SSH keys are handled very carefully by the Sandfly platform.


When you add SSH keys to Sandfly to gain access to your Linux systems, they are immediately encrypted with elliptic curve cryptography using keys unique to your installation. At that point, the SSH data is unrecoverable even if the database contents are completely compromised.


Initiating a Sandfly scan sends the encrypted keys to the scanning node that can reach the target Linux system. The scanning node uses its own keys to decrypt the credentials for that one scan and, once the scan is done, discards them. No keys are written to disk on the node, and the private keys the node uses to decrypt credentials are never known to the server.


With the above, an attacker would have to compromise both the server and a scanning node simultaneously to recover the SSH keys for your systems. Because users never interact with the scanning nodes, those systems can be kept in a highly locked-down configuration with minimal access, making it extremely difficult to subvert both components and steal credentials.
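The split described in the three paragraphs above (keys encrypted on arrival with node-specific keys, the server holding only ciphertext, the node decrypting in memory for a single scan) is a standard hybrid public-key encryption pattern. The following is an added illustration written for this page, not Sandfly's own code. The page says only "elliptic curve cryptography"; the concrete scheme used here (X25519 ECDH with an ephemeral key, HKDF-SHA256, AES-256-GCM via the `cryptography` package), the class names and the `SAMPLE_SSH_KEY` value are all assumptions constructed for the demonstration.

```python
"""
Added illustration (not Sandfly's code) of the credential flow described above:

  node   : generates an X25519 key pair; the private half never leaves it
  server : holds only the node's public key, encrypts SSH keys on arrival and
           stores ciphertext only, so a database dump yields nothing usable
  scan   : the node receives the ciphertext, decrypts it in memory, uses it,
           and discards the plaintext

Scheme (X25519 ECDH + HKDF-SHA256 + AES-256-GCM) is an assumption; the page
only says "elliptic curve cryptography".
"""
import os
from dataclasses import dataclass
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

HKDF_INFO = b"credential-envelope-v1"  # constructed context label

# Constructed sample; not a real key.
SAMPLE_SSH_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)


@dataclass(frozen=True)
class EncryptedCredential:
    """The only thing the server's database stores for an SSH key."""
    ephemeral_pub: bytes  # 32-byte one-time X25519 public key
    nonce: bytes          # 12-byte AES-GCM nonce
    ciphertext: bytes     # AES-GCM output with the tag appended


def _derive_key(shared_secret: bytes) -> bytes:
    """Raw ECDH output -> 256-bit AES key."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=HKDF_INFO).derive(shared_secret)


def _raw(public_key: X25519PublicKey) -> bytes:
    return public_key.public_bytes(serialization.Encoding.Raw,
                                   serialization.PublicFormat.Raw)


class ScanningNode:
    """Holds the sole private key able to open stored credentials."""

    def __init__(self) -> None:
        self._private_key = X25519PrivateKey.generate()

    def public_key_bytes(self) -> bytes:
        return _raw(self._private_key.public_key())

    def decrypt(self, env: EncryptedCredential) -> Optional[bytes]:
        """Return the plaintext, or None if this node's key cannot open it."""
        peer = X25519PublicKey.from_public_bytes(env.ephemeral_pub)
        key = _derive_key(self._private_key.exchange(peer))
        try:
            # ephemeral_pub is bound as associated data so it cannot be swapped
            return AESGCM(key).decrypt(env.nonce, env.ciphertext, env.ephemeral_pub)
        except InvalidTag:
            return None

    def run_scan(self, env: EncryptedCredential) -> bool:
        """Decrypt for one use, then discard; nothing is written to disk."""
        plaintext = bytearray(self.decrypt(env) or b"")
        try:
            return plaintext.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----")
        finally:
            # Best-effort wipe; Python cannot guarantee scrubbing of bytes objects.
            for i in range(len(plaintext)):
                plaintext[i] = 0


class Server:
    """Can encrypt for the node but holds nothing that decrypts."""

    def __init__(self, node_public_key: bytes) -> None:
        self._node_pub = X25519PublicKey.from_public_bytes(node_public_key)
        self.database: dict = {}

    def add_ssh_key(self, name: str, private_key_pem: bytes) -> EncryptedCredential:
        """Encrypt immediately; only the envelope is retained."""
        ephemeral = X25519PrivateKey.generate()
        ephemeral_pub = _raw(ephemeral.public_key())
        key = _derive_key(ephemeral.exchange(self._node_pub))
        nonce = os.urandom(12)
        ct = AESGCM(key).encrypt(nonce, private_key_pem, ephemeral_pub)
        env = EncryptedCredential(ephemeral_pub, nonce, ct)
        self.database[name] = env
        # 'ephemeral' and 'key' go out of scope here; the server keeps no
        # material that can reverse the encryption.
        return env


def database_dump_leaks_key(server: Server, key: bytes) -> bool:
    """Would an attacker holding the full database see the SSH key?"""
    return any(key in env.ciphertext for env in server.database.values())


if __name__ == "__main__":
    node = ScanningNode()
    server = Server(node.public_key_bytes())
    env = server.add_ssh_key("web-01", SAMPLE_SSH_KEY)
    print("database dump leaks key:", database_dump_leaks_key(server, SAMPLE_SSH_KEY))
    print("scanning node can use key:", node.run_scan(env))
    print("a different node can decrypt:", ScanningNode().decrypt(env) is not None)
```

Two properties in the text are visible directly here: `Server` never holds an X25519 private key, so a full copy of `database` (or of the server process) gives an attacker only envelopes, and a node with a different private key gets a failed GCM tag check rather than plaintext. The in-memory wipe in `run_scan` is best-effort in Python; a production node would hold the decrypted key in a locked, zeroable buffer.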


Customers who do not want any credentials stored, or who use short-lived SSH certificates for which storing credentials serves no purpose, can deploy Sandfly in our "ad hoc" mode. Ad hoc mode lets you pass in scan requests with one-time-use credentials that Sandfly does not store anywhere.


Finally, Sandfly supports key vault integration with vendors such as HashiCorp, CyberArk, Thycotic and more, and we can customize these integrations to your enterprise needs. Sandfly's key vault integration is unique in that keys remain fully encrypted in transit from the vault, so even a total compromise of the Sandfly server cannot leak key material to an attacker.