SSH keys are handled very carefully by the Sandfly platform.


When you add SSH keys to Sandfly to gain access to your Linux systems, they are immediately encrypted with elliptic curve cryptography using keys unique to your installation. At that point, the SSH data is unrecoverable even if the database contents are completely compromised.


Initiating a Sandfly scan of a secured Linux system requires the encrypted keys to be passed to a scanning node that can access the target Linux system. The scanning node uses its keys to decrypt the credentials for that one instance and, when done, the encrypted credentials are disposed of. No encrypted keys are written to the disk on the node, and the private keys the node uses to decrypt credentials are not known by the server.


With the above, a compromise of both the server and node simultaneously would be required to compromise SSH keys for your systems. As users do not interact with the scanning nodes, these nodes can be kept in a highly secure configuration with limited access, making it extremely difficult to compromise both components and carry out a credential theft.
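
The separation described above, where the server can encrypt a credential but only the scanning node can decrypt it, can be sketched as follows. This is an added example, not Sandfly's code: the page names only "elliptic curve cryptography", so the X25519 + HKDF-SHA256 + ChaCha20-Poly1305 construction, the Python `cryptography` package and all function names here are assumptions.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

INFO = b"example-credential-seal-v1"  # hypothetical context label

def raw_pub(priv):
    """Raw 32-byte public key for an X25519 private key."""
    return priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

def new_node_keypair():
    """Run on the node: the private key never leaves it; only the public half is shared."""
    priv = X25519PrivateKey.generate()
    return priv, raw_pub(priv)

def derive_key(shared, eph_pub, node_pub):
    # Bind the derived key to both public keys (the ephemeral one and the node's).
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=eph_pub + node_pub, info=INFO).derive(shared)

def seal(node_pub, credential):
    """Server side: encrypt with the node's public key only; the server cannot reverse this."""
    eph = X25519PrivateKey.generate()          # fresh per credential, discarded after use
    eph_pub = raw_pub(eph)
    key = derive_key(eph.exchange(X25519PublicKey.from_public_bytes(node_pub)), eph_pub, node_pub)
    nonce = os.urandom(12)
    return eph_pub + nonce + ChaCha20Poly1305(key).encrypt(nonce, credential, None)

def open_sealed(node_priv, blob):
    """Node side: decrypt in memory; raises InvalidTag on a wrong key or a modified blob."""
    eph_pub, nonce, ct = blob[:32], blob[32:44], blob[44:]
    shared = node_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    return ChaCha20Poly1305(derive_key(shared, eph_pub, raw_pub(node_priv))).decrypt(nonce, ct, None)

def demo():
    node_priv, node_pub = new_node_keypair()
    credential = b"constructed-ssh-private-key-material"   # constructed sample, not a real key
    stored = seal(node_pub, credential)                     # what the server database would hold
    outsider, _ = new_node_keypair()                        # stands in for any non-node key
    try:
        open_sealed(outsider, stored)
        wrong_key_rejected = False
    except InvalidTag:
        wrong_key_rejected = True
    return credential not in stored, wrong_key_rejected, open_sealed(node_priv, stored) == credential
```

`demo()` returns three booleans: the stored blob does not contain the plaintext, a key other than the node's is rejected, and the node recovers the original credential.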


Customers who do not want any credentials stored, or who use SSH key certificates with short expiration times where storing credentials is not useful, can deploy Sandfly in our "ad hoc" mode. Ad hoc mode allows you to pass in scan requests with one-time-use credentials that are not stored by Sandfly anywhere.