scanned from a file system.
In the list, click any key ID to view its properties and associated violations.
The KEY DETAILS tab displays the key’s properties and ownership information (if provided).
If required, click EDIT DETAILS on the Ownership section to update the ownership details for the selected key.

Figure 4: Access key details view
NOTE
The Key Correlation section is visible only if an external key source (Fortanix DSM SaaS or On-premises) has been configured for the Fortanix Key Insight on-premises connection. You can filter the correlated keys using the Key Source = Fortanix or Key Correlation = Correlated attributes.
For a selected correlated key in the list, this section displays details such as the key source, key source type, last correlated date, and source key ID. Click the Key ID to navigate to Fortanix DSM SaaS and view the key details.
The VIOLATIONS tab displays the violations associated with the key.

Figure 5: View key violations
7.0 Resources
After onboarding an on-premises connection with file system resources, you can navigate to the FILE SYSTEMS tab under Resources on the Fortanix Key Insight left navigation panel to view all scanned resources.

Figure 6: Access file system resources
For every resource, you can see the operating system name, hostname, Violations, and last seen details.
Click the violations count or icon to view the associated violations.
Use the Search field to filter resources based on the available criteria and supported values:
For example,
Operating System Name
Violation Type
Host Name
Click EXPORT to export the scanned resources data. For more information, refer to Section 10.0: Scanned Data Export.
7.1 View File Systems Resource Details
Click an operating system name in the resources list to view its properties and associated violations.
The RESOURCE DETAILS tab displays the resource configurations, discovered assets, and the list of agent IP addresses.
Click VIEW or the asset count to navigate to the assets list page with the appropriate filter applied.

Figure 7: Access file system resource details
The VIOLATIONS tab displays the violations associated with the file system assets.

Figure 8: Access file system resource violations
8.0 Cryptographic Assets
After onboarding an on-premises connection with file system resources, you can navigate to the FILE SYSTEMS tab under Cryptographic Assets on the Fortanix Key Insight left navigation panel to view all scanned cryptographic assets.

Figure 9: Access the cryptographic assets list
For every on-premises file system, the table displays the file name, host name, asset type, file last updated date, violations, and file paths.
Click the violations count or icon to view the associated violations.
Click EXPORT to export the scanned cryptographic assets data. For more information, refer to Section 10.0: Scanned Data Export.
Use the Search field to filter the cryptographic assets based on the available criteria and supported values:
For example,
File name/path
Host Name
8.1 View Cryptographic Assets Details in File Systems List View
Click any file name of the cryptographic asset in the list to view its properties and associated violations.
The CRYPTOGRAPHIC ASSET DETAILS tab displays the cryptographic asset properties based on the following asset types:
Certificate Revocation List (CRL)
Certificate Signing Request (CSR)
Any other type

Figure 10: Access cryptographic assets details view
The VIOLATIONS tab displays the violations associated with the cryptographic asset.

Figure 11: View cryptographic assets violations
9.0 Certificates
After onboarding an on-premises connection with file system resources, navigate to Certificates on the Fortanix Key Insight left navigation panel to view all the scanned certificates.

Figure 12: Access certificates list
For every on-premises file system, it shows the file name, infrastructure, status, violation, issuer, and key spec.
Click the violations count or icon to view the associated violations.
Click EXPORT to export the scanned certificates data. For more information, refer to Section 10.0: Scanned Data Export.
Use the Search field to filter certificates based on the available criteria and supported values:
For example,
File name/path
Key Spec
Issuer
9.1 View Certificate Details in File Systems List View
Click any file name in the file systems list to view its properties and associated violations.
The CERTIFICATE DETAILS tab displays the certificate properties and agent details:

Figure 13: View the certificate details
The VIOLATIONS tab displays the violations associated with the certificates.

Figure 14: View the certificate violations
10.0 Scanned Data Export
This feature allows you to export the scanned assets from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.
In the on-premises file systems Keys, Resources, Certificates, and Cryptographic Assets list view, click EXPORT to export the scanned data using any of the available options:

Figure 15: Access data export feature
Export current page: Use this option to export all column data from the current page in CSV format.
NOTE
You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop-down.
Export all raw data: Use this option to export all scanned data in CSV format. Review the details in the Export All Raw Data dialog box and click PROCEED to start the export.
After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more information, refer to Section 10.1: View Export Activities.
Export selected rows: This option is disabled by default. You can select the checkbox next to the required rows on the current page and then use this option to export only those rows in CSV format.
NOTE
Only users with the Account Administrator and Group Administrator roles can perform the scanned data export.
Within the same account, you can have multiple exports running simultaneously from different cloud and on-premises connections.
10.1 View Export Activities
After you initiate the export process using Export All Raw Data, you can track the export status in the Activities tab located in the left navigation panel of Fortanix Key Insight.
You can view the following details for each export:
Name of the activity.
Name of the file. For example, Filesystems_Resources.csv.
Activity status: This indicates the current state of the data export. This can be:
Completed: The data export has been completed, and the CSV file will automatically download to the location specified on your local machine.
In Progress: The data export is in progress, and you can cancel it, if required.
Cancelled: The data export was cancelled, either manually or due to switching accounts while the export was in progress.
Failed: The data export did not complete successfully due to errors.
Name of the connection
Export creation date and time
Figure 16: Access file systems activities
NOTE
If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.
If you navigate to a different solution (for example, Fortanix Identity and Access Management (IAM)), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using a toast message.
If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. To avoid this, do not refresh the page during the export.