You can click the numerical value on the Overview page to view the list of corresponding on-premises keys and resources, where applicable.
If you added any external key source (Fortanix DSM SaaS or On-premises) during the Fortanix Key Insight On-premises connection onboarding, the Overview page for databases displays the total key count, reflecting the correlated keys after a successful scan.
Click ASSESSMENT REPORT to navigate to the Assessment page and view the assessment report. This report allows you to assess your key security posture to ensure the safety of your data. For more information, refer to Section 4.0: Assessments.
The Overview page is described in the following sections:
3.1 Discovered On-premises Resources
This section provides the count of scanned on-premises infrastructures, including databases, file systems, and source code repositories.
It also displays the count of the following in the scanned on-premises infrastructures:
Cryptographic assets
Keys
Certificates
Resources
NOTE
The total number of keys displayed in the Discovered On-premises Resources section is only the count of the “Current” key versions in the on-premises infrastructures.
Clicking the Cryptographic Assets, Keys, Certificates, and Resources labels navigates you to their list view.
3.2 Cryptography Bill of Materials (CBOM)
This section describes how to export cryptographic asset metadata from an on-premises infrastructure into a standardized CBOM JSON file. The exported CBOM format is useful for maintaining a cryptographic inventory, demonstrating regulatory compliance, and evaluating post-quantum cryptography (PQC) readiness.
To export the CBOM data, click EXPORT. The file named bom_report_<on-premises_scan_id>.json will be downloaded to your local machine, where on-premises_scan_id is a unique identifier generated for each on-premises connection scan.
For example,
bom_report_e174504c-92d2-11f0-966a-7376cbf4905b
142.25 KB
The exported file adheres to the CycloneDX specification, including the following components:
bomFormat: Specifies the bill of materials format. For CBOM, this value is set to CycloneDX.
specVersion: Indicates the version of the CycloneDX specification being used.
version: Denotes the version of this specific CBOM file.
components: Lists cryptographic components such as on-premises keys. Each entry includes details such as type, name, algorithm, associated services, and other relevant information.
services: Describes the on-premises resources that interact with the listed cryptographic components. Each service includes details such as its name and unique ID.
dependencies: Defines the relationships between keys and resources, representing how cryptographic elements are interconnected or used together.
NOTE
If your on-premises connection was last scanned before the Fortanix Key Insight 25.07 release and has not been rescanned since, you must perform a Rescan to ensure the correct export of CBOM data.
This section provides a summary of the scanned database assets, including cryptographic keys and associated servers, along with their counts.
Click each category to view the detailed list of the corresponding keys and databases.
3.4 Keys by Spec
This section displays the total number of keys discovered in on-premises databases, along with a breakdown by individual key specifications.
Click on each key type to view the detailed list of corresponding keys.
3.5 Keys by Sources
This section displays the distribution of keys generated from various sources.
NOTE
If you added an external key source (Fortanix DSM SaaS or On-premises) during the On-premises connection onboarding, the Fortanix key source label will be displayed. This indicates that the keys are now linked to Fortanix DSM (SaaS or On-premises).
Click each key to go to its list view, which includes information such as key ID, key name, key insight, key rotation, host, and so on.
3.6 Keys by Status
This section lists the total number of active and expired keys in the databases. Click each item to access the list of the respective keys.
3.7 Top Database Types by Assets
This section displays the top five on-premises databases with the total number of keys discovered in each, along with the overall key count. Cells highlighted in pink indicate discovered keys.
Click VIEW ALL to see the complete list of databases and their discovered keys.
Click a key count to view the detailed list of corresponding keys within that database.
3.8 Scanned Databases
This section displays the encryption status of the scanned database resources, showing which ones are encrypted and which are not.
The red color cell indicates the Unencrypted resources.
The orange color cell indicates the Partially encrypted resources.
The black color indicates the resources whose encryption status is unknown.
The green color cell indicates the Fully Encrypted resources.
Clicking each item will take you to its corresponding list view.
4.0 Assessments
You can access the Fortanix Key Insight Assessment page for databases after the scan is performed, and on-premises keys and resources have been added.
The Assessment page shows:
How good or bad the key security posture is for the on-premises scanner.
Violations that must be remediated to improve the security status.
Remediation advice to improve the security status.
Figure 2: On-premises databases assessment report
NOTE
You can click the numerical values on the Assessment page to view the list of corresponding on-premises keys and resources, where applicable.
If you added any external key source (Fortanix DSM SaaS or On-premises) during the Fortanix Key Insight On-premises connection onboarding, the Assessment page will display the total key count, reflecting the correlated keys after a successful scan.
4.1 Risk Score
This section provides the overall risk score of the on-premises keys and resources for databases.
High – A high score indicates the total number of non-compliant keys and partially encrypted keys in use.
Critical – A critical risk score indicates the total number of unencrypted databases detected that need attention.
The priority of the overall risk score is based on the count of risks in the following order:
Critical
High
Click each risk label or risk count to access its corresponding list view.
4.2 Resource Violations
This section provides insights into resource violations across your on-premises database infrastructure.
You can view the total number of database violations along with the breakdown of the total number of violations discovered across individual databases. This data helps identify which resources are at risk, enabling you to implement unique, compliant, and encrypted cryptographic assets for enhanced security.
Additionally,
You can view risk levels for each database, which are color-coded for easy identification.
Select VIEW ALL to navigate to the Resources page and explore individual violations for each database.
Click any database to view a detailed list of the top 10 violations associated with it, sorted by severity. Click each violation type to navigate to the corresponding list view.
Click BACK to return to the resource violations card view.
4.3 Top Security Issues
This section provides the following information:
Unencrypted DBs: Displays the number of databases that do not have encryption applied to their stored data. Encryption is a critical security measure used to protect sensitive information by converting it into a secure format that is unreadable without the appropriate decryption key.
Non-HSM managed keys: Non-HSM (Non-Hardware Security Module) managed keys refer to cryptographic keys that are handled, stored, and managed by software rather than specialized hardware devices designed for key management and security. This section displays the total number of keys in the on-premises scanner that are not managed by hardware.
Non-compliant keys: Displays the total number of keys that do not meet the established industry standards and compliance frameworks. It highlights keys that do not adhere to the required security practices and guidelines set forth by regulatory bodies and industry best practices. By identifying these non-compliant keys, this section helps identify the areas where key management practices need improvement to ensure that they align with the necessary security and compliance requirements.
Any key that utilizes the following algorithm and key size combinations is considered Non-Compliant in Fortanix Key Insight, according to the National Institute of Standards and Technology (NIST) 800-57 standard:
AES: Any key size less than 128 bits.
3DES: Keys with sizes 112 bits and 168 bits.
DES: Keys with size 56 bits.
RSA: Keys with a size less than 2048 bits.
DSA: Keys with a size less than 2048 bits.
ECC: Keys with a size less than 224 bits.
HMAC: Keys with a size less than 112 bits.
The non-compliant keys increase the data security risk. They will be flagged as vulnerabilities on the Keys page.
Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.
PQC readiness: Indicates the percentage of your cryptographic assets that are currently quantum-safe, reflecting your database environment's preparedness for post-quantum cryptography (PQC). This percentage represents the portion of assets using PQC-compliant algorithms or configurations. Clicking the percentage value takes you to the PQC Central page, where you can view detailed data related to the corresponding on-premises connection and assess the readiness of individual assets.
Click each top security issue to access its corresponding list view.
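Added example (not part of the Fortanix documentation or product code): the following Python code applies the non-compliant algorithm and key-size combinations listed above to the components of a CBOM file such as the one exported in Section 3.2, and reports the services linked to each flagged key. The sample document is constructed, and the component layout (cryptoProperties, relatedCryptoMaterialProperties, size, algorithmRef, as defined in CycloneDX 1.6) is an assumption about how the export records algorithm and key size.

```python
import json

# Non-compliant algorithm/key-size combinations, as listed in Section 4.3 above.
RULES = {
    "AES": lambda bits: bits < 128,
    "3DES": lambda bits: bits in (112, 168),
    "DES": lambda bits: bits == 56,
    "RSA": lambda bits: bits < 2048,
    "DSA": lambda bits: bits < 2048,
    "ECC": lambda bits: bits < 224,
    "HMAC": lambda bits: bits < 112,
}

def is_non_compliant(algorithm, bits):
    """True/False per RULES; None if the algorithm is unlisted or the size is missing."""
    rule = RULES.get(str(algorithm).upper())
    if rule is None or not isinstance(bits, int):
        return None
    return rule(bits)

def flag_keys(cbom):
    """Return (key name, algorithm, bits, linked service names) per non-compliant key."""
    if cbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c.get("bom-ref"): c for c in cbom.get("components", [])}
    services = {s.get("bom-ref"): s.get("name") for s in cbom.get("services", [])}
    # The page does not state which way key/resource dependencies point,
    # so every edge is treated as an undirected link.
    links = {}
    for dep in cbom.get("dependencies", []):
        for other in dep.get("dependsOn", []):
            links.setdefault(dep.get("ref"), set()).add(other)
            links.setdefault(other, set()).add(dep.get("ref"))
    findings = []
    for ref, comp in components.items():
        crypto = comp.get("cryptoProperties", {})
        material = crypto.get("relatedCryptoMaterialProperties")
        if not material:
            continue  # algorithm entries and other non-key components
        algo = components.get(material.get("algorithmRef"), {}).get("name")
        bits = material.get("size")
        if is_non_compliant(algo, bits):
            used_by = sorted(services[r] for r in links.get(ref, ()) if r in services)
            findings.append((comp.get("name"), algo, bits, used_by))
    return findings

# Constructed sample; layout assumed from CycloneDX 1.6, not taken from a real export.
SAMPLE = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
 "components": [
  {"bom-ref": "alg-rsa", "name": "RSA", "cryptoProperties": {"assetType": "algorithm"}},
  {"bom-ref": "alg-aes", "name": "AES", "cryptoProperties": {"assetType": "algorithm"}},
  {"bom-ref": "key-1", "name": "tde_master_key", "cryptoProperties": {
    "assetType": "related-crypto-material", "relatedCryptoMaterialProperties":
      {"type": "private-key", "size": 1024, "algorithmRef": "alg-rsa"}}},
  {"bom-ref": "key-2", "name": "column_dek", "cryptoProperties": {
    "assetType": "related-crypto-material", "relatedCryptoMaterialProperties":
      {"type": "secret-key", "size": 256, "algorithmRef": "alg-aes"}}}],
 "services": [{"bom-ref": "svc-1", "name": "mssql-hr-db"}],
 "dependencies": [{"ref": "svc-1", "dependsOn": ["key-1", "key-2"]}]}
""")

if __name__ == "__main__":
    for name, algo, bits, used_by in flag_keys(SAMPLE):
        print(f"NON-COMPLIANT {name}: {algo}-{bits}, linked services: {used_by}")
```

Keys whose algorithm is not in the list, or whose size is absent, are skipped rather than reported as compliant, so compare the number of evaluated keys against the key count shown on the Overview page.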
4.5 Download Assessment Report
Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the on-premises infrastructures, such as databases, source code, and file systems, in PDF format. The report will open in the Print dialog box, where you can select to print it or save it locally to your machine as needed.
5.0 Rescan an On-premises Connection
Click RESCAN on the top-right corner of the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the on-premises scanner.
NOTE
The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.
The RESCAN option is available only when the on-premises connection status is Connected.
If you click RESCAN and start the scan, you can monitor its progress in the progress bar. After the scan is completed successfully,
The Last scanned label will be updated with the date and time of completion.
The Overview page will reflect the new state of the on-premises keys and resources.
You can also click RESCAN on the top-right corner of the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the new state of the on-premises resources.
6.0 Keys
After the on-premises connection is onboarded, click Keys in the Fortanix Key Insight left navigation panel to access the Keys page, where you can view all the scanned keys for on-premises databases.
Figure 3: Access Keys page
The key list displays the following information:
For every database, the table displays the key ID, key source, key name, infrastructure (Databases or File systems), violations, key category, owners, usage description, version, key insight, hostname, key spec, key creation date, rotation date, expiration date, database (DB) type, and key status.
Click the VIOLATIONS count or icon to access the associated violations.
6.1 Filter Keys in Databases List View
In the list view, you can filter the keys using the Search field with the following criteria and available values:
Key Identifier
Hostname
Key Name
Infrastructure: Databases, File systems
Key Version
Key Source: HSM, Oracle Key Vault, File System Key Store, Fortanix, Azure Key Vault, Native Encryption, Other
Compliance: Compliant keys, Non-compliant keys
Key Correlation: Correlated, Not Correlated
Key Status: Active, Expired
Violation Type: Expired key, Key expiring soon, Key with expiry more than two years, Non-compliant key (Algorithm violation), Non-compliant key (Signature violation), Keys unrotated for two years, Overly permissive secret key file, Key anyone can write, Keys nearing two years in 30 days, Quantum vulnerable keys
Database Type: MSSQL, Oracle
Key Rotation Compliance: Compliant, Unrotated for over two years, Rotation status unknown
Key Category: Master Key, Data Encryption Key, Asymmetric Key
Key Spec
Owner
Usage Description
Operating System
File name/path
Key Type: Public Key, Private Key, Symmetric Key
Fingerprint
You can use a combination of the different key attributes to display the key list with specific results.
6.3 Customize Columns Display in Databases List View
Perform the following steps to modify the Keys table columns in the database list view:
Click the column setting icon in the top-right corner of the table.
In the Customize Columns dialog box, select the columns you want to display. You can choose specific columns or select all.
Click APPLY to update the table view with your selected columns.
Click RESET TO DEFAULT to revert to the default view showing six columns, if needed.
NOTE
If the total column width exceeds the screen size, horizontal scrolling is automatically enabled. The first column and the action column remain fixed during scrolling to ensure easier navigation.
6.4 Add Key Details in Databases List View
After onboarding an on-premises connection to Fortanix Key Insight, you can assign owners to the scanned keys in databases to enhance key management, simplify tracking, and improve remediation workflows.
Perform the following steps to add the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click ADD DETAILS in the top-right corner of the table.
NOTE
If your on-premises connection was last scanned before the Fortanix Key Insight 25.03 release and a new scan was not performed, clicking ADD DETAILS will display a Rescan Required to Add Details dialog box. To ensure your key details are correctly added, rescan the on-premises connection and then add the key details. For more information on how to perform a rescan, refer to Section 5.0: Rescan an On-premises Connection.
In the Add Details dialog box, enter the following details:
Primary owner: Enter the primary owner’s name or employee ID.
Email ID: Enter the primary owner’s valid email address.
Click ADD SECONDARY OWNER to add the secondary owner details, if required.
Description (Optional): Enter an optional description.
Click ADD to add the ownership details to the selected key(s).
NOTE
To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.
Only users with Account Administrator permissions can add or edit key details.
On the Keys page, the primary and secondary owners’ names or employee IDs and email addresses appear in the OWNERS column, and the description appears in the USAGE DESCRIPTION column.
6.5 Edit Key Details in Databases List View
You can modify the details of the selected key(s).
Perform the following steps to edit the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click EDIT DETAILS in the top right corner.
On the Edit Details dialog box,
Update the primary owner’s name or employee ID, and email address.
Update the secondary owner’s name or employee ID, and email address.
Update the description if required.
Click UPDATE to save the details to the selected key(s).
Use Infrastructure = Databases to display keys scanned from a database.
In the list, click any key ID to view its properties and associated violations.
The KEY DETAILS tab includes the following details:
Key Properties: This section displays key specifications, such as key ID, name, status, category, source, host, DB type, version (if available), creation date, infrastructure, expiration date, and key specification.
Ownership: This section is available if owner details have been added to the key. It displays the primary and secondary owners’ names or employee ID, email IDs, and description.
Automatic Key Rotation Policy: This section includes key rotation details, such as the last rotation time.
Figure 4: Access key details view
NOTE
The Key Correlation section is visible only if an external key source (Fortanix DSM SaaS or On-premises) has been configured for the Fortanix Key Insight on-premises connection. You can filter the correlated keys using the Key Source = Fortanix or Key Correlation = Correlated attributes.
For a selected correlated key in the list, this section displays details such as the key source, key source type, last correlated date, and source key ID. Click the Key ID to navigate to Fortanix DSM SaaS and view the key details.
Figure 5: Access keys correlated data
The VIOLATIONS tab displays any violations associated with the key. These violations may include issues such as shared keys, overly permissive usage or management permissions, key expiration, and so on.
Figure 6: View key violations
The RESOURCE MAPPING tab displays the mapping between the key and on-premises database resource(s), if any. Click Legends to understand the meaning of icons and warnings displayed in the resource mapping view.
Figure 7: Key and resources mapping
7.0 Resources
After the on-premises connection is onboarded, click Resources in the Fortanix Key Insight left navigation panel.
Clicking Resources will take you to the Resources page, where you can view a list of all on-premises resources, including Oracle and MSSQL under the DATABASES tab.
Figure 8: Access resources
For every resource category (Oracle and MSSQL), the table displays the hostname/IP address, resource name, violations, resource ID, and the encryption type. Click the violations count or icon to view the associated violations.
7.1 Filter Resources in Databases List View
In the list view, you can filter the resources using the Search field with the following criteria and available values:
Resource Category: Oracle, MSSQL
Identifier
Name
Host Name / IP Address
Encryption Type: Unencrypted, Partially Encrypted, Fully Encrypted, Encryption Status Unknown
Key Violation
Key Vulnerability: Encrypted with non-compliant key, Encrypted with quantum vulnerable key
You can use a combination of the above filter options to display the data with specific results.
7.2 View Databases Resource Details
Click a resource category in the resources list to view its properties and associated violations.
The RESOURCE DETAILS tab includes the following:
Resource Configurations: This section displays the database specifications, such as resource category, ID, encryption status, and hostname or IP address.
Figure 9: Access databases resource details
The VIOLATIONS tab displays any violations associated with the database keys and resources.
Figure 10: Access database resource violations
8.0 Scanned Data Export
This feature allows you to export the scanned key and resource-related data from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.
In the on-premises databases Keys and Resources list view, you can click EXPORT to export the scanned data using any of the available options:
Figure 11: Access data export feature
Export current page: Use this option to export all column data from the current page in CSV format.
NOTE
You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop down.
Export all raw data: Use this option to export all scanned data in CSV format. Review the details in the Export All Raw Data dialog box and click PROCEED to start the export.
After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more information, refer to Section 8.1: Manage Export Activities.
Export selected rows: This option is disabled by default. You can select the checkbox next to the required rows on the current page and then use this option to export only those rows in CSV format.
NOTE
Only users with the Account Administrator and Group Administrator roles can perform the scanned data export.
Within the same account, you can have multiple exports running simultaneously from different cloud and on-premises connections.
8.1 Manage Export Activities
After you initiate the export process using Export All Raw Data, you can track the export status in the Activities tab located in the left navigation pane of Fortanix Key Insight.
You can see the following details for each export:
Name of the activity.
Name of the file.
Activity status: This indicates the current state of the data export. This can be,
Completed: The data export has been completed, and the CSV file will automatically download to the location specified on your local machine.
In Progress: The data export is in progress, and you can cancel it if required.
Cancelled: The data export was cancelled, either manually or due to switching accounts while the export was in progress.
Failed: The data export did not complete successfully due to errors.
Name of the connection
Export creation date and time
NOTE
If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.
If you navigate to a different solution (for example, Fortanix Identity and Access Management (IAM)), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using a toast message.
If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. To avoid this, do not refresh the page during the export.
Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.