User Interface Components - File System

1.0 Introduction

This article describes the Fortanix Key Insight user interface (UI) features for an on-premises file system infrastructure.

2.0 Terminology References

For Fortanix Key Insight – On-premises concepts and supported features, refer to On-premises Connection Concepts.

3.0 Overview

You can access the Overview page after successfully adding an on-premises connection.

The FILE SYSTEMS tab in the Overview page summarizes the on-premises keys, certificates, resources, and cryptographic assets based on the applied Fortanix Key Insight policy.

For more information about Fortanix Key Insight policy, refer to Getting Started with On-premises Connection.

NOTE

  • If the Overview page for file systems does not display any data, configure the on-premises scanner. For more information, refer to On-premises Connection Scanning Configuration.

  • Click the numerical value on the Overview page to view the list of corresponding on-premises assets (keys, certificates, operating systems, cryptographic assets), where applicable.

Figure 1: On-Premises connection file systems overview

  • Click RESCAN to rescan the on-premises connection. For more information, refer to Section 5.0: Rescan an On-premises Connection.

  • Click ASSESSMENT REPORT to navigate to the Assessment page and view the assessment report. This report allows you to assess your key security posture to ensure the safety of your data. For more information, refer to Section 4.0: Assessments.

The Overview page is described in the following sections:

3.1 Discovered On-premises Resources

This section provides the count of scanned on-premises infrastructures, including databases, file systems, and source code repositories.

It also displays the count of the following in the scanned on-premises infrastructures:

  • Cryptographic assets

  • Keys

  • Certificates

  • Resources

NOTE

The total number of keys displayed in the Discovered On-premises Resources section is only the count of the “Current” key versions in the on-premises infrastructures.

Clicking the Cryptographic Assets, Keys, Certificates, and Resources labels navigates you to their list view.

3.2 Cryptography Bill of Materials (CBOM)

This section describes how to export cryptographic asset metadata from an on-premises infrastructure into a standardized CBOM JSON file. The exported CBOM format is useful for maintaining a cryptographic inventory, demonstrating regulatory compliance, and evaluating post-quantum cryptography (PQC) readiness.

To export the CBOM data, click EXPORT. The file named bom_report_<on-premises_scan_id>.json will be downloaded to your local machine, where on-premises_scan_id is a unique identifier generated for each on-premises connection scan.

For example,

bom_report_e174504c-92d2-11f0-966a-7376cbf4905b

The exported file adheres to the CycloneDX specification, including the following components:

  • bomFormat: Specifies the bill of materials format. For CBOM, this value is set to CycloneDX.

  • specVersion: Indicates the version of the CycloneDX specification being used.

  • version: Denotes the version of this specific CBOM file.

  • components: Lists cryptographic components such as on-premises keys. Each entry includes details such as type, name, algorithm, associated services, and other relevant information.

  • services: Describes the on-premises resources that interact with the listed cryptographic components. Each service includes details such as its name and unique ID.

  • dependencies: Defines the relationships between keys and resources, representing how cryptographic elements are interconnected or used together.

NOTE

If your on-premises connection was last scanned before the Fortanix Key Insight 25.07 release and has not been rescanned since, you must perform a Rescan to ensure the correct export of CBOM data.

For more information on how to perform a rescan, refer to Section 5.0: Rescan an On-premises Connection.
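An exported CBOM can be checked offline before it is fed into an inventory or audit pipeline. The following is an added example, not Fortanix code: it verifies the top-level fields listed above and joins dependencies to components and services to show which resource is linked to which key. The sample document is constructed, and the fields an actual export populates inside each entry may differ; `bom-ref`, `ref`, and `dependsOn` are standard CycloneDX field names, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Top-level fields the exported CBOM is described as carrying.
REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "version",
                      "components", "services", "dependencies")

# Constructed sample, not a real export. "bom-ref", "ref" and "dependsOn" are
# CycloneDX field names; the names, hosts and specVersion value are made up.
SAMPLE_CBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {"type": "cryptographic-asset", "bom-ref": "key-1", "name": "server.key"},
    {"type": "cryptographic-asset", "bom-ref": "key-2", "name": "backup.key"},
    {"type": "cryptographic-asset", "bom-ref": "key-3", "name": "old_id_rsa"}
  ],
  "services": [
    {"bom-ref": "svc-1", "name": "host-a.example.internal"},
    {"bom-ref": "svc-2", "name": "host-b.example.internal"}
  ],
  "dependencies": [
    {"ref": "svc-1", "dependsOn": ["key-1", "key-2"]},
    {"ref": "key-1", "dependsOn": ["svc-2"]},
    {"ref": "svc-2", "dependsOn": ["key-9"]}
  ]
}
""")


def check_structure(bom):
    """Return a list of top-level layout problems (empty when none)."""
    problems = [f"missing field: {k}" for k in REQUIRED_TOP_LEVEL if k not in bom]
    if "bomFormat" in bom and bom["bomFormat"] != "CycloneDX":
        problems.append(f"unexpected bomFormat: {bom['bomFormat']!r}")
    for k in ("components", "services", "dependencies"):
        if k in bom and not isinstance(bom[k], list):
            problems.append(f"{k} is not a list")
    return problems


def _by_ref(bom, section):
    """Index the entries of one section by their bom-ref."""
    return {e["bom-ref"]: e for e in bom.get(section, []) if "bom-ref" in e}


def usage_map(bom):
    """Map each component name to the sorted names of services linked to it.

    An edge counts whichever side holds the component, because the direction
    a given export uses is an assumption here.
    """
    components, services = _by_ref(bom, "components"), _by_ref(bom, "services")
    linked = defaultdict(set)
    for dep in bom.get("dependencies", []):
        for other in dep.get("dependsOn", []):
            for comp, svc in ((dep.get("ref"), other), (other, dep.get("ref"))):
                if comp in components and svc in services:
                    linked[comp].add(services[svc].get("name", svc))
    return {c.get("name", ref): sorted(linked[ref]) for ref, c in components.items()}


def dangling_refs(bom):
    """Return refs used in dependencies that no component or service defines."""
    known = set(_by_ref(bom, "components")) | set(_by_ref(bom, "services"))
    used = set()
    for dep in bom.get("dependencies", []):
        used.update([dep.get("ref"), *dep.get("dependsOn", [])])
    used.discard(None)
    return sorted(used - known)


if __name__ == "__main__":
    print("structure problems:", check_structure(SAMPLE_CBOM))
    for name, hosts in usage_map(SAMPLE_CBOM).items():
        print(name, "->", hosts or "no linked resource")
    print("dangling refs:", dangling_refs(SAMPLE_CBOM))
```

A key with no linked resource or a dependency that points at an undefined reference is worth investigating before the file is treated as a complete inventory.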

3.3 Discovered Cryptographic Assets and Operating Systems

This section provides a summary of the scanned file system assets, including keys, certificates, cryptographic assets, and operating systems, along with their counts.

Click each category to view the detailed list of the corresponding assets.

3.4 Keys by Spec

This section displays the total number of keys discovered in on-premises file systems, along with a breakdown by individual key specifications.

Click on each key type to view the detailed list of corresponding keys.

3.5 Certificates by Status

This section displays the count of certificates tagged with different statuses:

  • Issued: Certificates that have been issued and are currently valid.

  • Pending validation: Certificate signing requests that are waiting for approval.

  • Revoked: Certificates that have been explicitly revoked and are no longer trusted.

  • Failed: Certificates with invalid or inconsistent validity dates.

  • Inactive: Certificates that are not yet valid because their start date is in the future.

  • Expired: Certificates that have passed their expiry date and are no longer valid.

Click on each count to view the detailed list of corresponding certificates.

3.6 Certificates by Key Spec

This section displays the total number of certificates discovered in on-premises file systems, grouped by key specification (key type).

Click each key type to access the detailed list of certificates.

3.7 Top Operating Systems by Assets

This section displays the top 5 operating systems with the total number of keys, certificates, and cryptographic assets discovered in each.

  • Cells highlighted in Pink indicate discovered keys.

  • Cells highlighted in Green indicate discovered certificates.

  • Cells highlighted in Blue indicate discovered cryptographic assets.

  • Click VIEW ALL to see the complete list of operating systems.

  • Click each count to view the detailed list of corresponding assets.

4.0 Assessments

You can access the Fortanix Key Insight Assessment page for file systems after the scan is performed and assets have been added.

The Assessment page shows:

  • How good or bad the key security posture is for the on-premises scanner.

  • Violations that must be remediated to improve the security status.

  • Remediation advice to improve the security status.

Figure 2: On-premises file systems assessment report

Click the numerical values on the Assessment page to view the list of corresponding on-premises assets, where applicable.

4.1 Risk Score

This section provides the overall risk score of the on-premises assets for file systems.

  • High – A high score signifies the total number of non-compliant keys, file systems with non-compliant resources, non-compliant certificates (signature violation), and so on.

  • Critical – A critical risk score indicates the total number of expired certificates, overly permissive secret key files, and non-compliant keys (algorithm violation) that need attention.

  • Medium – A medium risk score indicates the certificates and keys with expiry more than two years.

The priority of the overall risk score is based on the count of risks in the following order:

  • Critical

  • High

  • Medium

Click each risk label or risk count to access its corresponding list view.

4.2 Resource Violations

This section provides insights into resource violations across your on-premises file system infrastructure.

You can view the total number of resource violations along with the breakdown of the total number of violations discovered across individual operating systems. This data helps identify which resources are at risk, enabling you to implement unique, compliant, and encrypted cryptographic assets for enhanced security.

Additionally,

  • You can view risk levels for each operating system resource, which are color-coded for easy identification.

  • Select VIEW ALL to navigate to the Resources page and explore individual violations for each operating system.

  • Click any operating system to view a detailed list of the top 10 violations associated with it, sorted by severity. Click each violation type to navigate to the corresponding list view.

  • Click BACK to return to the resource violations card view.

4.3 Top Security Issues

This section provides the following information:

  • Non-compliant keys: Displays the total number of keys that do not meet the established industry standards and compliance frameworks. It highlights keys that do not adhere to the required security practices and guidelines set forth by regulatory bodies and industry best practices. By identifying these non-compliant keys, this section helps identify the areas where key management practices need improvement to ensure that they align with the necessary security and compliance requirements.

    Any key that utilizes the following algorithm and key size combinations is considered Non-Compliant in Fortanix Key Insight, according to the National Institute of Standards and Technology (NIST) 800-57 standard:

    • AES: Any key size less than 128 bits.

    • 3DES: Keys with sizes 112 bits and 168 bits.

    • DES: Keys with size 56 bits.

    • RSA: Keys with a size less than 2048 bits.

    • DSA: Keys with a size less than 2048 bits.

    • ECC: Keys with a size less than 224 bits.

    • HMAC: Keys with a size less than 112 bits.

    The non-compliant keys increase the data security risk. They will be flagged as vulnerabilities on the Keys page.

    Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.  

  • Overly permissive certificates [Key usage]: Displays the total number of certificates (stored in the file system) that have excessive extended key usage (EKU) permissions. Certificates with overly permissive EKU settings can lead to policy violations and security risks and are assigned a High Risk score.

    EKUs define the roles a certificate can be used for, such as:

    • TLS Web Server Authentication

    • TLS Web Client Authentication

    • Code Signing

    • Email Protection

    • Timestamping

    • OCSP Signing

    • IPSec End System

    • IPSec Tunnel

    • IPSec User

    Certificates are flagged as violations if they include multiple EKUs beyond acceptable combinations, with three exceptions:

    1. A single EKU.

    2. A combination of Web Server Authentication and Web Client Authentication.

    3. An empty or undefined EKU (interpreted as “any usage”).

    Any other combination is considered overly permissive and potentially vulnerable.

    NOTE

    Fortanix Key Insight recommends regularly reviewing and revalidating key and certificate policies to ensure that extended key usages are restricted to the minimum required for each certificate.

  • PQC readiness: Indicates the percentage of your cryptographic assets that are currently quantum-safe, reflecting your on-premises environment's preparedness for post-quantum cryptography (PQC). This percentage represents the portion of assets using PQC-compliant algorithms or configurations.

Click non-compliant keys and overly permissive certificates (key usage) to access their corresponding list view.
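The key-size and EKU rules above can be reproduced outside the UI to spot-check individual findings. The following is an added example, not Fortanix code: the function names and algorithm aliases are assumptions, the EKU input is assumed to be the text printed by `openssl x509 -noout -text`, and the sample text is constructed.

```python
import re

# Thresholds copied from the non-compliant keys list above (sizes in bits).
MIN_BITS = {"AES": 128, "RSA": 2048, "DSA": 2048, "ECC": 224, "HMAC": 112}
FLAGGED_SIZES = {"3DES": {112, 168}, "DES": {56}}
# Assumed spellings an inventory might use for the same algorithms.
ALIASES = {"EC": "ECC", "ECDSA": "ECC", "TDES": "3DES", "DES3": "3DES"}

# The one multi-EKU combination the rule accepts.
TLS_PAIR = frozenset({"TLS Web Server Authentication",
                      "TLS Web Client Authentication"})

EKU_HEADER = re.compile(r"^\s*X509v3 Extended Key Usage:")

# Constructed excerpt in the layout printed by `openssl x509 -noout -text`.
CONSTRUCTED_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Code Signing
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def key_non_compliant(algorithm, bits):
    """Return True when the algorithm and size pair is on the list above."""
    alg = ALIASES.get(algorithm.upper(), algorithm.upper())
    if alg in FLAGGED_SIZES:
        return bits in FLAGGED_SIZES[alg]
    if alg in MIN_BITS:
        return bits < MIN_BITS[alg]
    # Refuse to guess rather than silently pass an unlisted algorithm.
    raise ValueError(f"algorithm not covered by the list: {algorithm}")


def parse_ekus(cert_text):
    """Return the EKU names from openssl text output (empty set if absent)."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if EKU_HEADER.match(line) and i + 1 < len(lines):
            return frozenset(n.strip() for n in lines[i + 1].split(",") if n.strip())
    return frozenset()


def eku_overly_permissive(ekus):
    """Apply the three exceptions: empty, single EKU, or server+client auth."""
    ekus = frozenset(ekus)
    return len(ekus) > 1 and ekus != TLS_PAIR


if __name__ == "__main__":
    for alg, bits in [("RSA", 1024), ("RSA", 2048), ("3DES", 168), ("EC", 256)]:
        print(alg, bits, "non-compliant" if key_non_compliant(alg, bits) else "ok")
    found = parse_ekus(CONSTRUCTED_CERT_TEXT)
    print(sorted(found), "overly permissive:", eku_overly_permissive(found))
```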

4.4 Certificate Expiry by Issuers

This section provides insights into monitoring and managing the expiration status of certificates in the file system, if any.

It gives visibility into certificate lifecycle risks and helps ensure continuous compliance and availability across the file system infrastructure.

This section contains two sub-sections:

4.4.1 About to Expire in 30 Days

This section displays the top 10 certificates scheduled to expire within the next 30 days, grouped by certificate issuer, if any.

  • Each issuer is represented using a distinct color for easy identification.

  • Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.

  • Click VIEW ALL to view the list of all certificates in the category.

4.4.2 Expired Certificates

This section displays the top 10 certificates that have already expired, grouped by certificate issuer, if any.

  • Each issuer is represented using a distinct color for easy identification. This data helps to identify misconfigurations, overlooked assets, or potential security risks from expired certificates.

  • Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.

  • Click VIEW ALL to view the list of all certificates in the category.

4.5 Certificate by Violation Type

This section displays the total count of non-compliant certificates categorized by specific violation types (for example, expired certificates), helping you take targeted action to address security or policy gaps.

Click the count for a specific violation type or the overall total to navigate to a filtered list view of the affected certificates.

4.6 Download Assessment Report

Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the on-premises infrastructures, such as databases, source code, and file systems, in PDF format. The report will open in the Print dialog box, where you can select to print it or save it locally to your machine as needed.

5.0 Rescan an On-premises Connection

Click RESCAN on the top-right corner of the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the on-premises scanner.

NOTE

  • The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.

  • The RESCAN option is available only when the on-premises connection status is Connected.

If you click RESCAN and start the scan, you can monitor its progress in the progress bar. After the scan is completed successfully,

  • The Last scanned label will be updated with the date and time of completion.

  • The Overview page will reflect the new state of the on-premises keys and resources.

You can also click RESCAN on the top-right corner of the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the new state of the on-premises resources.

6.0 Keys

After the on-premises connection is onboarded, click Keys in the Fortanix Key Insight left navigation panel to access the Keys page, where you can view all the scanned keys.

Figure 3: Access keys list

For every on-premises file system, the table displays the key ID, key name, infrastructure (File systems or Databases), key source, violations, key category, host, DB Type, key spec, key creation date, rotation date, expiration date, owners, usage description, and key status.

Click the VIOLATIONS count or icon to access the associated violations.

NOTE

You can customize how many columns are displayed in the Keys list view. For more information on how to configure the columns display, refer to Section 6.3: Customize Columns Display in File Systems List View.

6.1 Filter Keys in File Systems List View

In the list view, you can filter the keys using the Search field with the following criteria and available values:

  • Key Identifier

  • Hostname

  • Key Name

  • Infrastructure: Databases, File systems

  • Key Version

  • Key Source: HSM, Oracle Key Vault, File System Key Store, Fortanix, Azure Key Vault, Native Encryption, Other

  • Compliance: Compliant keys, Non-compliant keys

  • Key Correlation: Correlated, Not Correlated

  • Key Status: Active, Expired

  • Violation Type: Expired key, Key expiring soon, Key with expiry more than two years, Non-compliant key (Algorithm violation), Non-compliant key (Signature violation), Keys unrotated for two years, Overly permissive secret key file, Key anyone can write, Keys nearing two years in 30 days, Quantum vulnerable keys

  • Database Type: MSSQL, Oracle

  • Key Rotation Compliance: Compliant, Unrotated for over two years, Rotation status unknown

  • Key Category: Master Key, Data Encryption Key, Asymmetric Key

  • Key Spec

  • Owner

  • Usage Description

  • Operating System

  • File name/path

  • Key Type: Public Key, Private Key, Symmetric Key

  • Fingerprint

You can use a combination of the different key attributes to display the key list with specific results.

6.2 Export Keys Data

For steps to export the key data, refer to Section 10.0: Scanned Data Export.

6.3 Customize Columns Display in File Systems List View

Perform the following steps to modify the Keys, Certificates, and Cryptographic Assets table columns in the file systems list view:

  1. Click the column setting icon in the top-right corner of the table.

  2. In the Customize Columns dialog box, select the columns you want to display. You can choose specific columns or select all.

  3. Click APPLY to update the table view with your selected columns.

  4. Click RESET TO DEFAULT to revert to the default view showing six columns, if needed.

NOTE

If the total column width exceeds the screen size, horizontal scrolling is automatically enabled. The first column and the action column remain fixed during scrolling to ensure easier navigation.

6.4 Add Key Details in File Systems List View

After onboarding an on-premises connection to Fortanix Key Insight, you can assign owners to the scanned keys in file systems to enhance key management, simplify tracking, and improve remediation workflows.

Perform the following steps to add the key(s) details:

  1. Select the checkbox next to the required key(s) in the list.

  2. Click ADD DETAILS in the top-right corner of the table.

    NOTE

    If your on-premises connection was last scanned before the Fortanix Key Insight 25.03 release and a new scan was not performed, clicking ADD DETAILS will display a Rescan Required to Add Details dialog box. To ensure your key details are correctly added, rescan the on-premises connection and then add the key details. For more information on how to perform a rescan, refer to Section 5.0: Rescan an On-Premises Connection.

  3. In the Add Details dialog box, enter the following details:

    1. Primary owner: Enter the primary owner’s name or employee ID.

    2. Email ID: Enter the primary owner’s valid email address.

    3. Click ADD SECONDARY OWNER to add the secondary owner details, if required.

    4. Description (Optional): Enter an optional description.

    5. Click ADD to add the ownership details to the selected key(s).

NOTE

  • To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.

  • Only users with Account Administrator permissions can add or edit key details.

On the Keys page, the primary and secondary owners’ names or employee IDs and email addresses appear in the OWNERS column, and the description will appear in the USAGE DESCRIPTION column.

6.5 Edit Key Details in File Systems List View

You can modify the details of the selected key(s).

Perform the following steps to edit the key(s) details:

  1. Select the checkbox next to the required key(s) in the list.

  2. Click EDIT DETAILS in the top right corner.

  3. On the Edit Details dialog box,

    1. Update the primary owner’s name or employee ID, and email address.

    2. Update the secondary owner’s name or employee ID, and email address.

    3. Update the description if required.

    4. Click UPDATE to save the details to the selected key(s).

You can also update the details while viewing the key details. For more information, refer to Section 6.6: View Key Details in File Systems List View.

6.6 View Key Details in File Systems List View

Perform the following steps to view key details:

  1. Filter the keys by file system infrastructure:

    • Use Infrastructure = File system to display keys scanned from a file system.

  2. In the list, click any key ID to view its properties and associated violations.

    • The KEY DETAILS tab includes the following details:

      • Key Properties: This section displays key specifications, such as key ID, infrastructure, hostname/IP address, fingerprint, creation date, key spec, key type, operating file system, and file path.

      • Ownership: This section is visible if owner details have been added to the key. It displays the primary and secondary owners’ names or employee ID, email addresses and description.

Figure 4: Access key details view

NOTE

The Key Correlation section is visible only if an external key source (Fortanix DSM SaaS or On-premises) has been configured for the Fortanix Key Insight on-premises connection. You can filter the correlated keys using the Key Source = Fortanix or Key Correlation = Correlated attributes.

For a selected correlated key in the list, this section displays details such as the key source, key source type, last correlated date, and source key ID. Click the Key ID to navigate to Fortanix DSM SaaS and view the key details.

  • The VIOLATIONS tab displays any violations associated with the key.

Figure 5: View key violations

7.0 Resources

After onboarding an on-premises connection with file system resources, you can navigate to the FILE SYSTEMS tab under Resources in the Fortanix Key Insight left navigation panel to view all scanned resources.

Figure 6: Access file system resources

For every resource, you can see the operating system name, hostname, Violations, and last seen details. Click the violations count or icon to view the associated violations.

7.1 Filter Resources in File Systems List View

In the list view, you can filter the resources using the Search field with the following criteria and available values:

  • Operating System Name

  • Violation Type

  • Host Name

  • IP Address

  • Last Seen On

You can use a combination of the above filter options to display the data with specific results.

7.2 View File Systems Resource Details

Click an operating system name in the resources list to view its properties and associated violations.

  • The RESOURCE DETAILS tab includes the following:

    • Resource Configurations: This section displays the file system specifications, such as operating system name, hostname, and last seen on.

    • Assets Discovered: This section displays the count of total assets discovered during the scan. Click VIEW or the asset count to navigate to the assets list page with the appropriate filter applied.

    • Agent IP Addresses: This section lists all the File System agent scanner IP addresses used in the on-premises connection configuration.

Figure 7: Access file system resource details

  • The VIOLATIONS tab displays any violations associated with the file system assets.

Figure 8: Access file system resource violations

8.0 Cryptographic Assets

After onboarding an on-premises connection with file system resources, you can navigate to the FILE SYSTEMS tab under Cryptographic Assets in the Fortanix Key Insight left navigation panel to view all scanned cryptographic assets.

Figure 9: Access the cryptographic assets list

For every on-premises file system, the table displays the file name, host name, asset type, file last updated date, violations, and file paths. Click the violations count or icon to view the associated violations.

8.1 Filter Cryptographic Assets in File Systems List View

In the list view, you can filter the cryptographic assets using the Search field with the following criteria and available values:

  • File name/path

  • Host Name

  • Violation Type: Expired cryptographic asset, Cryptographic asset expiring soon, Cryptographic asset with expiry more than two years, Non-compliant cryptographic asset (Algorithm violation), Non-compliant cryptographic asset (Signature violation), Cryptographic assets unrotated for two years, Overly permissive secret key file, Cryptographic asset anyone can write, Quantum vulnerable cryptographic asset, Overly permissive certificates (Key usage)

  • Operating System

You can use a combination of the different filter attributes to display the data with specific results.

8.2 Export Cryptographic Assets Data

For steps to export the cryptographic assets data, refer to Section 10.0: Scanned Data Export.

8.3 View Cryptographic Assets Details in File Systems List View

Click any file name of the cryptographic asset in the list to view its properties and associated violations.

  • The CRYPTOGRAPHIC ASSET DETAILS tab includes the following details:

    • Cryptographic Asset Properties: This section displays the specifications based on the asset types:

      • Certificate Revocation List (CRL): File name, host name, asset type, operating system, common name, organization, signature algorithm, public key algorithm, locality, file last updated on, and file path.

      • Certificate Signing Request (CSR): File name, host name, asset type, operating system, Issuer CN, revoked certificate serial, signature algorithm, locality, file last updated on, and file path.

      • Any other type: File name, host name, asset type, operating system, file last updated on, and file path.

Figure 10: Access cryptographic assets details view

  • The VIOLATIONS tab displays any violations associated with the cryptographic asset.

Figure 11: View cryptographic assets violations

9.0 Certificates

After onboarding an on-premises connection with file system resources, navigate to Certificates in the Fortanix Key Insight left navigation panel to view all the scanned certificates.

Figure 12: Access certificates list

For every on-premises file system, it shows the file name, infrastructure, status, violation, issuer, and key spec. Click the violations count or icon to view the associated violations.

9.1 Filter Certificates in File Systems List View

In the list view, you can filter the certificates using the Search field with the following criteria and available values:

  • File name/path

  • Key Spec

  • Status: Issued, Pending Validation, Revoked, Failed, Inactive, Expired

  • Violation Type: Expired certificate, Certificate expiring soon, Certificate with expiry more than two years, Non-compliant certificate (Algorithm violation), Non-compliant certificate (Signature violation), Certificate unrotated for two years, Overly permissive secret key file, Certificate anyone can write, Quantum vulnerable certificate, Overly permissive certificates (Key usage)

  • Issuer

  • Operating System

  • Subject CN

  • Fingerprint

  • IP Address

You can use a combination of the different filter attributes to display the data with specific results.

9.2 Export Certificates Data

For steps to export the certificate data, refer to Section 10.0: Scanned Data Export.

9.3 View Certificate Details in File Systems List View

Click any file name in the file systems list to view its properties and associated violations.

  • The CERTIFICATE DETAILS tab includes the following details:

    • Certificate Properties: This section displays the specifications, including file name, status, issuer, key spec, infrastructure, creation date, subject CN, fingerprint, and file path.

    • Agent Details: This section lists the operating system and associated Agent IP addresses.

    Figure 13: View the certificate details

  • The VIOLATIONS tab displays any violations associated with the certificates.

Figure 14: View certificates violations

10.0 Scanned Data Export

This feature allows you to export the scanned assets from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.

In the on-premises file systems Keys, Resources, Certificates, and Cryptographic Assets list view, you can click EXPORT to export the scanned data using any of the available options:

Figure 15: Access data export feature

  • Export current page: Use this option to export all column data from the current page in CSV format.

    NOTE

    You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop-down.

  • Export all raw data: Use this option to export all scanned data in CSV format. Review the details in the Export All Raw Data dialog box and click PROCEED to start the export.

    After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more information, refer to Section 10.1: Manage Export Activities.

  • Export selected rows: This option is disabled by default. You can select the checkbox next to the required rows on the current page and then use this option to export only those rows in CSV format.

NOTE

  • Only users with the Account Administrator and Group Administrator roles can perform the scanned data export.

  • Within the same account, you can have multiple exports running simultaneously from different cloud and on-premises connections.

10.1 Manage Export Activities

After you initiate the export process using Export All Raw Data, you can track the export status in the Activities tab located in the left navigation pane of Fortanix Key Insight.

You can see the following details for each export:

  • Name of the activity.

  • Name of the file.

  • Activity status: This indicates the current state of the data export. This can be,

    • Completed: The data export has been completed, and the CSV file will automatically download to the location specified on your local machine.

    • In Progress: The data export is in progress, and you can cancel it if required.

    • Cancelled: The data export was cancelled, either manually or due to switching accounts while the export was in progress.

    • Failed: The data export did not complete successfully due to errors.  

  • Name of the connection

  • Export creation date and time

NOTE

  • If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.

  • If you navigate to a different solution (for example, Fortanix Identity and Access Management (IAM)), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using a toast message.

  • If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. To avoid this, do not refresh the page during the export.